Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
From: Karl Westerholm [MS] (karlwestonline@microsoft.com)
Date: 11/21/02
- Next message: Tim Greene: "RE: SSL blew up my access via Frontpage"
- Previous message: trish: "How to allow downloading of exe and bat file from frontpage website"
- In reply to: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Next in thread: Dave: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Reply: Dave: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: karlwestonline@microsoft.com (Karl Westerholm [MS]) Date: Thu, 21 Nov 2002 00:16:26 GMT
Sorry, I was out-of-office for a few days there. I hate to see a rebuild
be required, but then again that will almost certainly fix it...we shall
see.
-->Karl
“Please do not send email directly to this alias. This is our online
account name for newsgroup participation only.”
This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
--------------------
| From: trinetgrinch@yahoo.com (Vincent Polite)
| Newsgroups: microsoft.public.inetserver.iis.security
| Subject: Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002
= failure?
| Date: 18 Nov 2002 16:11:10 -0800
|
| Well, interestingly enough, I still can't get this set up to work. I
| have proceeded removing all extraneous accounts and websites from my
| computer to see if there's anything else going on. I actually
| attempted to reproduce the issue on my machine here at work and was
| unable to. The only REAL difference I can tell is that my machine is
| a domain controller, whereas the machine here is not.
|
| I'm considering doing a clean install from scratch to see if that
| alleviates the problem.
|
| Hope all is well,
|
| Vincent Polite
| Still Struggling....
|
|
| trinetgrinch@yahoo.com (Vincent Polite) wrote in message
news:<2c44a01a.0211131022.5cd13b3c@posting.google.com>...
| > Karl,
| >
| > One other thing. Is it unusual that I cannot log on to the actual
| > machine?
| >
| > By this, I mean, usually, on the basic logon screen of a server, I see
| > a space for username and password, as well as domain. And domain will
| > be filled in with a list of domain names, including the name of the
| > local computer.
| >
| > In my setup, I cannot log in to the local computer, only the domain.
| >
| > This machine was my very first win2k server and is the first machine
| > running active directory.
| >
| > VP
| >
| > karlwestonline@microsoft.com (Karl Westerholm [MS]) wrote in message
news:<pOD2$griCHA.2368@cpmsftngxa09>...
| > > I've been where you are, and I can certainly sympathize! With every
| > > extra bit added to the configuration of this puzzle, the problem
seems to
| > > become almost unsolvable. But, as someone once said, 'the truth is
out
| > > there'! :)
| > >
| > >
| > > I would try to start with the simplest possible configuration and
work
| > > upward:
| > >
| > > 1.) Create a brand-new test physical directory (called, say,
c:\testing)
| > > local to your IIS5 server, and be careful to keep this physical
directory
| > > outside of any other web content directories you have currently.
| > >
| > > 2.) Place a single *simple* HTML or ASP file in that dir (something
like
| > > '<% response.write time %>', in other words) and Assign NTFS
permissions on
| > > the file + dir to be 'administrator' & 'system' full control...no
other
| > > NTFS perms.
| > >
| > > 3.) Map this physical dir to a virtual directory (called, say,
'testing'
| > > ;) under the website in question, enabling only Basic authentication.
| > >
| > > 4.) Prove that you can at least browse to this file in IE, are
prompted to
| > > authenticate, and can use the local administrator account to
successfully
| > > authenticate to it.
| > >
| > >
| > > Gotchas to be aware of:
| > >
| > > - Always have 'show friendly HTTP error messages' turned off in your
test
| > > copy of IE. (IE's tools/internet options/advanced tab) If this
option is
| > > checked on your test IE client, it may mask additional error messages
you
| > > may be getting that are very significant.
| > >
| > >
| > > - When testing with IE or FrontPage local to the webserver for a
baseline
| > > 'is this working yet?' reference, be sure to connect via
windowsmachinename
| > > rather then IP or FQDN. That is to say, use 'http://machinename' to
| > > connect rather then 'http://1.2.3.4'.
| > >
| > > IE (and FrontPage too, if I am not mistaken) will interperate the
| > > presence of periods in the address as indicating the request *may* be
| > > Internet, and not Intranet. This may have the effect of remoting
your
| > > request out through a configured Proxy even when you do not wish to
do so.
| > >
| > >
| > > - Be careful to cycle the IISAdmin service whenever you are making
security
| > > tweaks & NTFS-type permissions modifications. IIS5 will cache the
| > > credentials of a given user account for a period of time (15 minutes,
I
| > > believe) so if you do not cycle the IISAdmin service, or wait until
the
| > > credentials are no longer cached, you may have made a tweak that
actually
| > > fixed the problem but just do not realize it has worked.
| > >
| > > You can cycle IISAdmin from control panel/services, but I
generally like
| > > to use the command-line:
| > >
| > > net stop iisadmin
| > > (followed by)
| > > net start w3svc
| > >
| > > Of course, this *also* has the effect of stopping all your
websites on
| > > that box until the w3svc service is restarted. You can adjust the
caching
| > > of credentials in IIS upward or downward, but setting it to too small
a
| > > time can have implications to poor performance. See also:
| > > http://support.microsoft.com/default.aspx?scid=KB;en-us;152526&
| > >
| > >
| > > Now that I have some of those gotchas out of the way, lets get
back to
| > > our testing VDIR. I am presuming that at this point browsing
locally,
| > > authenticating as the admin user, and displaying simple content is
working
| > > perfectly.
| > >
| > > Next, lets configure the server extensions on this VDIR....select
the
| > > defaults.
| > >
| > > Once you have the extensions configured, attempt to connect to via
| > > FrontPage from the local machine. Can you connect? Does it prompt
you for
| > > authentication? Do the admin user credentials that worked for browse
allow
| > > you to connect fully w/FP as well?
| > >
| > > If not, keep careful track of any errors you get in the process
and post
| > > them back here. Also, immediately after whatever FP-failure you
| > > experience, track down the IIS5 server's System & Application event
viewer
| > > logs. Look for any red (stop) or yellow (warning) error messages
that seem
| > > to be synced up with the failure....and post them as well! :)
| > >
| > > Regards,
| > > -->Karl
| > >
| > >
| > >
| > >
| > > "Please do not send email directly to this alias. This is our online
| > > account name for newsgroup participation only."
| > >
| > > This posting is provided "AS IS" with no warranties, and confers no
rights.
| > > You assume all risk for your use. © 2001 Microsoft Corporation. All
rights
| > > reserved.
| > >
| > > --------------------
| > > | From: trinetgrinch@yahoo.com (Vincent Polite)
| > > | Newsgroups: microsoft.public.inetserver.iis.security
| > > | Subject: Basic Authentication + IIS 5 + Windows 2000 + Frontpage
2002 =
| > failure?
| > > | Date: 12 Nov 2002 16:17:27 -0800
| > > | Organization: http://groups.google.com/
| > > |
| > > | I have seen threads about this topic all over UseNet, so I wanted to
| > > | state my problem which may or may not have a unique twist.
| > > |
| > > | The setup:
| > > |
| > > | My web server is a Windows 2000 Server. It houses Exchange 2000 and
| > > | runs IIS5 Web Services and FTP Service. From a website
perspective, I
| > > | host (for personal reasons) about 30 different websites. These
| > > | websites are differentiated using host-headers, configured through
the
| > > | Internet Services Manager.
| > > |
| > > | The websites are divided into 4 domains.
| > > |
| > > | *.domain1.com (20)
| > > | *.domain2.com (2)
| > > | hostname1.domain3.com
| > > | hostname2.domain4.com
| > > |
| > > | The last two entries are websites that I planned on hosting for some
| > > | friends. However, to avoid having all their network traffic getting
| > > | sent to my machine before the site was ready, I set up special
| > > | instances on the server.
| > > |
| > > | The web server itself is behind a Netgear Home Protection System on
| > > | the tail end of an ADSL Line. I have set up port forwarding for
ports
| > > | 80 (HTTP), 443 (HTTPS on IIS), 25(SMTP), and the ports for my remote
| > > | control program. (I'm pretty sure FTP is set up as well)
| > > |
| > > | On all of the sites I have set up the Frontpage Server Extensions
| > > | circa 2002. On the majority of the sites, I have set up Sharepoint
| > > | Team Services.
| > > |
| > > | When I was using NTLM, I was able to connect to my sites and
| > > | authenticate with any password protected sites no problem. All the
| > > | sites worked perfectly, and I had nary a problem.
| > > |
| > > |
| > > | The problem:
| > > |
| > > | I wanted to work on a friends' site using the facilities/software I
| > > | had available at the office. I was going to use Frontpage 2002 to
| > > | edit this website, but my company's proxy server will not allow NT
| > > | Challenge/Response w/untrusted domains.
| > > |
| > > | Because I cannot convince the powers that be at my office to let me
| > > | use NT Challenge/Response against my web server, I felt a reasonable
| > > | alternative would be to change the authentication on the website to
| > > | "Basic Authentication."
| > > |
| > > | Once I made this change through the Internet Services Manager, I was
| > > | unable to use Frontpage to edit the site. The problem went beyond
| > > | Frontpage, as well. In order to make sure it wasn't my company's
| > > | proxy server, I tried to edit the site running Frontpage locally on
| > > | the server itself, and I couldn't validate any of my accounts.
| > > |
| > > | After perusing this newsgroup for about a week, i ran across the
| > > | following notions:
| > > |
| > > | 1) Make sure the accounts can log on locally to the server.
| > > | 2) Make sure that when logging on, use the servername\username
format
| > > | for the username password prompt.
| > > | 3) Set a default domain equal to the domain of the account you are
| > > | using.
| > > | 4) Set a default domain equal to '\' which signifies all trusted
| > > | domains.
| > > |
| > > | Nothing works. At this point my brain is too numb to orchestrate
the
| > > | test of just checking basic authentication against a protected page
in
| > > | the website, but I'm pretty sure I can't get that to work as well.
| > > | Meaning, go into Explorer, remove permissions for a specific page
| > > | except for a specific user, and then try to browse to that page
using
| > > | a web browser under basic authentication.
| > > |
| > > | Any ideas as to how I can approach this problem at this point?
| > > | Clearly I haven't tried everything, but I feel like I've exhausted
| > > | quite a few possibilities.
| > > |
| > > | Thanks,
| > > |
| > > | Vincent Polite
| > > | Internet Application Specialist about to rescind his title
| > > |
|
- Next message: Tim Greene: "RE: SSL blew up my access via Frontpage"
- Previous message: trish: "How to allow downloading of exe and bat file from frontpage website"
- In reply to: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Next in thread: Dave: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Reply: Dave: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
