Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?

From: Dave (db.robertson@clear.net.nz)
Date: 12/13/02


From: "Dave" <db.robertson@clear.net.nz>
Date: Sat, 14 Dec 2002 01:24:22 +1300


Vincent,

What a drama. I sympathise with you. I have read all episodes in your "Basic
Authentication" story and can relate to them all. I have been tearing my
hair out over almost the identical issue. An interesting common factor is
the introduction of Active Directory.

I am very eager to hear what happened after the rebuild and whether you
finally nailed the problem.

Could you please let me know how you got on.

Regards
David

"Karl Westerholm [MS]" <karlwestonline@microsoft.com> wrote in message
news:8F3$7MPkCHA.932@cpmsftngxa08...
> Sorry, I was out-of-office for a few days there. I hate to see a rebuild
> be required, but then again that will almost certainly fix it...we shall
> see.
>
> -->Karl
>
>
>
> "Please do not send email directly to this alias. This is our online
> account name for newsgroup participation only."
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> reserved.
>
> --------------------
> | From: trinetgrinch@yahoo.com (Vincent Polite)
> | Newsgroups: microsoft.public.inetserver.iis.security
> | Subject: Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
> | Date: 18 Nov 2002 16:11:10 -0800
> |
> | Well, interestingly enough, I still can't get this set up to work. I
> | have proceeded removing all extraneous accounts and websites from my
> | computer to see if there's anything else going on. I actually
> | attempted to reproduce the issue on my machine here at work and was
> | unable to. The only REAL difference I can tell is that my machine is
> | a domain controller, whereas the machine here is not.
> |
> | I'm considering doing a clean install from scratch to see if that
> | alleviates the problem.
> |
> | Hope all is well,
> |
> | Vincent Polite
> | Still Struggling....
> |
> |
> | trinetgrinch@yahoo.com (Vincent Polite) wrote in message
> | news:<2c44a01a.0211131022.5cd13b3c@posting.google.com>...
> | > Karl,
> | >
> | > One other thing. Is it unusual that I cannot log on to the actual
> | > machine?
> | >
> | > By this, I mean, usually, on the basic logon screen of a server, I see
> | > a space for username and password, as well as domain. And domain will
> | > be filled in with a list of domain names, including the name of the
> | > local computer.
> | >
> | > In my setup, I cannot log in to the local computer, only the domain.
> | >
> | > This machine was my very first win2k server and is the first machine
> | > running active directory.
> | >
> | > VP
> | >
> | > karlwestonline@microsoft.com (Karl Westerholm [MS]) wrote in message
> | > news:<pOD2$griCHA.2368@cpmsftngxa09>...
> | > > I've been where you are, and I can certainly sympathize! With every
> | > > extra bit added to the configuration of this puzzle, the problem seems to
> | > > become almost unsolvable. But, as someone once said, 'the truth is out
> | > > there'! :)
> | > >
> | > >
> | > > I would try to start with the simplest possible configuration and work
> | > > upward:
> | > >
> | > > 1.) Create a brand-new test physical directory (called, say, c:\testing)
> | > > local to your IIS5 server, and be careful to keep this physical directory
> | > > outside of any other web content directories you have currently.
> | > >
> | > > 2.) Place a single *simple* HTML or ASP file in that dir (something like
> | > > '<% response.write time %>', in other words) and Assign NTFS permissions on
> | > > the file + dir to be 'administrator' & 'system' full control...no other
> | > > NTFS perms.
> | > >
> | > > 3.) Map this physical dir to a virtual directory (called, say, 'testing'
> | > > ;) under the website in question, enabling only Basic authentication.
> | > >
> | > > 4.) Prove that you can at least browse to this file in IE, are prompted to
> | > > authenticate, and can use the local administrator account to successfully
> | > > authenticate to it.
> | > >
> | > >
> | > > Gotchas to be aware of:
> | > >
> | > > - Always have 'show friendly HTTP error messages' turned off in your test
> | > > copy of IE. (IE's tools/internet options/advanced tab) If this option is
> | > > checked on your test IE client, it may mask additional error messages you
> | > > may be getting that are very significant.
> | > >
> | > >
> | > > - When testing with IE or FrontPage local to the webserver for a baseline
> | > > 'is this working yet?' reference, be sure to connect via windowsmachinename
> | > > rather than IP or FQDN. That is to say, use 'http://machinename' to
> | > > connect rather than 'http://1.2.3.4'.
> | > >
> | > > IE (and FrontPage too, if I am not mistaken) will interpret the
> | > > presence of periods in the address as indicating the request *may* be
> | > > Internet, and not Intranet. This may have the effect of remoting your
> | > > request out through a configured Proxy even when you do not wish to do so.
> | > >
> | > >
> | > > - Be careful to cycle the IISAdmin service whenever you are making security
> | > > tweaks & NTFS-type permissions modifications. IIS5 will cache the
> | > > credentials of a given user account for a period of time (15 minutes, I
> | > > believe) so if you do not cycle the IISAdmin service, or wait until the
> | > > credentials are no longer cached, you may have made a tweak that actually
> | > > fixed the problem but just do not realize it has worked.
> | > >
> | > > You can cycle IISAdmin from control panel/services, but I generally like
> | > > to use the command-line:
> | > >
> | > > net stop iisadmin
> | > > (followed by)
> | > > net start w3svc
> | > >
> | > > Of course, this *also* has the effect of stopping all your websites on
> | > > that box until the w3svc service is restarted. You can adjust the caching
> | > > of credentials in IIS upward or downward, but setting it to too small a
> | > > time can have implications to poor performance. See also:
> | > > http://support.microsoft.com/default.aspx?scid=KB;en-us;152526&
> | > > http://support.microsoft.com/default.aspx?scid=KB;en-us;152526&
> | > >
> | > >
> | > > Now that I have some of those gotchas out of the way, let's get back to
> | > > our testing VDIR. I am presuming that at this point browsing locally,
> | > > authenticating as the admin user, and displaying simple content is working
> | > > perfectly.
> | > >
> | > > Next, let's configure the server extensions on this VDIR....select the
> | > > defaults.
> | > >
> | > > Once you have the extensions configured, attempt to connect to via
> | > > FrontPage from the local machine. Can you connect? Does it prompt you for
> | > > authentication? Do the admin user credentials that worked for browse allow
> | > > you to connect fully w/FP as well?
> | > >
> | > > If not, keep careful track of any errors you get in the process and post
> | > > them back here. Also, immediately after whatever FP-failure you
> | > > experience, track down the IIS5 server's System & Application event viewer
> | > > logs. Look for any red (stop) or yellow (warning) error messages that seem
> | > > to be synced up with the failure....and post them as well! :)
> | > >
> | > > Regards,
> | > > -->Karl
> | > >
> | > >
> | > >
> | > >
> | > >
> | > > --------------------
> | > > | From: trinetgrinch@yahoo.com (Vincent Polite)
> | > > | Newsgroups: microsoft.public.inetserver.iis.security
> | > > | Subject: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
> | > > | Date: 12 Nov 2002 16:17:27 -0800
> | > > | Organization: http://groups.google.com/
> | > > |
> | > > | I have seen threads about this topic all over UseNet, so I wanted to
> | > > | state my problem which may or may not have a unique twist.
> | > > |
> | > > | The setup:
> | > > |
> | > > | My web server is a Windows 2000 Server. It houses Exchange 2000 and
> | > > | runs IIS5 Web Services and FTP Service. From a website perspective, I
> | > > | host (for personal reasons) about 30 different websites. These
> | > > | websites are differentiated using host-headers, configured through the
> | > > | Internet Services Manager.
> | > > |
> | > > | The websites are divided into 4 domains.
> | > > |
> | > > | *.domain1.com (20)
> | > > | *.domain2.com (2)
> | > > | hostname1.domain3.com
> | > > | hostname2.domain4.com
> | > > |
> | > > | The last two entries are websites that I planned on hosting for some
> | > > | friends. However, to avoid having all their network traffic getting
> | > > | sent to my machine before the site was ready, I set up special
> | > > | instances on the server.
> | > > |
> | > > | The web server itself is behind a Netgear Home Protection System on
> | > > | the tail end of an ADSL Line. I have set up port forwarding for ports
> | > > | 80 (HTTP), 443 (HTTPS on IIS), 25(SMTP), and the ports for my remote
> | > > | control program. (I'm pretty sure FTP is set up as well)
> | > > |
> | > > | On all of the sites I have set up the Frontpage Server Extensions
> | > > | circa 2002. On the majority of the sites, I have set up Sharepoint
> | > > | Team Services.
> | > > |
> | > > | When I was using NTLM, I was able to connect to my sites and
> | > > | authenticate with any password protected sites no problem. All the
> | > > | sites worked perfectly, and I had nary a problem.
> | > > |
> | > > |
> | > > | The problem:
> | > > |
> | > > | I wanted to work on a friends' site using the facilities/software I
> | > > | had available at the office. I was going to use Frontpage 2002 to
> | > > | edit this website, but my company's proxy server will not allow NT
> | > > | Challenge/Response w/untrusted domains.
> | > > |
> | > > | Because I cannot convince the powers that be at my office to let me
> | > > | use NT Challenge/Response against my web server, I felt a reasonable
> | > > | alternative would be to change the authentication on the website to
> | > > | "Basic Authentication."
> | > > |
> | > > | Once I made this change through the Internet Services Manager, I was
> | > > | unable to use Frontpage to edit the site. The problem went beyond
> | > > | Frontpage, as well. In order to make sure it wasn't my company's
> | > > | proxy server, I tried to edit the site running Frontpage locally on
> | > > | the server itself, and I couldn't validate any of my accounts.
> | > > |
> | > > | After perusing this newsgroup for about a week, I ran across the
> | > > | following notions:
> | > > |
> | > > | 1) Make sure the accounts can log on locally to the server.
> | > > | 2) Make sure that when logging on, use the servername\username format
> | > > | for the username password prompt.
> | > > | 3) Set a default domain equal to the domain of the account you are
> | > > | using.
> | > > | 4) Set a default domain equal to '\' which signifies all trusted
> | > > | domains.
> | > > |
> | > > | Nothing works. At this point my brain is too numb to orchestrate the
> | > > | test of just checking basic authentication against a protected page in
> | > > | the website, but I'm pretty sure I can't get that to work as well.
> | > > | Meaning, go into Explorer, remove permissions for a specific page
> | > > | except for a specific user, and then try to browse to that page using
> | > > | a web browser under basic authentication.
> | > > |
> | > > | Any ideas as to how I can approach this problem at this point?
> | > > | Clearly I haven't tried everything, but I feel like I've exhausted
> | > > | quite a few possibilities.
> | > > |
> | > > | Thanks,
> | > > |
> | > > | Vincent Polite
> | > > | Internet Application Specialist about to rescind his title
> | > > |
> |
>
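
Added example, not part of the thread and not code from any poster or from Microsoft: a scripted form of the step 4 baseline in the quoted procedure (is the directory prompting for Basic, and which username form is accepted?) that bypasses any configured proxy and browser error masking. The names `probe`, `BasicOnlyStub`, `run_baseline`, `MACHINENAME` and `example-pass` are constructed; the stub is a local stand-in so the script runs offline, and its rule of accepting only the machine-qualified name is an assumption made to show the probe telling the two forms apart, not a model of IIS.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(url, user=None, password=None):
    """One direct request; returns (status, auth schemes offered on a 401)."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
        req.add_header("Authorization", "Basic " + token)
    # Empty ProxyHandler: never route through a configured proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, []
    except urllib.error.HTTPError as err:
        offered = err.headers.get_all("WWW-Authenticate") or []
        return err.code, [value.split()[0] for value in offered]

class BasicOnlyStub(BaseHTTPRequestHandler):
    """Constructed stand-in (not IIS); accepts only the machine-qualified name."""
    EXPECTED = "Basic " + base64.b64encode(b"MACHINENAME\\administrator:example-pass").decode()

    def do_GET(self):
        ok = self.headers.get("Authorization") == self.EXPECTED
        body = b"ok" if ok else b""
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="testing"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def run_baseline():
    server = HTTPServer(("127.0.0.1", 0), BasicOnlyStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/testing/"
    names = (None, "administrator", "MACHINENAME\\administrator")
    results = [probe(url, name, "example-pass") for name in names]
    server.shutdown()
    server.server_close()
    return results

if __name__ == "__main__":
    print(run_baseline())
```

Against a real server, call `probe()` with the virtual directory's URL; a 401 whose offered schemes include anything other than `Basic` means other authentication methods are still enabled on that directory.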


