Re: IIS 5 Authentication problem- solved

From: Tom Kaminski [MVP] ((A_at_T))
Date: 04/30/03


Date: Wed, 30 Apr 2003 14:22:18 -0400


Good find, but Basic and Integrated work differently. Basic requires "Log
on locally" while Integrated requires "Access from the network". Your
findings are consistent with what's required for either scheme.

-- 
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/
"Paul Deneen" <paul@carbide.com> wrote in message
news:042101c30f39$bb15dab0$3301280a@phx.gbl...
Thanks to any who responded or gave thought to this
problem.
I found the self-inflicted cause of the problem.
In Local Security Policies/User Rights Assignment I had
added the administrators group to the right: "deny access
to this computer from the network".  I believed that this
would grant only administrators the right to "deny
access.." to other groups or users.  Apparently it works
opposite from that, and administrators were denied
access.  It is curious, though, that basic authentication
still worked.
Thanks again.
>-----Original Message-----
>If you enter a username/password three times, you should
see an error
>message and an error code, probably a 401.something. The
following article
>may help you figure out what's going on:
>318380 IIS Status Codes
>http://support.microsoft.com/?id=318380
>
>Most likely it will be a 401.3, Access denied due to ACL
on resource,
>indicating that either your NTFS permissions or logon
rights are not
>correct. Can you log in using an administrator account,
or do all accounts
>fail? What do the NTFS permissions look like on the files
you're trying to
>access?
>
>Lisa
>
>--------------------
>> Content-Class: urn:content-classes:message
>> From: "Paul Deneen" <paul@carbide.com>
>> Sender: "Paul Deneen" <paul@carbide.com>
>> References: <044101c30e5b$4cb9be80$a001280a@phx.gbl>
><b8m1ji$mmt6@kcweb01.netnews.att.com>
>> Subject: Re: IIS 5 Integrated Windows Authentication
problem
>> Date: Tue, 29 Apr 2003 11:28:40 -0700
>> Lines: 59
>> Message-ID: <012c01c30e7d$27f3dd20$a401280a@phx.gbl>
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>> charset="iso-8859-1"
>> Content-Transfer-Encoding: 7bit
>> X-Newsreader: Microsoft CDO for Windows 2000
>> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
>> Thread-Index: AcMOfSfzIruG4hzbR0aK37zJXWTKMw==
>> Newsgroups: microsoft.public.inetserver.iis.security
>> Path: cpmsftngxa06.phx.gbl
>> Xref: cpmsftngxa06.phx.gbl
microsoft.public.inetserver.iis.security:18091
>> NNTP-Posting-Host: TK2MSFTNGXA12 10.40.1.164
>> X-Tomcat-NG: microsoft.public.inetserver.iis.security
>>
>> Tom,
>>
>> Thanks for responding.
>>
>> If I recall, the standalone server installation
required
>> the name of a "workgroup" in place of a domain.  In any
>> case there is no group, it is just the one server,
using
>> local users and groups.  The login credentials I am
trying
>> to login with are local user accounts, which work fine
in
>> interactive logon or using basic authentication.
>>
>> Attempting to logon with user name of
SERVERNAME\account,
>> and nothing entered for the domain, the server replies
>> (without successfully authenticating) with the logon
>> dialog box showing the SERVERNAME in the domain box,
and
>> the account name in the user name box.
>>
>> Thanks again for your help.  Any additional thoughts
>> appreciated.
>>
>>
>>
>> >-----Original Message-----
>> >"Paul Deneen" <paul@carbide.com> wrote in message
>> >news:044101c30e5b$4cb9be80$a001280a@phx.gbl...
>> >> We're running a Win2K co-located stand-alone web
server
>> >> (no Active Directory).
>> >>
>> >> Basic authentication works, Integrated Windows
>> >> Authentication doesn't even when credentials are
entered
>> >> in dialog box.  Neither using default domain (leaving
>> >> the "domain" field empty) nor using the workgroup
name
>> >> makes any difference - the authentication fails.
>> >>
>> >> Is Integrated Windows Authentication only available
in
>> the
>> >> context of an Active Directory domain?
>> >
>> >What do you mean by "workgroup"?  Accounts would need
to
>> be either local to
>> >the server or domain accounts.  Since you indicate
that
>> you're not in a
>> >domain, what happens when you use a local account
>> (SERVERNAME\account)?
>> >
>> >-- 
>> >Tom Kaminski IIS MVP
>> >http://www.iistoolshed.com/ - tools, scripts, and
>> utilities for running IIS
>> >http://mvp.support.microsoft.com/
>>
>http://www.microsoft.com/windowsserver2003/community/cente
>> rs/iis/
>> >
>>
>>
>> >
>> >
>> >.
>> >
>>
>
>-----
>Please do not send email directly to this alias. This is
an online
>account name for newsgroup participation only.
>
>This posting is provided "AS IS" with no warranties, and
confers
>no rights. You assume all risk for your use.
>
> 2003 Microsoft Corporation. All rights reserved.
>
>.
>


Relevant Pages

  • Re: integrated authentication
    ... I think that this is IIS authentication who is ... With the only "basic authentication" the user can ... domain and the two server have "trust the computer for delagation" checked. ... The account service for IIS application pool and the account service for SQL ...
    (microsoft.public.inetserver.iis.security)
  • Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
    ... Everytime I attempt to login under Basic Authentication, ... IUSR_blah account. ... the anonymous user impersonated by the IIS Server is the ... > Event Viewer Security log. ...
    (microsoft.public.inetserver.iis.security)
  • RE: SOME Users cannot access OWA others do, error HTTP 500
    ... I understand that some account access OWA ... IIS 6.0 compression corruption causes access violations ... compressed copy of the affected files on the SBS server: ...
    (microsoft.public.windows.server.sbs)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... I didn't realise the Web Sites folder in IIS manager threw up a global ... sure that Basic Authentication is allowed to function on your server. ... ACCOUNTNAME, this is the account that I am trying to grant access to: ... Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL ...
    (microsoft.public.inetserver.iis.security)
  • Re: WM5 can not sync to exchange
    ... I checked all the authentication settings and they are as you requested. ... After running the internet connection wizard I had to uncheck the Require ... On the SBS 2003 Server open the Server Management console. ... Open IIS Manager ...
    (microsoft.public.windows.server.sbs)