Re: IIS 5 Authentication problem- solved

From: Tom Kaminski [MVP] ((A_at_T))
Date: 04/30/03

Date: Wed, 30 Apr 2003 14:22:18 -0400

Good find, but Basic and Integrated work differently. Basic requires "Log
on locally" while Integrated requires "Access from the network". Your
findings are consistent with what's required for either scheme.

Tom Kaminski IIS MVP - tools, scripts, and utilities for running IIS
"Paul Deneen" <> wrote in message
Thanks to any who responded or gave thought to this
I found the self-inflicted cause of the problem.
In Local Security Policies/User Rights Assignment I had
added the administrators group to the right: "deny access
to this computer from the network".  I believed that this
would grant only administrators the right to "deny
access.." to other groups or users.  Apparently it works
opposite from that, and administrators were denied
access.  It is curious, though, that basic authentication
still worked.
Thanks again.
>-----Original Message-----
>If you enter a username/password three times, you should
see an error
>message and an error code, probably a 401.something. The
following article
>may help you figure out what's going on:
>318380 IIS Status Codes
>Most likely it will be a 401.3, Access denied due to ACL
on resource,
>indicating that either your NTFS permissions or logon
rights are not
>correct. Can you log in using an administrator account,
or do all accounts
>fail? What do the NTFS permissions look like on the files
you're trying to
>> Content-Class: urn:content-classes:message
>> From: "Paul Deneen" <>
>> Sender: "Paul Deneen" <>
>> References: <044101c30e5b$4cb9be80$a001280a@phx.gbl>
>> Subject: Re: IIS 5 Integrated Windows Authentication
>> Date: Tue, 29 Apr 2003 11:28:40 -0700
>> Lines: 59
>> Message-ID: <012c01c30e7d$27f3dd20$a401280a@phx.gbl>
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>> charset="iso-8859-1"
>> Content-Transfer-Encoding: 7bit
>> X-Newsreader: Microsoft CDO for Windows 2000
>> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
>> Thread-Index: AcMOfSfzIruG4hzbR0aK37zJXWTKMw==
>> Newsgroups:
>> Path: cpmsftngxa06.phx.gbl
>> Xref: cpmsftngxa06.phx.gbl
>> NNTP-Posting-Host: TK2MSFTNGXA12
>> X-Tomcat-NG:
>> Tom,
>> Thanks for responding.
>> If I recall, the standalone server installation
>> the name of a "workgroup" in place of a domain.  In any
>> case there is no group, it is just the one server,
>> local users and groups.  The login credentials I am
>> to login with are local user accounts, which work fine
>> interactive logon or using basic authentication.
>> Attempting to logon with user name of
>> and nothing entered for the domain, the server replies
>> (without successfully authenticating) with the logon
>> dialog box showing the SERVERNAME in the domain box,
>> the account name in the user name box.
>> Thanks again for your help.  Any additional thoughts
>> appreciated.
>> >-----Original Message-----
>> >"Paul Deneen" <> wrote in message
>> >news:044101c30e5b$4cb9be80$a001280a@phx.gbl...
>> >> We're running a Win2K co-located stand-alone web
>> >> (no Active Directory).
>> >>
>> >> Basic authentication works, Integrated Windows
>> >> Authentication doesn't even when credentials are
>> >> in dialog box.  Neither using default domain (leaving
>> >> the "domain" field empty) nor using the workgroup
>> >> makes any difference - the authentication fails.
>> >>
>> >> Is Integrated Windows Authentication only available
>> the
>> >> context of an Active Directory domain?
>> >
>> >What do you mean by "workgroup"?  Accounts would need
>> be either local to
>> >the server or domain accounts.  Since you indicate
>> you're not in a
>> >domain, what happens when you use a local account
>> (SERVERNAME\account)?
>> >
>> >-- 
>> >Tom Kaminski IIS MVP
>> > - tools, scripts, and
>> utilities for running IIS
>> >
>> rs/iis/
>> >
>> >
>> >
>> >.
>> >
>Please do not send email directly to this alias. This is
an online
>account name for newsgroup participation only.
>This posting is provided "AS IS" with no warranties, and
>no rights. You assume all risk for your use.
> 2003 Microsoft Corporation. All rights reserved.

Relevant Pages

  • Re: integrated authentication
    ... I think that this is IIS authentication who is ... With the only "basic authentication" the user can ... domain and the two server have "trust the computer for delagation" checked. ... The account service for IIS application pool and the account service for SQL ...
  • Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
    ... Everytime I attempt to login under Basic Authentication, ... IUSR_blah account. ... the anonymous user impersonated by the IIS Server is the ... > Event Viewer Security log. ...
  • RE: SOME Users cannot access OWA others do, error HTTP 500
    ... I understand that some account access OWA ... IIS 6.0 compression corruption causes access violations ... compressed copy of the affected files on the SBS server: ...
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... I didn't realise the Web Sites folder in IIS manager threw up a global ... sure that Basic Authentication is allowed to function on your server. ... ACCOUNTNAME, this is the account that I am trying to grant access to: ... Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL ...
  • Re: WM5 can not sync to exchange
    ... I checked all the authentication settings and they are as you requested. ... After running the internet connection wizard I had to uncheck the Require ... On the SBS 2003 Server open the Server Management console. ... Open IIS Manager ...