Re: IIS 5 Authentication problem- solved
From: Tom Kaminski [MVP] ((A_at_T))
Date: Wed, 30 Apr 2003 14:22:18 -0400
Good find, but Basic and Integrated work differently. Basic requires "Log
on locally" while Integrated requires "Access from the network". Your
findings are consistent with what's required for either scheme.
-- Tom Kaminski IIS MVP http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS http://mvp.support.microsoft.com/ http://www.microsoft.com/windowsserver2003/community/centers/iis/ "Paul Deneen" <email@example.com> wrote in message news:firstname.lastname@example.org... Thanks to any who responded or gave thought to this problem. I found the self-inflicted cause of the problem. In Local Security Policies/User Rights Assignment I had added the administrators group to the right: "deny access to this computer from the network". I believed that this would grant only administrators the right to "deny access.." to other groups or users. Apparently it works opposite from that, and administrators were denied access. It is curious, though, that basic authentication still worked. Thanks again. >-----Original Message----- >If you enter a username/password three times, you should see an error >message and an error code, probably a 401.something. The following article >may help you figure out what's going on: >318380 IIS Status Codes >http://support.microsoft.com/?id=318380 > >Most likely it will be a 401.3, Access denied due to ACL on resource, >indicating that either your NTFS permissions or logon rights are not >correct. Can you log in using an administrator account, or do all accounts >fail? What do the NTFS permissions look like on the files you're trying to >access? > >Lisa > >-------------------- >> Content-Class: urn:content-classes:message >> From: "Paul Deneen" <email@example.com> >> Sender: "Paul Deneen" <firstname.lastname@example.org> >> References: <email@example.com> ><firstname.lastname@example.org> >> Subject: Re: IIS 5 Integrated Windows Authentication problem >> Date: Tue, 29 Apr 2003 11:28:40 -0700 >> Lines: 59 >> Message-ID: <email@example.com> >> MIME-Version: 1.0 >> Content-Type: text/plain; >> charset="iso-8859-1" >> Content-Transfer-Encoding: 7bit >> X-Newsreader: Microsoft CDO for Windows 2000 >> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300 >> Thread-Index: AcMOfSfzIruG4hzbR0aK37zJXWTKMw== >> Newsgroups: microsoft.public.inetserver.iis.security >> Path: cpmsftngxa06.phx.gbl >> Xref: cpmsftngxa06.phx.gbl microsoft.public.inetserver.iis.security:18091 >> NNTP-Posting-Host: TK2MSFTNGXA12 10.40.1.164 >> X-Tomcat-NG: microsoft.public.inetserver.iis.security >> >> Tom, >> >> Thanks for responding. >> >> If I recall, the standalone server installation required >> the name of a "workgroup" in place of a domain. In any >> case there is no group, it is just the one server, using >> local users and groups. The login credentials I am trying >> to login with are local user accounts, which work fine in >> interactive logon or using basic authentication. >> >> Attempting to logon with user name of SERVERNAME\account, >> and nothing entered for the domain, the server replies >> (without successfully authenticating) with the logon >> dialog box showing the SERVERNAME in the domain box, and >> the account name in the user name box. >> >> Thanks again for your help. Any additional thoughts >> appreciated. >> >> >> >> >-----Original Message----- >> >"Paul Deneen" <firstname.lastname@example.org> wrote in message >> >news:email@example.com... >> >> We're running a Win2K co-located stand-alone web server >> >> (no Active Directory). >> >> >> >> Basic authentication works, Integrated Windows >> >> Authentication doesn't even when credentials are entered >> >> in dialog box. Neither using default domain (leaving >> >> the "domain" field empty) nor using the workgroup name >> >> makes any difference - the authentication fails. >> >> >> >> Is Integrated Windows Authentication only available in >> the >> >> context of an Active Directory domain? >> > >> >What do you mean by "workgroup"? Accounts would need to >> be either local to >> >the server or domain accounts. Since you indicate that >> you're not in a >> >domain, what happens when you use a local account >> (SERVERNAME\account)? >> > >> >-- >> >Tom Kaminski IIS MVP >> >http://www.iistoolshed.com/ - tools, scripts, and >> utilities for running IIS >> >http://mvp.support.microsoft.com/ >> >http://www.microsoft.com/windowsserver2003/community/cente >> rs/iis/ >> > >> >> >> > >> > >> >. >> > >> > >----- >Please do not send email directly to this alias. This is an online >account name for newsgroup participation only. > >This posting is provided "AS IS" with no warranties, and confers >no rights. You assume all risk for your use. > >© 2003 Microsoft Corporation. All rights reserved. > >. >