Re: Permanently turn off Integrated Windows Authentication?

From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 12/28/03

  • Next message: Goran: "configure IIS's SMTP service" 
    Date: Sun, 28 Dec 2003 11:51:38 -0700

    Okay, we've tried what you suggested, making the change to the virtual
    directory and unchecking the "Integrated Windows Authentication" box, and
    then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it
    successfully stops the service and all other dependant Exchange services.
    We start all of the services back up and the box remains unchecked. It
    remained uncheck for the next 2 days, but then on the 3rd day it was checked
    again automatically. Just a reminder, this is a Member Server running
    Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange and
    IIS services every night for offline backups. We are attempting to change
    this on a Virtual Directory, not the top level of the website. Is there
    something we are missing? Thank you for your help.

    "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
    news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl...
    > Ok, I've described basically the same solution as Karl. Only difference
    is
    > that I *know* that stopping IISADMIN will trigger the metabase flush.
    >
    > I'll describe what's going on.
    >
    > The basic problem is this:
    > 1. When you make a configuration change to IIS via the UI, it is kept in
    > memory (since IIS will frequently take the change live) and NOT
    immediately
    > written to disk.
    > 2. Later, IIS attempts to write the change to disk using an algorithm to
    > determine "idleness".
    > 3. I've seen instances where "idleness" doesn't happen, so the changes are
    > not written to disk after a given time period. This isn't exactly bad
    since
    > IIS will eventually write the change to disk when you stop the IISADMIN
    > service... but it's bad news if #4 happens...
    > 4. Something manages to kill the IISADMIN service before IIS writes the
    > change. This can be an inproc ISAPI crashing, or using IISRESET and IIS
    > takes >30 seconds to restart (probably likely with Exchange as a
    > dependency). When this happens, the unwritten changes are lost, and upon
    > restart, you get the old settings.
    >
    > What you're describing is that somehow, #4 is happening prior to your
    change
    > being flushed to disk. Thus, you're losing your change. The way you work
    > around this is to basically make the change and IMMEDIATELY cause a
    metabase
    > flush to disk to happen. Stopping the IISADMIN service is one way, but
    NOT
    > using IISRESET. The sure way to do this is to type:
    > NET STOP /y IISADMIN on the commandline
    >
    > With IIS6, what we changed was:
    > 1. Give you a menu option to immediately save all configuration to disk.
    > 2. When you exit the UI, automatically initiate a flush to disk.
    >
    > We will probably never change this behavior on prior IIS versions since
    the
    > change can be dangerous and cause other potential unknown problems. It's
    > better to have a known problem and workaround than an unknown problem with
    > an unknown workaround.
    >
    > --
    > //David
    > IIS
    > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    > //
    > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
    > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl...
    > Yes, I believe this is a bug as well, I have seen several posts in this
    > newsgroup over the last several months with others having the same issue.
    > Could the MS guy elaborate of what might be wrong or where to look for the
    > source of the problem, what to fix?
    >
    > Our issue has been very inconsistent, we stop all web services during our
    > offline Exchange backup every night. And even though we have unchecked
    the
    > box for "Integreated Windows Authentication" it will sometimes stay
    > unchecked when the web services are restarted but most of the time the box
    > is rechecked automatically.
    >
    > Thanks Karl, I try what you have suggested.
    >
    >
    > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
    > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl...
    > > This has been happening to me ever since 2001. I believe it's a known
    > bug,
    > > possibly where the IIS Metabase isn't properly being saved on exit.
    What
    > I
    > > was able to do is make that change AND ONLY that one change in one
    place,
    > > and then right-click to stop and restart the web server instance [and/or
    > > stop and restart the WWW service in Windows]. Then immediately go back
    > into
    > > IIS and confirm that the setting is still there. If it is, you should
    be
    > > OK.
    > >
    > >
    > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in
    message
    > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl...
    > > > Is there a way to permanently turn off Integrated Windows
    Authentication
    > > on
    > > > Windows 2000 SP4 IIS 5.0?
    > > >
    > > >
    > > >
    > > > We know that you can uncheck the box for it on the Properties for that
    > > > specific virtual directory under Authentication Methods, but every
    time
    > > the
    > > > server is rebooted or if the IIS Admin Service is restarted it
    > > automatically
    > > > checks that box back on.
    > > >
    > > >
    > > >
    > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we
    > don't
    > > > want the Domain field box showing up for clients logging into OWA. We
    > > only
    > > > want Basic Authentication over forced SSL (which we have configured
    and
    > > > working fine). We've noticed that down-level clients for some home
    > users
    > > > can't login IF Integrated Windows Authentication is checked on.
    > > >
    > > >
    > > >
    > > > Is there a registry setting to disable this or a script that will
    > disable
    > > it
    > > > that we could run at machine start up? Thanks for any ideas or
    > > suggestions.
    > > >
    > > >
    > > >
    > > >
    > >
    > >
    >
    >
    >

  • Next message: Goran: "configure IIS's SMTP service"

    Relevant Pages

    • Re: Permanently turn off Integrated Windows Authentication?
      ... memory (since IIS will frequently take the change live) and NOT immediately ... IIS attempts to write the change to disk using an algorithm to ... IIS will eventually write the change to disk when you stop the IISADMIN ... restart, ...
      (microsoft.public.inetserver.iis.security)
    • Re: Permanently turn off Integrated Windows Authentication?
      ... as when it start it might overwrite the setting configure in IIS MMC. ... > directory and unchecking the "Integrated Windows Authentication" box, ... >> that I *know* that stopping IISADMIN will trigger the metabase flush. ... IIS attempts to write the change to disk using an algorithm to ...
      (microsoft.public.inetserver.iis.security)
    • Re: Deleted IIS Sites keep coming back
      ... Delete the site in IIS manager UI. ... Then run "NET STOP IISADMIN /y". ... this operation succeeds, then you are sure that the change has been taken ... crashed/killed before flushing the changes to disk, ...
      (microsoft.public.inetserver.iis)
    • Re: Permanently turn off Integrated Windows Authentication?
      ... (probably Exchange), so you want to configure Exchange (or however it wants ... IIS services every night for offline backups. ... IIS attempts to write the change to disk using an algorithm to ... > restart, ...
      (microsoft.public.inetserver.iis.security)
    • Re: How do I get ASP working and How do I test it once I get it working
      ... Not sure what you mean by "not disk based". ... All localhost is local disked based as in located on local hard ... Perhaps its just that .asp is associated with Front Page instead of IIS? ...
      (microsoft.public.frontpage.programming)
    • Quantcast