Re: Can't make a domain user the "anonymous access" user
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 06/29/04
Date: Tue, 29 Jun 2004 00:51:01 -0700
1. No. Please tell me what you actually have enabled, not what you tried to
toggle. When dealing with authentication issues it is VERY important to
isolate EXACTLY what authentication protocol you are using. I recommend
either using ONLY Anonymous, or ONLY Integrated. Not both at the same time,
and not with any other. When you isolate, you are CERTAIN what protocol is
being used on the request and thus the expected outcome. Otherwise, you
need to give me a network trace of the browser/server traffic so that I can
determine what exact protocol was finally negotiated and used.
Some of the things you claim are not consistent with a default IIS
installation:
- When Integrated authentication is used, you should not see a dialog box
unless the auto-authentication between the browser and server failed. This
can happen if the username/password is repeatedly deemed incorrect, or
something is running on the server that is erroneously sending 401 access
denied.
- If you use a browser that cannot do NTLM, by definition, a 401.2 error is
returned. IIS will not return 401.1.
Now, if you swear that IIS IS returning 401.1 with a vdir configured with
ONLY Integrated authentication AND you used a browser that doesn't support
NTLM, that is a sign that you have something else custom (ISAPI Filter or
ISAPI Extension) running on your server that is broken, and you'll need to
fix that yourself. It is not an IIS issue but an issue with the custom
ISAPI.
3. No. IIS6 logs, by default, will contain the status, substatus, and Win32
error codes -- unless you've customized the log format. I want all three
pieces of information.
If I understand the last bit of info from you correctly, you're saying that:
1. If the vdir has ONLY anonymous enabled AND you configure the anonymous
user as yourself, it still comes back as 401.1
2. If the vdir has ONLY Integrated enabled, you end up with a login dialog,
and after giving your own credentials, it works
Note -- none of what you describe is expected behavior, and I just do not
see what you are claiming with my IIS6 using a domain user as anonymous
user -- it simply works for me -- just installed IIS6, joined a domain,
changed the anonymous user, and made an anonymous request. Thus, I think
you either have some ISAPI running on the server that is modifying behavior,
or it has something to do with your domain's group policy modifying user
privileges on the server. Security Audit is the way to go there. That, and
use secpol.msc to enumerate all the privileges held by the local anonymous
user account that works and your domain account that does not.
In either case, I do not think your problems lie with IIS but elsewhere.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jen Roth" <anonymous@discussions.microsoft.com> wrote in message
news:223ce01c45da5$1d994ef0$a601280a@phx.gbl...
Thanks for your response.
>I want to know:
>1. what authentication protocols are enabled for the ASP page in question
>(anon, basic, Integrated, etc)
I have tried both with and without Integrated authentication enabled.
When it's enabled, I get a login prompt if I am using an NTLM-capable
browser (IE, Mozilla). I can then authenticate using the domain account
in question. Or, if I hit "cancel", I get a 401.1 error. When it's not
enabled, or if I'm using a browser that can't do NTLM, the attempt to
view the page just fails with the 401.1 error.
>2. Are you using default or custom AppPool Identity for the Application
>Pool containing this ASP page
Default.
>3. What are the web log entries for the request that is failing. In
>particular, give the HTTP status/sub-status as well as Win32 error codes.
I'm getting "Error 401.1 - Unauthorized: Access is denied due to invalid
credentials." (It just says "401" in the web log.) I'm just not sure
*why* the credentials are invalid. As I said, I can enter the same
domain\username and password at the prompt and view the page. I even
tried using my own domain account -- one I use to log onto this computer
every single day -- and got the same error.
In the Event Viewer, I see Event ID 537:
User: NT AUTHORITY\SYSTEM
Logon Failure:
Reason: An error occurred during login.
User Name: <my domain user>
Domain: <my domain>
Logon Type: 3
Logon Process: IIS
etc.
>I would then enable Security Auditing and see what is causing anonymous
>login to fail, and go from there.
>
>--
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and confers no rights.
>//
>"Jen Roth" <anonymous@discussions.microsoft.com> wrote in message
>news:2261501c45d51$a6b52500$a301280a@phx.gbl...
>I have been trying to set up a website in IIS 6 so that a
>domain user account is used for anonymous access, instead
>of IUSR_SERVERNAME. (I am doing this because we have ASP
>scripts that need to connect to a datasource as this domain
>user.) Unfortunately, it doesn't work. I can set it up so
>that a local account is used for anonymous access -- I
>created a local "test" account just to make sure I was
>setting all the permissions right, and it worked fine. But
>if I use a domain account instead, I am prompted for a
>username and password whenever I access a web page. I know
>the domain account is valid and the password is right, and
>the NTFS permissions allow this user access. If I log in
>with this username/password when I am prompted, I can view
>the page. But for some reason, IIS just doesn't seem to
>recognize this domain user as the "anonymous access" user.
>Can anyone help?
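
Added example, not part of the original thread or written by either poster: a small Python parser that pulls the three values asked for above (HTTP status, substatus and Win32 error code) out of an IIS W3C extended log and groups the 401 responses. The log lines are constructed sample data, the function names are hypothetical, and only a few Win32 codes are mapped to names; anything else is printed as the raw number.

```python
from collections import Counter

# Documented meanings of IIS 401 substatus codes.
SUBSTATUS_401 = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "denied by ACL on the resource",
    "4": "authorization failed by a filter",
    "5": "authorization failed by an ISAPI/CGI application",
}
# A few Win32 codes that show up in sc-win32-status; others print as numbers.
WIN32 = {"5": "ERROR_ACCESS_DENIED", "1326": "ERROR_LOGON_FAILURE",
         "1385": "ERROR_LOGON_TYPE_NOT_GRANTED"}

# Constructed sample log, not taken from the thread.
SAMPLE = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status",
    "2004-06-29 07:40:01 GET /app/default.asp - 192.0.2.10 401 1 1326",
    "2004-06-29 07:40:02 GET /app/default.asp - 192.0.2.10 401 1 1385",
    "2004-06-29 07:40:09 GET /app/default.asp - 192.0.2.11 401 2 2148074254",
    "2004-06-29 07:41:15 GET /app/default.asp EXAMPLE\\jdoe 192.0.2.10 200 0 0",
]

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def describe(rec):
    """Render status.substatus plus the Win32 code, or say what the log omits."""
    sub, win32 = rec.get("sc-substatus"), rec.get("sc-win32-status")
    if sub is None or win32 is None:
        return rec["sc-status"] + " (substatus/Win32 not logged: add the fields to the log format)"
    reason = SUBSTATUS_401.get(sub, "see IIS documentation") if rec["sc-status"] == "401" else "n/a"
    return "%s.%s %s; Win32 %s" % (rec["sc-status"], sub, reason, WIN32.get(win32, win32))

def auth_failures(lines):
    """Count 401 responses grouped by their full description."""
    return Counter(describe(r) for r in parse_w3c(lines) if r.get("sc-status") == "401")

if __name__ == "__main__":
    for text, n in auth_failures(SAMPLE).items():
        print(n, text)
```

A log whose `#Fields` line lacks `sc-substatus` or `sc-win32-status` is reported as such rather than guessed at, which is the situation where the web log shows only "401".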