Re: HTTP 401.3 - Access denied by ACL on resource .exe
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/28/04
- Next message: Roger Abell: "Re: Granting Permissions to Manage Virtual Directories"
- Previous message: Ken Schaefer: "Re: IIS6 - Virtual Directory to URL share, authentication problems."
- In reply to: Mary: "HTTP 401.3 - Access denied by ACL on resource .exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Oct 2004 21:13:15 -0700
I suggest you run AuthDiag.
401.3 indicates that *some* user authenticated, but that user was denied
access to the resource by explicit ACL on the resource. If you turn of NT
Security Auditing you should be able to see what user logged on (and was
denied access), or you can run FileMon (www.sysinternals.com) to look at
what user was remotely authenticated and denied access.
Using a user that is a part of the local administrators group is a NOP for
troubleshooting. Common folklore suggest that administrators have access to
everything, and that is false. Administrators DO NOT have access to
everything -- they only have the ability to get access to everything.
Administrators are no different than normal users other than one bit that
says "I can change any ACL" -- this is what allows them to take control/gain
access to anything, but they have to explicitly do so. Thus, administrators
are perfectly able to be denied access to a resource, denied access to
logon, etc -- like any other user. But unlike any other user, administrator
can change the deny ACL to allow themselves access.
If the machine is a part of a domain, I would start checking for any overly
zealous security policies being enforced that break a web server -- like
removing "Bypass Traverse checking" or "Logon Locally" or "Logon
Interactively", etc.
At this point, a 401.3 tells you that some user logged on, and that user got
access denied when trying to load the .exe action. It is important for you
to figure out:
1. What is that user identity
2. Is it the right one you expect
3. Make sure that user identity has access to the .EXE and any of its
dependencies. For example, if CGI.EXE depends on DLL1.DLL and the user
identity has access to CGI.EXE but does not have access to DLL1.DLL, the
user will still get "access denied" trying to access CGI.EXE.
-- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // "Mary" <maristellabox@hotmail.com> wrote in message news:u18al1DvEHA.3976@TK2MSFTNGP09.phx.gbl... I have a problem with my cluster server (windows 2000) that host an IIS virtual server. In the autentication method I set the anonimous ad I set a domani user who is member of local administrator group. When I try to call a .exe application from a browser, the server prompts me for credentials, and there are no users able to complete the task, neither the domain administrator. I check the NTFS permissions, and seems ok, but after 3 retries the server gets me an HTTP 401.3 error. IIS is configured as Script and Execute permission. someone knows how to resolve? thanks a lot Mary
- Next message: Roger Abell: "Re: Granting Permissions to Manage Virtual Directories"
- Previous message: Ken Schaefer: "Re: IIS6 - Virtual Directory to URL share, authentication problems."
- In reply to: Mary: "HTTP 401.3 - Access denied by ACL on resource .exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
