Re: userPrincipalName with IIS security?

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 09/17/05

  • Next message: David Wang [Msft]: "Re: about iis secuirty" 
    Date: Sat, 17 Sep 2005 04:16:00 -0700

    No such configuration on IIS exists for your theory.

    My guess is that you have some DENY ACL against a group that the
    Administrator is in but NOT against the group the normal user is in.
    Remember, giving access is not about just having permission; it is also
    about not being denied permission. 

    -- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Dave Williams" <davewilliams29@yahoo.com> wrote in message
news:%236EUc9quFHA.3152@TK2MSFTNGP12.phx.gbl...
Hi all, I have an odd issue...
I have an IIS 6 server (actually running Exchange OWA) and two users, one of
whom is allowed full access and the other is denied all access. The denied
user is a member of domains admins and exchange admins, and can log onto a
mailbox fine using Outlook but not with OWA, the allowed user is just a
normal domain user but can access their mailbox in OWA no problem.
Looking through the AD properties of the two users, I found the only
distinction (apart from one being more administrative) is that the allowed
user has a 'userPrincipalName' set whereas the failing user doesn't. Is
there any configuration setting that might be in force on IIS that might
cause this to happen?
I'm aware that userPrincipalName is used for Kerberos authentication, but
not sure what happens if a user doesn't have one (I've done the same thing
in other environments for users without a userPrincipalName many times).
Could it be that the IIS/OWA configuration is disallowing NTLM as its
'integrated' authentication method, so forcing Kerberos and that's failing?
I've looked around the other configuration options, and can see nothing that
would explain why one user would connect and the other be refused.
Any ideas?
Thanks,
Dave
  • Next message: David Wang [Msft]: "Re: about iis secuirty"

    Relevant Pages

    • Re: DCOM calls fails - access denied
      ... That's exactly how I understood the ASP.NET security. ... But why does one configuration work but not the other? ... should get the token from IIS. ... If you set there a domain account, ...
      (microsoft.public.dotnet.framework.aspnet.security)
    • Re: WCF webservice over SSL and without
      ... encryption/signature is handled by SOAP instead of HTTP (IIS) and should be ... I'm assuming there's some point of endpoint configuration I need to do. ... Are you going to use SSL over Http(the most common and convenient ... Microsoft MSDN Online Support Lead ...
      (microsoft.public.dotnet.framework.webservices)
    • Re: Remote Web Workplace logon problem
      ... After you restore metabase from another computer, it will copy all IIS ... configuration information from that ... You can also try reinstall monitoring component by following these steps. ... Select Windows Small Business Server 2003 and then click Change/Remove. ...
      (microsoft.public.windows.server.sbs)
    • Re: web access failed - argghh
      ... Right click the site itself and click Backup Configuration, ... Right click the IIS root in the mmc and click Restore Configuration. ... not the default web site as you might assume. ...
      (microsoft.public.dotnet.framework.aspnet)
    • RE: More than One
      ... As for ASP.NET 2.0 web application hosting in IIS website, ... single virtual directory which is configured as "Application"(have ... each application's runtime configuration collection are ... we suggest deploy separate applications (haven't particular ...
      (microsoft.public.dotnet.framework.aspnet)