Re: Anonymous Account not working

I think that you are right, I added it to the admin group and now it works.
I looked and it's a member of:

Administrators (because I just added it)
Guests

And has these User Rights Assignments:
Access this computer from the network
Allow Logon Locally
Bypass Traverse Checking
Log on as a Batch Job



"Roger Abell [MVP]" wrote:

If it were the password in IIS that was wrong for Iusr_ then that
would show up in sec event log as login failure, assuming you have
events being logged. Changing in the IISmgmt interface will change
in metabase.
I am lost in the renames and apparent reinstalls, but it seems that
the Iusr_ you are using may have been defined before the final
IIS install on that box. What groups is it a member in?

"Ishmealm" <Ishmealm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:30BA16C5-C225-4A60-A47D-1FB798360DF1@xxxxxxxxxxxxxxxx
I don't see any security log entries. I just tried to access an anonymous
link without success, but no entry was entered into the sec log (or the
other
logs.)

I think the problem may be with the local account (IUSR_WEB02). When I
built the server there was another server that was named WEB02, I downed
that
server, renamed this server (so that the iusr and iwam accounts would be
named correctly), installed IIS. Renamed this server and brought the old
server back on line. This is the 5th server that I've upgrade, but the
only
one that I did the renaming with (the others, I backed up, rebuilt, and
restored.) This is the only one that has had any problems.

When I look in IIS, the anoymous acct is IUSR_WEB02 (the same as the local
acct.) I'm thinking about changing the password on the local acct to what
I
found out was the IUSR password with this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;184566

I figure that if the local account matches what IIS is using and the
account
is given rights to the folder, that it should work. My concern is that I
need to make a change to the metabase or somewhere else that I don't know
about and I'll break anonymous access to the point I need to rebuild. I'm
hoping that if I just change the local IUSR_WEB02 password to what I found
using:

cscript adsutil.vbs get w3svc/anonymoususerpass

That everything will sync up.
"Roger Abell [MVP]" wrote:

As it is apparently not a content NTFS perrmissions issue it is
perhaps a user rights issue. Have you checked for event msgs
in the Security event log ? Is the Iusr you are using the one
defined during install or a custom one you have created?

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Ishmealm" <Ishmealm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2AB2309E-B23F-444A-A957-FE5539EBC4EC@xxxxxxxxxxxxxxxx
Hi,
I recently built a new webserver to replace an existing server. I
copied the data to the new server and rebuilt all of the IIS
directories
by
hand. I replaced the broken SID of the old IUSR account on all of the
folders with the new IUSR account from the new server. Now when I try
to
access any of the virtual directories anonymously, I am denied access
(If
I
access them with basic or integrated, I have access.) Even if I create
a
new
VD, I get access denied.

I've created a new folder and applied the IUSR account using the
security tab so that I know it has the right account and there isn't
anything
carrying over from the old server (I also granted it Full Control just
to
be
certain it's not a permission problem.) I then created a new VD
pointing
to
the new folder. I get access denied. If I change the anonymous
username
and
password in IIS to another account with rights, it works.

I then used Adsutil.vbs to get the username and password that the
IUSR
acct is using and I manually entered the account info into the
directory
security for the anonymous account. I got access denied.

I'm thinking that the password that IIS is using is somehow
different
from the password that the local account is using. I'm thinking about
doing
a password change on the local account to the password that Adsutil.vbs
gave
me, but I don't want to break anything worse than it already is. Also
once I
make the change, I want to be able to create new VD's without having to
enter
the anonymous password manually everytime.

Am I going about this the right way or is there something that I'm
missing, doing wrong, or need to do in the metabase when I'm done? Any
help
is greatly appreciated.

Thanks,
Ishmeal








.

Relevant Pages

  • Re: Anonymous Account not working
    ... the Iusr_ you are using may have been defined before the final ... IIS install on that box. ... I think the problem may be with the local account. ... built the server there was another server that was named WEB02, ...
    (microsoft.public.inetserver.iis.security)
  • Re: Anonymous Account not working
    ... I don't see any security log entries. ... I think the problem may be with the local account. ... built the server there was another server that was named WEB02, ... renamed this server (so that the iusr and iwam accounts would be ...
    (microsoft.public.inetserver.iis.security)
  • Re: Making printer queue available without authentication
    ... this will authenticate the user on NT4ServerName using the guest account ... an authentication dialog box pops up. ... > password from a local account on the server or a domain account, ... > scripts to automate printer setup from the local account. ...
    (microsoft.public.win2000.general)
  • Re: Making printer queue available without authentication
    ... this will authenticate the user on NT4ServerName using the guest account ... an authentication dialog box pops up. ... > password from a local account on the server or a domain account, ... > scripts to automate printer setup from the local account. ...
    (microsoft.public.win2000.printing)
  • RE: Basic Windows 2003 SBS question(s)
    ... SBS domain is an isalnd. ... You need full blown version of 2K or 2K3 server to do that. ... > account that apparently is a local account and not a domain account. ...
    (microsoft.public.exchange.admin)