Re: IIS Subauthentication Required

Hi,

Event ID 529 failure in the Security log

Verify that the user account you created has the necessary logon permissions (from memory this is "network logon"), and also verify that the user has the necessary NTFS permissions to the files/folders in question (Read/Execute)

Cheers
Ken


"David V" <DavidV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:95BF5296-BB6B-4E2E-9A8A-01A8162BD3C8@xxxxxxxxxxxxxxxx
I have tried both proposed solutions and neither solved the problem. Note
that the Web site's home page works, and it is set up for anonymous
authentication using the local IUSR account. It is the subfolder application
that does not work. This folder is set up to use a domain aco*** for
anonymous authentication. I have confirmed the password for this domain
account, by resetting it, but I am still getting the "You are not authorized
to view this page" message and an Event ID 529 failure in the Security log.

"Ken Schaefer" wrote:

In order for IIS to use the IUSR_<machinename> account, it needs to be able
to "logon" that user account, and to do that it needs the current password
for that IUSR account.

Now, in a normal IIS installation, IIS install creates the IUSR account (in
the Windows SAM), sets the password, and then stores a copy of the password
(encrypted) in the IIS metabase.

However, if the Windows password for the IUSR account changes, then IIS
won't know what the new password is and won't be able to logon the IUSR
account.

Solutions to this problem:
a) if the IUSR password has changed (and you know what the new password is),
then reset the IUSR password in IIS Manager, so that IIS knows what the
password is again.

b) enable SubAuthentication (which allows IIS to transparently get the
password). However SubAuthentication is a security risk you need to
consider, as it means running IIS using an account with elevated
credentials.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"David V" <DavidV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0027FC1F-B246-4877-A84B-30F243BC0F8F@xxxxxxxxxxxxxxxx
>I have 4 Web servers that should all be set up the same; once they are >all
> working we plan to load-balance them. Due to limitations in our > in-house
> application, the Web services are running in IIS 5.0 isolation mode. > The
> Web
> site on all four servers is configured to use the local IUSR account > for
> Anonymous access. As far as I can tell, the configuration on all 4 is
> identical, and the home page works on all four.
> However, within one of the subfolders, configured as an application, > there
> is a login.html that only works on 3 of the servers, not on the 4th. > This
> login page accesses a COM+ application on another server (the app was
> exported to a proxy .msi file, which was then instaled on the Web > server),
> the anoymous access account for this folder is set to a domain account.
> As I
> said, it works on 3 of the 4 Web servers.
>
> On the problem server, I receive an HTTP Error 401.1 (Unauthorized: > Access
> is denied due to invalid credentials). The Security Log shows that the
> failure was due to an unknown username or a bad password. Also, the
> results
> of running the IIS Diags on this serverdisplays the following errors:
> - AnymousPasswordSync: IIS subauthentication requires that the
> AnonymousUserName metabase property be configured with an account from > the
> local computer.
> - AnonymousUserPass: logon failed
> - AnonymousPasswordSync: The current configuration requires IIS
> subauthentication. However, the IIS subauthentication component,
> iissuba.dll,
> is not currently configured.
> - AnonymousPasswordSync: The current configuration uses IIS
> subauthentication for anonymous authentication. This requires that the
> worker
> process be configured to run as the Local System identity, which is not
> recommended for security reasons.
> - Server's response: HTTP/1.1 401 Unauthorized
>
> As far as I can tell, subauthentication is not set on the other > servers.
> Why is sub-authentication required on this server and not on the other > 3?
> How can I fix this?
>
> Any help is greatly appreciated.



.

Quantcast