Re: Basic Authentication fails with Error 401.2 where Integrated s

OK. So I am assuming that your test.html is simple static html
that does not involve this vendors parts. I am also assuming
that when you set up /test you did set the NTFS permissions
directly or via IIS so that the account you are testing with does
have read. The logins you see for IUsr_ and Network Service
are likely from spinning up IIS backside support on first hits
on the /test site, and your not seeing login failure messages
most likely means that the login was successful. If permissions
on /test/test.html do not allow access by your authenticated test
user account then IIS will reprompt for an account that does.
Could that be what is happening? Likely not as you have said
that all works if you enable integrated authentication, with the
precise same test setup, right?
Let us know if above assumptions are correct, OK? We can
then look at what is left, if we can figure what it is.

Roger


"Jude Fisher" <JudeFisher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7B8342C2-2804-4B57-ACE2-457352396425@xxxxxxxxxxxxxxxx
Roger,

I've set up the test directory as described in my first post. I'm then
trying to access the page (http://localhost/test/test.html) through
internet
explorer. I get a windows log in box as a prompt. As you can imagine, I've
tried every possible combination of things but I'm mostly trying with
COMPUTERNAME\USER and the password. The password is for the moment set to
something absurdly simple so I'm sure it's not a problem with that.

I've enabled failure logging and tested a regular remote desktop log in to
verify the failure is being recorded (it is). When I attempt to access the
directory above, however, I don't get a failure audit. I don't get any
event
at all for the user I'm trying to log in with. What I do get is a success
audit for the IUSR account (even though anonymous access is turned off and
I
am denied access to the page I'm trying to get to). Some details from that
success audit:

User Name: IUSR_XXXXXXXXXXXXXXXX
Domain: XXXXXXXXXXXXXXXX
Logon ID: XXXXXXXXXXXXXXXX
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: XXXXXXXXXXXXXXXX
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: XXXXXXXXXXXXXXXX
Caller Process ID: 184
Transited Services: -
Source Network Address: -
Source Port: -

I actually get two (identical) success audits for this account, and a
success audit for the NETWORK_SERVICE account, but it is as if the attempt
to
log in through the username/password box just never happened.

Not sure if any of that is useful but any help would be appreciated.

Thanks for your time so far.

Jude Fisher



"Roger Abell [MVP]" wrote:

How are you trying to log in? With domain\account when
using a domain account ?? The auditing settings are in the
Local Security Policy which you will find in Administrative
Tools (though domain policy may be controlling).

"Jude Fisher" <JudeFisher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1E3B299-F273-44FF-B61E-7DAC0CEF25AB@xxxxxxxxxxxxxxxx
Roger,

Thanks for replying.

The event log doesn't appear to be recording failures. How would I turn
that
on?

Thanks again.

Jude Fisher

"Roger Abell [MVP]" wrote:

Have you looked into the security event log, assuming that it
is configured to record login failures?
You will probably see a unknown account or bad password
event message, indicating the account that the domain.
This last is probably not correct if the login attempt did not
use domain\account syntax in the login attempt, where domain
might need to be the local machine name of the webserver if
domain account is not in use.


"Jude Fisher" <JudeFisher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6CF2177C-D68E-46CD-A95D-1FF4D51BC8C0@xxxxxxxxxxxxxxxx
Hi,

I'm a developer rather than a server tech and I've run into some
problems
configuring a website.

An external provider we're using requires that a specific script be
in
a
directory that is protected by Basic Authentication. This isn't
something
I've had to do before so I've been stumbling along following the KB
instructions. I've set up a test directory but I can't seem to get
authentication working properly. Here are the details:

I'm running IIS 6 on Windows Server 2003 with Asp.Net 1.1 and 2.0
both
installed.

The directory is configured with regular read priveleges, no scripts
or
executables for the moment. The page inside the directory that I am
using
for
testing is just a plain html page with one line of text in it.

The directory is configured in IIS with only Basic Authentication
checked
(Anonymous access, digest and integrated access are all cleared) and
the
domain and realm fields are empty.

I have a limted access account I want to use for this but for
testing
I've
also tried my administrator account, which has priveleges to the
folder
and
also local log on priveleges for the machine. Problems are
consistent
whichever account is used.

The error occurs whether I'm connecting remotely or (through remote
desktop)
via localhost, which should rule out any proxies.

The error returned is HTTP Error 401.2 - Unauthorized: Access is
denied
due
to server configuration.

*IMPORTANT* (I'm hoping this points directly to the problem!) - If I
check
the integrated authentication box in the IIS security configuration,
suddenly
the log in works. If I clear it so only basic is checked, it breaks
again.

Thanks in advance for any assistance.










.

Relevant Pages

  • Re: Virtual Directory - Permission Denied with fso CopyFile
    ... an account I created to test this whole ... I've remove the check box for integrated authentication and I've even tried ... > configuration and common AD for trust configuration. ... > tab for the virtual directory and unchecked the windows authentication. ...
    (microsoft.public.inetserver.iis)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... Just as a check I used NET USER /ADD on my test account and as expected ... The password dialog is supposed to appear for Basic authentication ... Thinking more esoterically now -- what are the login rights assigned ... IIS uses a specific login type, ...
    (microsoft.public.inetserver.iis.security)
  • Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
    ... Everytime I attempt to login under Basic Authentication, ... IUSR_blah account. ... the anonymous user impersonated by the IIS Server is the ... > Event Viewer Security log. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Problems with Kmail
    ... to refusing the connection during authentication. ... the account, I still could not retrieve mail (yes, this was on the ... had to go into the KMail account configuration and re-enter the password. ...
    (alt.os.linux.suse)
  • Re: IIS 6 fails anonymous connection
    ... It sounded like you configured sub-authentication, which on prior IIS ... The reason that you have to have Integrated authentication enabled along ... so there is some sort of configuration problem specific to ... The resources must also be ACL'd for this user account or else you will get ...
    (microsoft.public.inetserver.iis.security)