Re: IIS requiring authentication

On Nov 26, 8:51 am, awshaffer <awshaf...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Using IIS on a standalone Win2003 server. Users hit the server IP from any
workstation on the LAN and get the default web page. Setup has been in place
for about a year with no problems. Last week, we start getting errors when
users try to hit the site. Users get "Authentication Required" popup when
they use their bookmark to get to the site.

First time this happened, entering the admin user credentials would allow
the user to proceed to the default web site. That is no longer the case; no
credentials are validated. Have verified user/pw for the admin user on the
server, so that is not the issue.

Point is, we should *never* need to authenticate to get to this page. I went
into IIS Manager and checked the Directory Security settings. "Enable
anonymous access" is selected. Down below, in the "Authenticated Access"
area, it had shown "Integrated Windows authentication" for when anonymous
access was disabled, or when NTFS permissions caused restrictions.

I have not been at the keyboard of this server for over a month, prior to
this issue arising last week. It is not auto-updating--i.e. zero changes have
been made that could account for this. I have tried disabling the Windows
Authentication, then restarting. I have tried using admin user to get past
authentication; only worked the first few times (?). I've tried changing the
password for the IUSR_computername user both in the Local Users and Groups
and in IIS Manager. Nothing is working.

Some random changes do happen. I had taken off the Integrated Windows
authentication, restarted the server, took a screenshot of IIS Mgr with that
setting *off*. Users had access to the default web page. 30 min. later, same
problem. Checked IIS Mgr, and integ win auth was back on...? Nobody has
physical or remote access to this sever except me, and except for users'
access to the default web page.

When at the server console, typing the server IP in the web browser yields
"authentication required." Typing "localhost" takes me to the default web
page. Now, that's just weird.

Any help would be oh-so-appreciated!



Anonymous access and Authenticated Access does *NOT* mean that you
*never* need to authenticate to get to a page. You MUST understand
this point. A user ALWAYS need to authenticate to get to ANY content
on Windows because content on NTFS is ACL'd. The question is *who*
does the automatic authentication, client or server, such that you
have the illusion of never needing to authenticate.

http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_Denied_to_Administrators_or_Anonymous_User.aspx


My suspicion is that this is not an IIS issue. You said that you had
not changed server configuration. I add that IIS doesn't change
configuration on its own -- it does not have a user token with
permissions to change its own configuration. Your type of issue
usually indicate some combination of :
1. Domain Controllers pushing down security policies, user/ACL
lockdown, configuration scripts, etc that prevent proper functioning
of IIS (*very* frequently the culprit)
2. Something else on the server is crashing inetinfo.exe and reverting
your IIS configuration changes (for example, if you run in IIS5
Compatibility Mode, or if you run other applications in inetinfo.exe)
3. Security attacks (intentional or unintentional) on the IIS
anonymous account that cause account lockout (for example, the Guest
group may get locked down by group policy, or you change the anonymous
user's password to be out of sync with the cached value in metabase,
etc)
4. Something else is authenticating on IIS and overriding IIS's
configured behavior (for example, someone installed/activated custom
authentication ISAPI Filter)

Your observation with "localhost" and IP going to different places
indicate either a networking problem or user misconfiguration/
misunderstanding of IIS. For example, you could have a website with
host header of "localhost" that can funnel your localhost requests to
one website (with one set of behaviors) and those with IP to another
website (with different behaviors). Or DNS could be messed up on your
internal network such that localhost is resolving to another computer
and not this IIS server, etc. In order for your result to be weird,
you have to show that the request to "localhost" and by IP was
serviced by the SAME IIS Website and server, and even then, there are
other possible explanations.


I recommend you read the following blog entries to get an
understanding of how to troubleshoot and use the IIS-related logs, and
what each 401 means in an IIS log file:
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx

My experience with your type of "funny" behavior with IIS is that it
is rarely an IIS bug/issue. It is almost always something external,
related to security or lockdown from a domain policy, whose unintended
effects on IIS gets recognized as the "funny" behavior because people
use web applications on IIS. Thus, I recommend against fiddling with
any IIS settings and always start from "what does IIS log files
complain about being the problem" and go from there.

My suspicion is that you've always had a network misconfiguration that
is just now exposed, and you had an external security policy applied
to lock down this IIS server from functioning. I highly recommend just
looking around for clues and not changing any IIS server
configuration.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
.

Quantcast