Re: Windows Authentication Access Denied Error

After further debugging today I came to the same conclusion that it is the
ACL's that are the root of the problem. However, I checked the permissions
on all the folders specified on msdn for asp.net required access list
controls (http://msdn.microsoft.com/en-us/library/kwzs111e(VS.80).aspx) and
all appear to have the correct settings on my server.

Unfortunately, there is no way I am going to convince our CIS group to not
enforce their lockdown policy. However, if I could pinpoint the exact folder
(or folders) that the NETWORK SERVICE account is failing to access, then I
could probably get CIS to allow access specifically, which is why I worded
the original question in that manner.

I have read posts and articles on possible causes and workarounds until my
head is spinning and even downloaded a couple diagnostics tools but nothing
has worked so far. I am about to try reinstalling IIS, but that is a last
ditch effort and not something I want to do every week to keep this site up
and running. There has to be an easier way to pinpoint the root cause of
this issue and fix it.

"David Wang" wrote:

The second request is 401.3, indicating that IIS successfully
authenticated the user, but the user was later denied access by NTFS
ACL.

It confirms that the issue has nothing to do with IIS and is specific
to ACLs your application depends upon. There are no service
dependencies or special files/folders for Windows Authentication of
the sort that you are asking about.

I suggest starting by removing the web servers from your corporate
group policy, or at least apply different group policies for servers.
That is the source of your troubles, not IIS.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Dec 3, 4:42 am, L Nelson <LNel...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
When the user hits the website the first response is 401 2 2148074254
For myself, it then goes to 200 0 0 as a successful login
For the users who are failing, the second response is 401 3 5
At this point, a login prompt window pops up. If the user enters their
login and password here, they get the access denied error and the entry in
the log is 401 1 0



"David Wang" wrote:
On Dec 2, 12:38 pm, L Nelson <L Nel...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
I have two Windows 2003 servers hosting an ASP.NET site. Both servers are
using Windows Authentication. Everything was working fine, but suddenly my
users are not able to access the dev site. They are still able to access
prod fine. When attempting to access the site they are getting a 401 "access
denied" error message. I suspect that our company's automated lockdown
policies are causing the problem, but in order to have them configured so
they will not interfere I need to know all the services that the Windows
Authentication protocol uses, and also if there are any specific folders or
directories that the users need to have access to. The lockdown policies
restrict access to anything and everything on C. The web files and also the
SQL Server Express engine are installed to the E directory on the server. I
am still able to access both sites, as I am also on the local admins group.

It sounds like your question is more about the dependencies of your
specific web application, unrelated to IIS.

To be certain -- please check the IIS log entry for the requests which
result in "401 access denied" and make sure it is not 401.1 or 401.2.
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_II...

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//- Hide quoted text -

- Show quoted text -

.

Relevant Pages

  • IIS Setting prevents AD Query from working?
    ... does NOT work when IIS is set to only use Integrated Windows ... only delegatable when Integrated Windows Authentication is used if Kereberos ... Windows 2003 Server ...
    (microsoft.public.sharepoint.portalserver.development)
  • IIS Setting prevents AD Query from working?
    ... does NOT work when IIS is set to only use Integrated Windows ... only delegatable when Integrated Windows Authentication is used if Kereberos ... Windows 2003 Server ...
    (microsoft.public.inetserver.iis)
  • Re: Access to the fileserver from webserver
    ... You'll probably need to set "Trust computer for delegation" on the computer ... The problem is that the IIS and web app are on a different ... server than the fileserver. ... > The IIS settings are set to windows authentication, ...
    (microsoft.public.dotnet.framework.aspnet)
  • RE: cannot view web pages after transferring files to web server
    ... Integrated Windows authentication. ... What we want is - if a logged-in Windows user has database rights, ... asp.net in-built development server. ... However, when I copy this website to a virtual directory on an IIS server, I ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Moving exchange iis directory to new iis server
    ... did you triy to recreate the folders with the kb i send u? ... on the front-end server has a white mark on the icon like its not avalible, ... in the IIS? ... just wondering why it didnt created by the install of exchange. ...
    (microsoft.public.exchange.setup)