Unknown Domain user - domain authentication appears limited

From: Beverly Treadwell (prgmrblu_at_newsgroup.nospam)
Date: 11/12/04

    Date: Thu, 11 Nov 2004 16:56:02 -0800
    
    

    Hi folks -

    I am experiencing a problem with changing the user
    for several pages on my web site. While it seems to be an
    IIS or Domain problem, it appears that it is actually a security
    setting on the server.

    We have used this setup for quite a while and this problem only
    began after a massive change in security policies at the corporate level.

    What we do:

    In order to allow for downloads of a file from a shared directory we
    change the security of the required web site files in the IIS management
    console to run the anonymous user as <Domain>/<Domain User>.

    When I tried this on the new server configuration I received the following
    errors in the System and Security logs:

    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 100
    Date: 11/8/2004
    Time: 4:34:16 PM
    User: N/A
    Computer: <My Web Server>
    Description:
    The server was unable to logon the Windows NT account 'domain\domainuser'
    due to the following error: Logon failure: the user has not been granted the
    requested logon type at this computer. The data is the error code.
    ---------------------------------------------

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 534
    Date: 11/8/2004
    Time: 4:34:16 PM
    User: NT AUTHORITY\SYSTEM
    Computer: <My Web Server>
    Description:
    Logon Failure:
      Reason: The user has not been granted the requested
       logon type at this machine
      User Name: domainuser
      Domain: domain
      Logon Type: 2
      Logon Process: IIS
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name: <My Web Server>
    -----------------------------------------------

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 534
    Date: 11/8/2004
    Time: 4:34:16 PM
    User: NT AUTHORITY\SYSTEM
    Computer: <My Web Server>
    Description:
    Logon Failure:
      Reason: The user has not been granted the requested
       logon type at this machine
      User Name: domainuser
      Domain: domain
      Logon Type: 4
      Logon Process: IIS
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name: <My Web Server>
    -------------------------------------------------

    I have given the user the following permissions in the local GPO.

    logon locally (which is all it should need).
    logon as batch
    Access this computer from the network
    Traverse folders
    Impersonate...
    etc.

    I still get the above errors.

    An authentication testing app for IIS shows that the domain user does not
    exist. However this user is visible and the setup is working on other
    servers in the domain that have not had the new security changes.

    I have noticed on these "secure" servers that if I try to give any access
    to a domain user through the local groups and users utility or on a
    specific folder the user appears as "Unknown" showing only the SID of the
    user and in the case of files or folders the user shows up with the grayed
    out head and the red question mark showing only the SID.

    So far I have been unable to correct the problem. What I did find was that
    I could make this work after I had given the user local admin permissions
    and actually logged in locally and created a profile. Once done I could
    remove the admin permission for the user and since a profile exists on the
    server everything works fine.

    We have never had to login as the user previously to make this work. I have
    a hundred + servers and do not want to have to login to each one!

    Any ideas?

    Thanks!
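
Added example, not part of the original post: a Python sketch that reads Event ID 534 records in the text layout quoted above and lists, per account, the allow and deny logon rights that correspond to each failed logon type. The sample log is constructed, and `parse_events` and `rights_to_check` are names chosen for this example.

```python
import re
from collections import defaultdict

# Logon type -> (allow right, deny right). These are the Windows account-right
# constants behind the entries under User Rights Assignment in Group Policy.
LOGON_RIGHTS = {
    2: ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),  # interactive
    3: ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),          # network
    4: ("SeBatchLogonRight", "SeDenyBatchLogonRight"),              # batch
    5: ("SeServiceLogonRight", "SeDenyServiceLogonRight"),          # service
}

# Constructed sample, in the text layout of the events quoted in the post.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 534
  User Name: domainuser
  Domain: domain
  Logon Type: 2
-----
Event Type: Failure Audit
Event ID: 534
  User Name: domainuser
  Domain: domain
  Logon Type: 4
-----
Event Type: Warning
Event ID: 100
"""

def parse_events(text):
    """Split on separator lines; return one {field: value} dict per event."""
    events = []
    for block in re.split(r"^\s*-{3,}\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^\s*([A-Za-z ]+?):[ \t]*(\S.*?)\s*$", block, flags=re.M))
        if fields:
            events.append(fields)
    return events

def rights_to_check(text):
    """Map each account in Event ID 534 records to the rights to review."""
    needed = defaultdict(set)
    for ev in parse_events(text):
        if ev.get("Event ID") != "534" or not ev.get("Logon Type", "").isdigit():
            continue
        account = f"{ev.get('Domain', '?')}\\{ev.get('User Name', '?')}"
        allow, deny = LOGON_RIGHTS.get(int(ev["Logon Type"]), ("unmapped", "unmapped"))
        needed[account].update({allow, deny})
    return {acct: sorted(r) for acct, r in needed.items()}
```

A deny right takes precedence over the matching allow right, and a user right defined in a domain GPO replaces the local policy value, so compare the output against the effective policy on the server.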

