Greetings,
I am having a very weird problem. Somehow IIS 6.0 running on Win Server
2K3 Standard thinks that the default anonymous user doesn't have access to
the index.htm in the site directory. I checked the permissions on all dirs
from the c:\ down to the file itself and they all say the user can read; I
even tried with full permissions. Now this is the interesting part: when I
changed the default user to the domain admin, it worked, which I can believe
since the domain admin can do everything. Now I tried changing it to a
domain account that doesn't have as much power, and it's not authorized to
view the page. Is there a hidden permission I'm not looking at, or just what
is happening? Thanks in advance.

Re: IIS 6.0 Problem on Win Server 2K3 by David

David
Wed Nov 26 01:44:43 CST 2003

Was this clean install or upgrade? Did you run DCPROMO?

You also have not given:
1. What authentication is enabled on the vdir
2. What authenticated account was used by the web browser
3. What ACLs are present on the resource being accessed
4. [if script] What ACLs are present on the ScriptEngine

It is not clear to me whether the anonymous user had proper
username/password credentials (sometimes they get out of sync). It is not
clear whether domain account had permissions on the files in question. Did
you turn off "bypass traverse checking" on the authenticated account?

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Re: IIS 6.0 Problem on Win Server 2K3 by Verizon

Verizon
Wed Nov 26 07:40:34 CST 2003

The install is a clean install, and I did not run DCPROMO, and the machine
isn't running as a BDC or PDC.

Only anonymous access is turned on; the account that is used is whichever
one is used for anonymous access after the initial install,
IUSR_<MACHINE NAME>, which IIS6 recognizes as authenticated by default. The
ACL, I'm guessing the local one to the machine and the one being pushed out
by the PDC are present, since it is authenticating to domain passwords.
I looked at the permissions for the anonymous user (IUSR_MACHINENAME) starting
from the root down to the actual file and it has permissions to read all of
them, and the file on the webserver is a plain html file. I even created a
new html file to see if it was just the permissions on that file. And the
same "not authorized to view page". This is the same with the domain account.
I am going to try another fresh install. I'll let you know what happens.



Re: IIS 6.0 Problem on Win Server 2K3 by rc_short

rc_short
Wed Nov 26 13:28:56 CST 2003

Is IIS running in WPIM mode or IIS5 mode? If in WPIM, take a look at
the IIS_WPG groups. By default the IUSR_Machine account is only a
member of the Guest group. I have just implemented a new 2003\IIS6
.Net application server myself. IIS6.0 is locked down rather tight out
of the box. I created a domain account and added it to the local
IIS_WPG group, and it worked almost right away. I hope this helps.

Re: IIS 6.0 Problem on Win Server 2K3 by David

David
Wed Nov 26 22:02:33 CST 2003

RickS, your suggestion is incorrect. In fact, you should consider removing
IUSR from IIS_WPG because you've opened a big security vulnerability on your
system. Identities in IIS_WPG must be trusted -- IUSR is not trusted.

Anonymous access using the local IUSR works out of the box, regardless of
whether it's a standalone server or domain member (very special case is
domain controller, which I highly discourage). We clean-install machines,
join to a domain, and do anonymous access with IUSR or domain account all
the time without problems and without any modifications, so I'm inclined to
believe your problems are because you're trying to do something different.
Make sure you copy the ACLs from "%SYSTEMDRIVE%\inetpub\wwwroot" to your
content directories unless you know how to further lockdown/sandbox server
content correctly on IIS6.

Back to the original question -- what response do you receive when running
as a non-admin (either domain user or IUSR -- which you need to know the
correct password to, or else you'll always get 401.1) -- you must give me
the HTTP status and substatus code -- either with the web log for the
website, or turn off IE's "Show Friendly HTTP Errors". Also, do not run
this under Remote Desktop, as some privileges are removed by default for
non-administrators.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
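
The status and substatus check requested in the post above, as an added example that is not part of the original thread: it reads an IIS W3C extended log and reports which 401 substatus each denied request received, which separates a credential problem (401.1) from an ACL problem (401.3). The log lines are constructed sample data, and the script assumes sc-status and sc-substatus are among the logged fields.

```python
# Added example: classify 401 responses in an IIS W3C extended log.
# SAMPLE_LOG is constructed sample data, not taken from the thread.
from collections import Counter

# Meaning of the 401 substatus codes reported by IIS.
SUBSTATUS_401 = {
    "1": "logon failed (bad user name or password for the account used)",
    "2": "logon failed due to server configuration (auth method mismatch)",
    "3": "denied by the ACL on the requested resource",
    "4": "denied by an ISAPI filter",
    "5": "denied by an ISAPI/CGI application",
}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2003-11-26 13:40:01 GET /index.htm - 192.0.2.10 401 1 1326
2003-11-26 13:40:09 GET /index.htm - 192.0.2.10 401 3 5
2003-11-26 13:41:15 GET /index.htm - 192.0.2.10 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def explain_401(text):
    """Count 401 responses keyed by (uri, 'status.substatus', reason)."""
    found = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "401":
            continue
        sub = rec.get("sc-substatus", "?")
        reason = SUBSTATUS_401.get(sub, "unrecognised substatus")
        found[(rec["cs-uri-stem"], f"401.{sub}", reason)] += 1
    return found

if __name__ == "__main__":
    for (uri, code, reason), n in explain_401(SAMPLE_LOG).items():
        print(f"{n}x {code} {uri}: {reason}")
```
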