Re: Strange 401.3 Errors In Log File by David
Fri Aug 06 18:37:45 CDT 2004
What user identity is reported as "access denied" by Filemon? Cross-check
with Windows auditing.
Is this user identity what you expect or not?
Finally, check the resource to make sure that user identity does have read
access to it.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Stuart Doughty" <doughtysm*@hotmail.com> wrote in message
news:uDcAX69eEHA.636@TK2MSFTNGP12.phx.gbl...
Thanks for the reply David,
I presume you mean enable auditing on the Win2k Server - folder auditing? I
have done this, and I don't get any failures - get successes, but where
there should be a suspected failure there isn't. Also, I ran FileMon and
sure enough I got an error on one of the pages in question.
Don't think I am any the wiser!
Stuart Doughty
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:%23trFY6feEHA.4068@TK2MSFTNGP11.phx.gbl...
> First, you must realize that having "admin rights" on a server does NOT mean
> you will never see "access denied". Administrators are like any other user
> and can be denied access to a resource and see "access denied". The key
> difference between a user and an administrator is that an administrator has
> special permission to CHANGE the ACLs of any resource on the system to give
> themselves access.
>
> A 401.3 indicates that the remote user successfully authenticated to the web
> server, but that identity was denied read/execute access on the resource
> named by the URL. So, you clearly need to investigate:
> 1. What are the ACLs on the resources being denied
> 2. What is the remote authenticated identity
>
> If you can trigger this phenomenon yourself, you should run FileMon
> (www.sysinternals.com) and enable Auditing to monitor for the actual
> authentication protocol, user identity, and access denied reason on access
> to that file -- and we can go from there.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Stuart Doughty" <doughtysm*@hotmail.com> wrote in message
> news:O%23N%23fdMeEHA.3212@TK2MSFTNGP10.phx.gbl...
> Hi,
> I have just set up an intranet at work running on IIS5 / Windows 2000
> Advanced Server.
> The problem I am getting is that there have been 1700 401.3 errors in the last 3
> days. I would accept this, except I get no feedback from the users (i.e.
> complaining about knackered pages) and when studying the log file, even I
> get 401.3 errors, and I have admin rights on the server!
> The errors occur for various pages, though the most common appears to be the
> root index.htm file. All files on the server have access rights for the
> users to read / execute, and selected files have modify depending on the
> user's needs for those files.
> Can anyone help? I have got NetTracker running and it's quite alarming to
> see all these 401.3 errors.
> Just better add, that the 401.3 error is the ACL authorization error which
> would indicate a rights issue, though as I say all files should have at
> least read / execute.
>
> TIA
>
> Stuart Doughty
> doughtysm*@*hotmail.com
>
>
>
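
An added example, not part of the thread: a Python sketch of the "what is the remote authenticated identity" step from the quoted reply, tallying denied requests per logged user name and URL from an IIS W3C extended log. The field list, the sample lines and the fallback to `sc-win32-status` 5 (ERROR_ACCESS_DENIED) when the log has no `sc-substatus` column are assumptions; the fallback can also match 401 responses other than 401.3.

```python
from collections import Counter

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2004-08-05 09:00:01 10.0.0.21 - GET /index.htm 401 5
2004-08-05 09:00:01 10.0.0.21 EXAMPLE\\alice GET /index.htm 200 0
2004-08-05 09:02:10 10.0.0.22 - GET /index.htm 401 5
2004-08-05 09:02:11 10.0.0.22 EXAMPLE\\bob GET /hr/pay.htm 401 5
2004-08-05 09:03:00 10.0.0.23 EXAMPLE\\bob GET /missing.htm 404 2
"""


def denied_by_identity(lines):
    """Count access-denied 401 entries per (cs-username, cs-uri-stem)."""
    fields = []
    hits = Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; always use the latest one.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        if row.get("sc-status") != "401":
            continue
        if "sc-substatus" in row:
            denied = row["sc-substatus"] == "3"
        else:
            # Assumption: no substatus column, so approximate with Win32 error 5.
            denied = row.get("sc-win32-status") == "5"
        if denied:
            hits[(row.get("cs-username", "-"), row.get("cs-uri-stem", "?"))] += 1
    return hits


if __name__ == "__main__":
    for (user, uri), count in denied_by_identity(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:5d}  {user:20s} {uri}")
```

A `cs-username` of `-` marks a request that carried no authenticated identity, which is the identity to check against the file's ACL for those entries.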