IIS Server - IUSER Question

Jeffrey Jones

2005-08-25, 6:04 pm

Hello,
I don't know if this is the proper place to post this but I need to know
about this. Recently, I have started to get a whole bunch of 529 (bad
logon) errors in my event log associated with the IUSER account. I
posted this on the SBS NG and the answer I received was to reset the
IUSER account password. I did in AD and in IIS at the Default Site. This
did not work and in fact made everything worse. My OWA gave me a 440
logon error which I corrected by changing the IWAM password to the same
one as my IUSER and then ran some scripts according to a website I found
off a Google search for the 440 error. That solved the OWA problem but
now my IUSER account keeps generating 539 events (lockouts). My question
is, are there any services that rely on the IUSER account? Is there a
way to stop the lockout events and the 529 errors? Any suggestions welcome.
Thanks,
Jeff Jones
Chris Adams (IIS)

2005-08-26, 2:51 am

Hey Jeff,

I would love you to understand authentication a bit better. I know it can be
confusing, especially when you wear many, many hats. Instead of going
into details in this reply, I would like to point you to webcasts that we
have done in the IIS Webcast Series that are particularly interesting to
your situation. You can see all IIS Webcasts at www.iiswebcastseries.com
for past and future.

. Authentication
    . The Ins and Outs of Authentication in Internet Information Services
    . Understanding Digest and Advanced Digest Authentication in IIS 6.0
    . Using Integrated Authentication in IIS


With that said, the short answer is the original login on all requests is
always Anonymous. This is specific to the HTTP protocol. It is not IIS's
role to determine the authentication type, but instead to "challenge" the
server when the administrator or developer of the web application decides it
is not for "anonymous" eyes. Thus, we will always try to login as
IUSR_MachineName or the value set for the AnonymousUserName in the metabase.

In your case, my guess is that you have the value for the following
property: AnonymousUserPass set to an invalid password. To extend that,
you have a default setting or a policy that is causing a "lockout" of this
key account. You should use a utility developed by Microsoft's IIS team
called Authentication and Access Control Diagnostics (AuthDiag) to
troubleshoot your failure.

To install, please download the IIS Diagnostics toolkit using this URL -

http://www.microsoft.com/downloads/...&DisplayLang=en

For a webcast on Authdiag, make sure to review this -

. IIS Diagnostics Tools
    . Using AuthDiag to Diagnose Problems with granular and Authorization in IIS


I hope this helps -- for problems, questions, email authdiag at
microsoft.com.

"Jeffrey Jones" <jeffjones176@kc.rr.com> wrote in message
news:ehUoYOaqFHA.2064@TK2MSFTNGP09.phx.gbl...
> Hello,
> I don't know if this is the proper place to post this but I need to know
> about this. Recently, I have started to get a whole bunch of 529 (bad
> logon) errors in my event log associated with the IUSER account. I posted
> this on the SBS NG and the answer I received was to reset the IUSER
> account password. I did in AD and in IIS at the Default Site. This did not
> work and in fact made everything worse. My OWA gave me a 440 logon error
> which I corrected by changing the IWAM password to the same one as my
> IUSER and then ran some scripts according to a website I found off a Google
> search for the 440 error. That solved the OWA problem but now my IUSER
> account keeps generating 539 events (lockouts). My question is, are there
> any services that rely on the IUSER account? Is there a way to stop the
> lockout events and the 529 errors? Any suggestions welcome.
> Thanks,
> Jeff Jones



nospam_ericwassberg@hotmail.com

2005-08-31, 6:00 pm

Hi Chris,

My name is Eric and I work with Jeff. Thanks for the links, I hope we
can use the tool to fix our 529 problem. I attempted to check out the
webcast for Using AuthDiag to Diagnose Problems with granular and
Authorization in IIS, but it returned an error:

The Event you are searching for does not exist. If you are searching
with an Event Number that you received with an invitation, then it is
possible that this event is no longer available for registration.

Is there a different event number for this webcast?

You were right about the lockout policy, and I believe I have it fixed
for now, but I do not know how to properly set the AnonymousUserPass
key. I already have the metabase explorer, but am not sure of the
correct procedure or its consequences.

Any additional advice or instructions on finding the offending service
would be appreciated. Here is an example of the event log if it helps.
Thanks again.... eric

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/29/2005
Time: 11:01:06 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_<server>
Domain: mydomain
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVERNAME
Caller User Name: SERVERNAME$
Caller Domain: mydomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 11496
Transited Services: -
Source Network Address: -
Source Port: -

Chris Adams (IIS) wrote:
> Hey Jeff,
>
> I would love you to understand authentication a bit better. I know it can be
> confusing, especially when you wear many, many hats. Instead of going
> into details in this reply, I would like to point you to webcasts that we
> have done in the IIS Webcast Series that are particularly interesting to
> your situation. You can see all IIS Webcasts at www.iiswebcastseries.com
> for past and future.
>
> . Authentication
>     . The Ins and Outs of Authentication in Internet Information Services
>     . Understanding Digest and Advanced Digest Authentication in IIS 6.0
>     . Using Integrated Authentication in IIS
>
>
> With that said, the short answer is the original login on all requests is
> always Anonymous. This is specific to the HTTP protocol. It is not IIS's
> role to determine the authentication type, but instead to "challenge" the
> server when the administrator or developer of the web application decides it
> is not for "anonymous" eyes. Thus, we will always try to login as
> IUSR_MachineName or the value set for the AnonymousUserName in the metabase.
>
> In your case, my guess is that you have the value for the following
> property: AnonymousUserPass set to an invalid password. To extend that,
> you have a default setting or a policy that is causing a "lockout" of this
> key account. You should use a utility developed by Microsoft's IIS team
> called Authentication and Access Control Diagnostics (AuthDiag) to
> troubleshoot your failure.
>
> To install, please download the IIS Diagnostics toolkit using this URL -
>
> http://www.microsoft.com/downloads/...&DisplayLang=en
>
> For a webcast on Authdiag, make sure to review this -
>
> . IIS Diagnostics Tools
>     . Using AuthDiag to Diagnose Problems with granular and Authorization in IIS
>
>
> I hope this helps -- for problems, questions, email authdiag at
> microsoft.com.
>
> "Jeffrey Jones" <jeffjones176@kc.rr.com> wrote in message
> news:ehUoYOaqFHA.2064@TK2MSFTNGP09.phx.gbl...
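
Added example, not part of the original thread: a small triage script for text-exported Security events like the one posted above. It groups 529 (bad logon) and 539 (locked out) events by account and records the Caller Process ID and logon type, which are the fields that point at the process submitting the stale password. The account name `IUSR_SERVERNAME`, the 539 event and the function names are constructed for illustration.

```python
from collections import defaultdict

# Subset of Windows logon type codes; 8 means the password was passed in cleartext
# to the logon call, which is how the sample event in the thread was generated.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch",
               5: "Service", 8: "NetworkCleartext"}

def parse_event(text):
    """Turn one text-format event into a dict of 'Field: value' pairs."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep and value.strip():               # skip headers such as 'Description:'
            fields[key.strip()] = value.strip()
    return fields

def triage(event_texts):
    """Group 529 (bad logon) and 539 (locked out) events by target account."""
    report = defaultdict(lambda: {"bad_logons": 0, "lockouts": 0,
                                  "caller_pids": set(), "logon_types": set()})
    for ev in map(parse_event, event_texts):
        if ev.get("Event ID") not in ("529", "539"):
            continue
        entry = report[ev.get("User Name", "?")]
        entry["bad_logons" if ev["Event ID"] == "529" else "lockouts"] += 1
        if "Caller Process ID" in ev:
            entry["caller_pids"].add(int(ev["Caller Process ID"]))
        if "Logon Type" in ev:
            code = int(ev["Logon Type"])
            entry["logon_types"].add(LOGON_TYPES.get(code, str(code)))
    return dict(report)

# Constructed sample modelled on the event in the thread (placeholder account name).
EVENT_529 = """\
Event Type: Failure Audit
Event ID: 529
    Reason: Unknown user name or bad password
    User Name: IUSR_SERVERNAME
    Domain: mydomain
    Logon Type: 8
    Logon Process: Advapi
    Caller User Name: SERVERNAME$
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 11496
"""
# Constructed lockout event: same fields, different ID and reason text.
EVENT_539 = EVENT_529.replace("Event ID: 529", "Event ID: 539").replace(
    "Unknown user name or bad password", "Account locked out")

if __name__ == "__main__":
    for account, info in triage([EVENT_529, EVENT_529, EVENT_539]).items():
        print(account, info)
```

The caller PID is only meaningful while that process is still running, so compare it against the process list soon after the event is logged.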
