IIS Server Security - The user has not been granted the requested logon type at this machine

Beverly Treadwell

2004-11-08, 5:50 pm

Folks -

I am experiencing a problem with changing the user for several pages on my web site.

We have used this setup for quite a while and this problem only
began after a massive change in security policies at the corporate level.

What we do:

In order to allow downloads of a file from a shared directory, we change the security of the required web site files in the IIS management console to run the anonymous user as <Domain>/<Domain User>.

When I tried this on the new server configuration I received the following errors in the System and Security logs:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 11/8/2004
Time: 4:34:16 PM
User: N/A
Computer: <My Web Server>
Description:
The server was unable to logon the Windows NT account 'domain\domainuser'
due to the following error: Logon failure: the user has not been granted the
requested logon type at this computer. The data is the error code.
---------------------------------------------

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 11/8/2004
Time: 4:34:16 PM
User: NT AUTHORITY\SYSTEM
Computer: <My Web Server>
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: domainuser
Domain: domain
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <My Web Server>
-----------------------------------------------

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 11/8/2004
Time: 4:34:16 PM
User: NT AUTHORITY\SYSTEM
Computer: <My Web Server>
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: domainuser
Domain: domain
Logon Type: 4
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <My Web Server>
-------------------------------------------------

I have given the user the following permissions in the local GPO.

logon locally (which is all it should need).
logon as batch
Access this computer from the network
I also tried "Impersonate"

I still get the above errors. What I did find was that I could make this work after I had given the user local admin permissions and actually logged in locally and created a profile. Once done I could remove the admin permission for the user.

We have never had to log in as the user previously to make this work. I have quite a few servers and do not want to have to log in to each one!

Did I miss something? Any ideas?

Thanks!

WenJun Zhang[msft]

2004-11-09, 2:49 am

Hi Beverly,

The only difference I can find is: after you added the account to the Administrators group and performed a logon, the account was automatically added to the built-in Interactive group. After that, you removed it from Administrators, but it's still in Interactive. Also, the event log indicates the problematic logon type is just 'Logon Type: 2' - Interactive Logon. It's the important difference, I think:

Using Default Group Accounts
http://www.microsoft.com/technet/pr...0serv/evaluate/featfunc/07w2kadc.mspx

So I just wonder if some permissions are missing for the original account but are held by Interactive. Please check if the domain account has been added to the local Users group. Also, it may be helpful to go through the default minimum permissions required by IUSR:

How to set required NTFS permissions and user rights for an IIS 5.0
Web server
http://support.microsoft.com/?id=271071

Furthermore, if you uncheck the "Allow IIS to control password" checkbox, this will change the logon type from Interactive to ClearText, which is more secure and may be able to work immediately.

Please update here on any findings or results. Thanks.
Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

Beverly Treadwell

2004-11-09, 5:52 pm

Thanks for the response.

I agree that the user is missing the interactive login portion of the permissions. The login type 4 is "log on as a batch job", which I have explicitly set in the GPO. I just can't figure out how to repair the problem. I seriously have hundreds of servers that require this user to run about 5 files.

I tried adding the domain user to the local Users group with no luck. As it turns out, the Domain Users group has been added to the local Users group already. I did run through the NTFS permissions with no luck.

You said:
> Furthermore, if you uncheck the "Allow IIS to control password"
> checkbox, this will change the logon type from Interactive to
> ClearText, which is more secure and may be able to work immediately.


This is in fact how we set the user up. IIS does not allow "Allow IIS to control password" for users not local on the box.

One thing I have noticed is that the users added to the server are showing as SIDs only. On the file security sections the user is often grayed out with the little "?" over it.

Beverly

Karl Levinson [x y] mvp

2004-11-10, 2:49 am

What sort of authentication was being used in the web server for those pages? If this was anonymous authentication, I wonder whether the passwords for the IUSR or IWAM accounts were changed, either locally on the web server or in the domain.

I also wonder whether the web server was previously joined to the domain and is no longer joined?

I would not give everyone "logon as batch job" permissions on the servers; that doesn't sound like a good solution to me.



WenJun Zhang[msft]

2004-11-10, 2:49 am

Hi Beverly,

Is it possible that a 'deny logon locally' setting overrides the 'log on locally' setting? Also, have you used any domain-level policy?

841188 "The local policy of this system does not permit you to logon
http://support.microsoft.com/?id=841188

Anyway, I think it's worth running AuthDiag to scan the problematic server. It may help you find out which rights the domain account lacks.

Authentication and Access Control Diagnostics 1.0 (AuthDiag)
For the x86 Platform
http://www.microsoft.com/downloads/...d=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
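Added example (not part of the thread, and not Microsoft's AuthDiag): a small Python triage script that ties the two halves of this diagnosis together. It reads a text dump of Security log entries like the ones in the first post, keeps the Failure Audit 534 events and maps each "Logon Type" to the user right LSA checks for it (2 = Interactive needs "Allow log on locally", 4 = Batch needs "Log on as a batch job", 8 = NetworkCleartext, the type IIS uses when the anonymous logon is not interactive, needs "Access this computer from the network"). It then evaluates those rights against the [Privilege Rights] section of a `secedit /export /cfg policy.inf` dump, applying the rule WenJun is asking about: a SeDeny*LogonRight entry matching any SID in the account's token rejects the logon even when the allow right is also granted. The SIDs, the policy file and the event lines below are constructed for the example; on a real server you would substitute the exported .inf (secedit writes it as UTF-16, so open it with `encoding="utf-16"`) and the account's own SID plus the SIDs of the groups that end up in its token. Note that it checks rights assignment only; it cannot detect the unresolved-SID ("?" icon) condition that the thread later turns to.

```python
import re

# Security log "Logon Type" -> (description, right that must be granted, deny right that overrides it).
# Right names are the LSA constants exactly as 'secedit /export' writes them.
LOGON_TYPE_RIGHTS = {
    2:  ("Interactive",       "SeInteractiveLogonRight",       "SeDenyInteractiveLogonRight"),
    3:  ("Network",           "SeNetworkLogonRight",           "SeDenyNetworkLogonRight"),
    4:  ("Batch",             "SeBatchLogonRight",             "SeDenyBatchLogonRight"),
    5:  ("Service",           "SeServiceLogonRight",           "SeDenyServiceLogonRight"),
    8:  ("NetworkCleartext",  "SeNetworkLogonRight",           "SeDenyNetworkLogonRight"),
    10: ("RemoteInteractive", "SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}

_FIELD = re.compile(r"^\s*(Event ID|User Name|Domain|Logon Type):\s*(\S+)", re.M)


def parse_logon_failures(event_text):
    """Extract (domain, user, logon_type) from a text dump of event log entries,
    keeping only Security Failure Audit 534 ("not granted the requested logon type")."""
    failures = []
    for block in re.split(r"^Event Type:", event_text, flags=re.M)[1:]:
        fields = dict(_FIELD.findall(block))
        if fields.get("Event ID") == "534":
            failures.append((fields["Domain"], fields["User Name"], int(fields["Logon Type"])))
    return failures


def parse_privilege_rights(inf_text):
    """Return {right_name: set_of_principals} from the [Privilege Rights] section of a
    'secedit /export /cfg policy.inf' dump.  secedit writes each SID with a leading '*'."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def evaluate_logon(rights, logon_type, token_sids):
    """Apply the exported user-rights assignment to one logon attempt.  A SID in the
    SeDeny*LogonRight list rejects the logon even when the allow right is also held."""
    kind, allow, deny = LOGON_TYPE_RIGHTS[logon_type]
    denied_by = sorted(rights.get(deny, set()) & token_sids)
    allowed_by = sorted(rights.get(allow, set()) & token_sids)
    if denied_by:
        verdict = "DENIED"        # deny right overrides the allow right
    elif allowed_by:
        verdict = "ALLOWED"
    else:
        verdict = "NOT GRANTED"   # nothing in the token holds the right: the event 534 case
    return {"logon_type": logon_type, "kind": kind, "verdict": verdict,
            "allowed_by": allowed_by, "denied_by": denied_by}


def triage(event_text, inf_text, token_sids):
    """Evaluate every 534 failure in event_text against the exported policy."""
    rights = parse_privilege_rights(inf_text)
    return [evaluate_logon(rights, lt, token_sids) for _, _, lt in parse_logon_failures(event_text)]


# --- Constructed sample input (hypothetical SIDs, not from any real domain) -----------------
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"          # DOMAIN\domainuser
DOMAIN_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-513"   # DOMAIN\Domain Users
# user SID, its domain group, plus Everyone, Authenticated Users and local Users (via nesting)
TOKEN_SIDS = {USER_SID, DOMAIN_USERS_SID, "S-1-1-0", "S-1-5-11", "S-1-5-32-545"}

SAMPLE_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
SeBatchLogonRight = *S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
Revision=1
"""

SAMPLE_EVENTS = """\
Event Type: Warning
Event Source: W3SVC
Event ID: 100
Event Type: Failure Audit
Event Source: Security
Event ID: 534
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: domainuser
Domain: domain
Logon Type: 2
Logon Process: IIS
Event Type: Failure Audit
Event Source: Security
Event ID: 534
User Name: domainuser
Domain: domain
Logon Type: 4
Logon Process: IIS
Event Type: Failure Audit
Event Source: Security
Event ID: 534
User Name: domainuser
Domain: domain
Logon Type: 8
Logon Process: IIS
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS, SAMPLE_POLICY, TOKEN_SIDS):
        print(f"type {r['logon_type']:>2} ({r['kind']}): {r['verdict']}"
              f"  allow={r['allowed_by']}  deny={r['denied_by']}")
```

With the constructed policy the three failures come out differently: type 2 is DENIED because Domain Users sits in SeDenyInteractiveLogonRight even though the user itself is in SeInteractiveLogonRight, type 4 is NOT GRANTED because only Administrators hold SeBatchLogonRight, and type 8 is ALLOWED through Everyone in SeNetworkLogonRight. That last case is the reason a network-cleartext anonymous logon can succeed on a box where the interactive one fails.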

Beverly Treadwell

2004-11-10, 5:50 pm

To my knowledge the passwords for the IUSR and IWAM users have not been changed. Pages on the rest of the site work fine with the usual anonymous settings. I only have problems with making a different user.

I'm logging in as a domain user and accessing the domain, so the server seems to be joined to the domain.

Right now I'm just trying different settings. It should only need logon locally.

Beverly


Beverly Treadwell

2004-11-10, 5:50 pm

WenJun -

Thanks for the help. The first article did not apply.

I did, however, download and use the Authentication and Access Control Diagnostics. Very cool tool.

It told me that: "AnonymousUserName <DOMAIN>\<My Domain User> does not exists"
I also received the following errors:

BUILTIN\Users does not have Access this computer from the network privilege
Everyone does not have Access this computer from the network privilege

All of these errors referred to the specific pages I was trying to set and a few other directories. They did not refer to the whole site.

-----------------------------------
I found these errors very interesting but confusing:

1. I have used this user for several installations on servers without this level of "security lockdown".
2. I am able to log in to the server as a domain user that is set as a local admin and as a regular domain admin.
3. I can browse to this user from IIS when setting it up.
4. I have specifically given the user: log on locally, access this computer from the network, bypass traverse checking, impersonate client after authentication, log on as a batch job, and just for good measure "log on as a service".

I have noticed that when adding a domain user to any item on the server the user will appear with the little grey head, a red '?' and will only display the SID of the user. This includes domain admins (though I can still log in).

Beverly





WenJun Zhang[msft]

2004-11-11, 7:47 am

Beverly,

I think the problem is probably in your AD, since AuthDiag reported the account doesn't exist on your server. You may post a thread to our Windows AD newsgroup about the SID not properly resolving to an account name. Also, please take a look at the following article and see if its info applies.

Client, service, and program incompatibilities that may occur when
you modify security settings and user rights assignments
http://support.microsoft.com/?id=823659

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

Beverly Treadwell

2004-11-11, 5:52 pm

WenJun:

Thanks for all the great info.

While I don't have it repaired yet, you did send me in the right direction!

Beverly


WenJun Zhang[msft]

2004-11-12, 2:48 am

:-) You are welcome Beverly. It's my pleasure.

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

Copyright 2003 - 2008 webservertalk.com