|
Home > Archive > IIS Server Security > February 2005 > IIS Lockdown tool
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
| Alfonso 2005-02-11, 6:00 pm |
| Currently using Win2K server SP/4. Installed iis lockdown tool 2.1 and know
it ask for a user name and password when connection is made to the Web
server.
How can I remove this logon service?
Reviewed local policy to system and I can't find how to remove this service.
| |
| Eric Rodriguez 2005-02-12, 2:47 am |
| The answer to your question depends on what kind of authentication is being
used. You may be prompted for credentials when an account doesn't have
rights to a page requested, or a resource the page my try to access. If
anonymous access is enabled this might be the iusr account, if integrated
authentication is used it would be the user that is trying to login.
<http://support.microsoft.com/?id=301457>
If only basic authentication is enabled you will be prompted for
credentials everytime. You will also be prompted when integrated
authentication is enabled if you're running into a double hop scenario.
<http://support.microsoft.com/?id=264921>
Should anonymous access be enabled, or are you using Windows integrated
authentication? One of the templates that comes with the Lockdown tool
prevents the anonymous account from writing to content directories. Does
the application you're getting promted for credentials for try to write
anything to disk?
Check all of your content directories and make sure the appropriate users
have the correct rights. Also check your rights and permissions against
the following KB article.
<http://support.microsoft.com/?id=812614>
You may also want to use AuthDiag to help you troubleshoot this issue.
<http://www.microsoft.com/downloads/...fe777-4a21-4066
-bd22-b931f7572e9a&DisplayLang=en>
Before anyone can give you a good answer to your question we need to know a
little more about the problem. The problem could be an ACL issue, a
checkbox in IIS, the anonymous account not being in sync between the
metabase and user account, etc...
What kind of authentication should be in use?
Is this an internet or intranet site?
If you pass valid credentials can you get access to the site?
What kind of content are you trying to serve (i.e. asp, aspx, etc...) and
what template did you select for IIS Lockdown?
I hope this gives you a good starting point.
~Eric
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2005 Microsoft Corporation. All rights
reserved.
| |
| Alfonso 2005-02-17, 5:53 pm |
| Before I applied the IIS lockdown, I had users enter the proper URL and the
logon screen to the web application would appear. Now after applying the
lockdown the server logon screen appears before they could enter to the
application. I checked the local policies and it looks O.K. I compare this
to another server that runs the same application; the only difference is that
the IUSR and IWAM accounts are not allowing me to control the general tab
area other then just disabling the account.
Is there a way I could change these account back to a default stage or do
they need to be deleted and re-created?
What kind of authentication should be in use? None
Is this an internet or intranet site? Intranet
If you pass valid credentials can you get access to the site? I created an
account and it allows the web to be access, but I'm trying to remove the
logon screen.
What kind of content are you trying to serve (i.e. asp, aspx, etc...) and
what template did you select for IIS Lockdown? ASP pages and ASP template.
"Eric Rodriguez" wrote:
> The answer to your question depends on what kind of authentication is being
> used. You may be prompted for credentials when an account doesn't have
> rights to a page requested, or a resource the page my try to access. If
> anonymous access is enabled this might be the iusr account, if integrated
> authentication is used it would be the user that is trying to login.
> <http://support.microsoft.com/?id=301457>
>
> If only basic authentication is enabled you will be prompted for
> credentials everytime. You will also be prompted when integrated
> authentication is enabled if you're running into a double hop scenario.
> <http://support.microsoft.com/?id=264921>
>
> Should anonymous access be enabled, or are you using Windows integrated
> authentication? One of the templates that comes with the Lockdown tool
> prevents the anonymous account from writing to content directories. Does
> the application you're getting promted for credentials for try to write
> anything to disk?
>
> Check all of your content directories and make sure the appropriate users
> have the correct rights. Also check your rights and permissions against
> the following KB article.
> <http://support.microsoft.com/?id=812614>
>
> You may also want to use AuthDiag to help you troubleshoot this issue.
> <http://www.microsoft.com/downloads/...fe777-4a21-4066
> -bd22-b931f7572e9a&DisplayLang=en>
>
> Before anyone can give you a good answer to your question we need to know a
> little more about the problem. The problem could be an ACL issue, a
> checkbox in IIS, the anonymous account not being in sync between the
> metabase and user account, etc...
>
> What kind of authentication should be in use?
> Is this an internet or intranet site?
> If you pass valid credentials can you get access to the site?
> What kind of content are you trying to serve (i.e. asp, aspx, etc...) and
> what template did you select for IIS Lockdown?
>
> I hope this gives you a good starting point.
>
> ~Eric
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2005 Microsoft Corporation. All rights
> reserved.
>
>
>
|
|
|
|
|