IIS Server Security - Logon Prompt Required to Access IIS6 Site

Author

Logon Prompt Required to Access IIS6 Site - Solved

Mark Olbert

2005-06-12, 5:51 pm

I'm posting this to save some other poor sod the pain I went through...

I have IIS6 running on WinServer2003 SP1. I moved over several existing websites from an IIS5.1 box
running Win2K SP4 by copying the directories, and then using the New Website wizard in IIS6 to
create the websites.

You can imagine my surprise when I was forced to log in to the sites in order to view them over my
LAN. Call me naive, but I >>thought<< the point of writing a webserver was to... serve up web pages.

After much troubleshooting, I determined that the problem involved the default account used by IIS6
to support anonymous access, IUSR_<machine_name>. I suspected this might be a problem because I'm
running IIS6 on a domain controller.

Deleting the IUSR_<machine_name> and IWAM_<machine_name> accounts and rebooting the server solved
the problem (albeit at the price of introducing some new problems that I'm resolving). IIS6 noticed
that the ISUR_ and IWAM_ accounts were missing, and set itself to work with
<domain>\IUSR_<machine_name> and <domain>\IWAM_<machine_name> instead.

So now my webserver actually serves up webpages!

And to think, it only took three hours to do it! Now, httpd from apache would've been up and running
in, oh, 45 minutes, counting a full compile from source code, but hey, it's Open Source software and
hence no good

.

Now if I can only figure out how to get the SceCLI subsystem to stop gacking over the missing IUSR_
and IWAM_ accounts, I'll be all set.

Until the next security patch, at least.

- Mark

David Wang [Msft]

2005-06-13, 5:52 pm

One post to this newsgroup and AuthDiag would have helped.

http://www.microsoft.com/downloads/...&displaylang=en

Running IIS6 on a Domain Controller will be hit-and-miss. Many rules change
on a DC that can break IIS6.

For the most part, IIS6 just installs and runs if you stay away from Domain
Controllers and random Group Policy lockdown of user privileges or ACLs.
IIS6 runs with far fewer privileges, so it is very easy to disable that one
identity/privilege that is needed and get access-denied.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
<Mark Olbert> wrote in message
news:v1fpa1h8h16uv2q9uskd23q1s1v7t7nsra@
4ax.com...
I'm posting this to save some other poor sod the pain I went through...

I have IIS6 running on WinServer2003 SP1. I moved over several existing
websites from an IIS5.1 box
running Win2K SP4 by copying the directories, and then using the New Website
wizard in IIS6 to
create the websites.

You can imagine my surprise when I was forced to log in to the sites in
order to view them over my
LAN. Call me naive, but I >>thought<< the point of writing a webserver was
to... serve up web pages.

After much troubleshooting, I determined that the problem involved the
default account used by IIS6
to support anonymous access, IUSR_<machine_name>. I suspected this might be
a problem because I'm
running IIS6 on a domain controller.

Deleting the IUSR_<machine_name> and IWAM_<machine_name> accounts and
rebooting the server solved
the problem (albeit at the price of introducing some new problems that I'm
resolving). IIS6 noticed
that the ISUR_ and IWAM_ accounts were missing, and set itself to work with
<domain>\IUSR_<machine_name> and <domain>\IWAM_<machine_name> instead.

So now my webserver actually serves up webpages!

And to think, it only took three hours to do it! Now, httpd from apache
would've been up and running
in, oh, 45 minutes, counting a full compile from source code, but hey, it's
open source software and
hence no good

.

Now if I can only figure out how to get the SceCLI subsystem to stop gacking
over the missing IUSR_
and IWAM_ accounts, I'll be all set.

Until the next security patch, at least.

- Mark