|
Home > Archive > IIS Server Security > June 2005 > 401.3 on IIS after SP1
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
401.3 on IIS after SP1
|
|
| M.Siler 2005-06-13, 5:52 pm |
| Any one had the problem that after installing SP1 that IIS presents the user
with a login window and if you cancel you get an 401.3 Unauthorized: Access
is denied...
Everything was working just fine until Windows Server 2003 SP1 was
installed.
| |
| Bernard Cheah [MVP] 2005-06-13, 8:48 pm |
| Mmm.. SP1. look at the IIS log file, check if user has READ permission on
requested file. You can try filemon (sysinternals.com) to trace it as well.
I have not seen 401.3 but many 401.1 with FPSE after sp1.
--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
"M.Siler" <John.Doe@NoSpam.com> wrote in message
news:ek1BjIGcFHA.3844@tk2msftngp13.phx.gbl...
> Any one had the problem that after installing SP1 that IIS presents the
> user with a login window and if you cancel you get an 401.3 Unauthorized:
> Access is denied...
>
> Everything was working just fine until Windows Server 2003 SP1 was
> installed.
>
| |
| David Wang [Msft] 2005-06-14, 8:51 pm |
| Please post the web log entries for the requests PRIOR to the 401.3.
I suspect you are seeing:
http://support.microsoft.com/?id=896861
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"M.Siler" <John.Doe@NoSpam.com> wrote in message
news:ek1BjIGcFHA.3844@tk2msftngp13.phx.gbl...
Any one had the problem that after installing SP1 that IIS presents the user
with a login window and if you cancel you get an 401.3 Unauthorized: Access
is denied...
Everything was working just fine until Windows Server 2003 SP1 was
installed.
| |
| M.Siler 2005-06-15, 8:55 pm |
| I found these instruction on the Internet and followed them.
1. Open IIS Manager > Application Pools, then to the pool which is relevant
to your site (in my case DefaultAppPool).. on this item, right click and
choose properties.
2. Now navigate to the identity tab.
3. It was set to Predefined: Network Service. I changed this to
Configurable: IWAM_(server name)
I still get the windows login prompt, but it will authenticate me
successfully. If I access the website from the server I am NOT presented
with the login prompt.
Why? What's the scoop with this change?
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:%23HDg4UHcFHA.2520@TK2MSFTNGP09.phx.gbl...
> Mmm.. SP1. look at the IIS log file, check if user has READ permission on
> requested file. You can try filemon (sysinternals.com) to trace it as
> well.
>
> I have not seen 401.3 but many 401.1 with FPSE after sp1.
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/
>
>
> "M.Siler" <John.Doe@NoSpam.com> wrote in message
> news:ek1BjIGcFHA.3844@tk2msftngp13.phx.gbl...
>
>
| |
| Bernard Cheah [MVP] 2005-06-16, 7:52 am |
| Cool ! but I'm not sure why. did you try revert back to network service,
then try filemon to trace ? if it's 401.3 then it's account permission
issue.
Take a look at David's reply as well.
--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
"M.Siler" <email address not provided> wrote in message
news:etICVtgcFHA.3712@TK2MSFTNGP12.phx.gbl...
>I found these instruction on the Internet and followed them.
>
> 1. Open IIS Manager > Application Pools, then to the pool which is
> relevant to your site (in my case DefaultAppPool).. on this item, right
> click and choose properties.
>
> 2. Now navigate to the identity tab.
>
> 3. It was set to Predefined: Network Service. I changed this to
> Configurable: IWAM_(server name)
>
> I still get the windows login prompt, but it will authenticate me
> successfully. If I access the website from the server I am NOT presented
> with the login prompt.
>
> Why? What's the scoop with this change?
>
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
> news:%23HDg4UHcFHA.2520@TK2MSFTNGP09.phx.gbl...
>
>
| |
| M.Siler 2005-06-16, 7:52 am |
| I tried going back to network service with no luck. I'll get filemon and see
what it shows. The link that David provided was for 401.1. That error I'm
not getting, unless I turn off "Integrated Windows authentication".
One more little twist in this mess is I'm running an Active/Passive cluster.
Therefore, the user IWAM_NODEA is fine when NODEA is the active node, but
when it fails over to NODEB... I'm wonding if I'm going to have a problem??
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:O$z$xVlcFHA.1404@TK2MSFTNGP09.phx.gbl...
> Cool ! but I'm not sure why. did you try revert back to network service,
> then try filemon to trace ? if it's 401.3 then it's account permission
> issue.
>
> Take a look at David's reply as well.
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/
| |
| David Wang [Msft] 2005-06-16, 8:49 pm |
| Actually, I think that 401.3 is a red-herring. Thus, I was asking you for
all the web log entries prior to the 401.3. At the same time, I was
proposing a possible cause.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"M.Siler" <John.Doe@NoSpam.com> wrote in message
news:uumpDKncFHA.2840@TK2MSFTNGP14.phx.gbl...
I tried going back to network service with no luck. I'll get filemon and see
what it shows. The link that David provided was for 401.1. That error I'm
not getting, unless I turn off "Integrated Windows authentication".
One more little twist in this mess is I'm running an Active/Passive cluster.
Therefore, the user IWAM_NODEA is fine when NODEA is the active node, but
when it fails over to NODEB... I'm wonding if I'm going to have a problem??
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:O$z$xVlcFHA.1404@TK2MSFTNGP09.phx.gbl...
> Cool ! but I'm not sure why. did you try revert back to network service,
> then try filemon to trace ? if it's 401.3 then it's account permission
> issue.
>
> Take a look at David's reply as well.
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/
| |
| Bernard Cheah [MVP] 2005-06-17, 2:52 am |
| Yes, go ahead and try filemon. and check the log if you found any 401.1 like
what David has posted. As for the cluster setup, well normally we do IIS in
NLB rather MSCS. anyway, the iwam account in node b will be used and if the
configuration for both nodes is the same, I would guess you will not get any
problem with it.
--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:O8BWW4tcFHA.2288@TK2MSFTNGP14.phx.gbl...
> Actually, I think that 401.3 is a red-herring. Thus, I was asking you for
> all the web log entries prior to the 401.3. At the same time, I was
> proposing a possible cause.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "M.Siler" <John.Doe@NoSpam.com> wrote in message
> news:uumpDKncFHA.2840@TK2MSFTNGP14.phx.gbl...
> I tried going back to network service with no luck. I'll get filemon and
> see
> what it shows. The link that David provided was for 401.1. That error I'm
> not getting, unless I turn off "Integrated Windows authentication".
>
> One more little twist in this mess is I'm running an Active/Passive
> cluster.
> Therefore, the user IWAM_NODEA is fine when NODEA is the active node, but
> when it fails over to NODEB... I'm wonding if I'm going to have a
> problem??
>
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
> news:O$z$xVlcFHA.1404@TK2MSFTNGP09.phx.gbl...
>
>
>
|
|
|
|
|