IIS Server Security - iis + win2k adv server problem

Pohihihi

2005-06-28, 8:48 pm

Hello NG,

I am running IIS on Win2k Adv Server + SP4 + .Net framework 1.1

My problem is as follows --

I have a default website and some other sites on the same IIS (with different
port numbers).
We have a domain, but this server is not part of any domain, though it is on
the same network (intranet).
When I try to access the default site (e.g. http://WebServer) it works just
fine from any other computer,
but when I try to access any other site on the same IIS (e.g.
http://WebServer:8080) it shows an NT login form.

Now I guess that it has something to do with the ACL or the web.config file. I
have tried all the possible solutions given on the web and in online help, but I
still see that NT login form. Note that it lets me see the site if I enter
the details of a user account on my WebServer, but I want others to see this
intranet site without going through this login process.

Thank you for the help in advance.

Po.


Fransg [MSFT]

2005-07-01, 2:48 am


Is the home directory located on the same server? If it is located on a
remote share, you might run into some passthrough authentication issues.
Also, if you connect to the server using a FQN and the FQDN contains a DOT
you could also see this behavior (KB303650).
Please try the following.
Change the VDir from http://webserver:8080 to the VDir of your default
website (http://webserver) and test if you are prompted again. If so, check
your IIS Authentication settings of the webserver:8080. If not, you need to
check the ACLs on the target directory of the VDir of WebServer:8080.
Or vice versa, map the VDir of your default website to the VDir of the
webserver:8080.

Good luck,

--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.


Pohihihi

2005-07-01, 7:53 am

Frans,

Thanks for the reply. Before my first posting I did the following:

1- Checked if I get NT type login on default (I did not)
2- I checked (and gave admin rights) rights in VDir given to IUSR_Machine
but nothing changed
3- I changed default site's VDir so that it can point to my
http://WebServer:8080 's VDir but I started getting NT type login on default
4- I also checked web.config file but nothing in that changes anything.

Also, I just followed what was suggested in the KB article you noted. I am not
using FQN/FQDN. This server is not a part of any domain and is independent on
the same network.
The VDir is on the same server. I tried putting the VDir inside wwwroot and
outside of it. Same story. It works just fine as localhost, but this problem
comes if I access it from other computers that are part of a domain.

Thanks,
Po


Fransg [MSFT]

2005-07-04, 5:58 pm


What happens if you point your default website to the webserver:8080 VDir?
If you still get prompted, check if the IUser has rights to read the files
on the VDir. (explicit)
Have you enabled Anonymous access on the webserver:8080 site and disabled all
other authentication options?


--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.


Pohihihi

2005-07-07, 7:55 am

> What happens if you point your default website to the webserver:8080 VDir?


I get prompt

> If you still get prompted, check if the IUser has rights to read the files
> on the VDir. (explicit)


I have given it all the rights on that VDIR

> Have you enabled Anonymous access on the webserver:8080 site and disabled
> all other authentication options?


Yes

My web.config file has the following:

<authentication mode="Forms">

<forms name=".ASPXAUTH" protection="All" timeout="60" />

</authentication>

If I change the authentication mode to None then I do not see the NT type
login, but then that is a problem because this site is pointing to an intranet
blog (powered by dasBlog) and not every user is allowed to have admin rights.

Thanks,
Po




Fransg [MSFT]

2005-07-11, 7:48 am

OK, correct me if I am wrong.
The webserver is not a member of a domain. So the webserver will not be able
to authenticate a user against the domain controller.
So this will mean that you need all users as local users on the server.
Since the server needs some form of authentication, if a user comes from
another machine, it will pop up a dialog box to prompt for Username and
Password.
If you have basic authentication enabled, the server will not be able to
verify the user's credentials unless it prompts for them.

From the local machine, the webserver will know who the logged on user is
and will not prompt you for credentials.
If the server was a domain member, it would have been able to find out who
the user will be thanks to Active Directory.


--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.


Pohihihi

2005-07-13, 6:02 pm

Yes, that is right. But the point is that I want any user (anyone in or out
of any domain) to be able to access the site but not be able to log in to
the server remotely (including domain admins). The blog site I am trying to
put on intranet has a login button and is shown at the time of local login
in the site as link for login page but other than that it should let any
user view pages without forcing them to log in as admin of that blog (login
is only for the owner of that blog). Ultimately my goal is to make that work
like any www.mysite.com server and still allow the owner to be able to log in
when needed. This is when I start getting the NT style login window when I try
to access that page from another computer.


Fransg [MSFT]

2005-07-15, 2:48 am

Still, you need user accounts on the webserver.
Possibly you can set anonymous access on your home page to prevent the logon
box from showing up.
When you need a user to log on, you can direct him to a page where they can
authenticate.

In that case you will need user accounts on the box. These accounts should be
strictly limited so they can only do what they need to do on the exact
locations.

But just for the public parts you could/should use anonymous.


--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.
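
Added example, not part of the original thread and not dasBlog's shipped configuration: one way to express the public/owner split suggested above in the application's web.config. It assumes IIS anonymous access is enabled for the site; the `admin` folder and `login.aspx` page are hypothetical names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added illustration; "admin" and "login.aspx" are hypothetical names. -->
<configuration>
  <system.web>
    <!-- ASP.NET-level login: unauthenticated requests to protected
         paths are redirected to loginUrl by the application. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx"
             protection="All" timeout="60" />
    </authentication>

    <!-- Public pages: everyone, including anonymous visitors. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Owner-only area: "?" matches anonymous users, so they are
       denied here and sent to the login page. -->
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Forms authentication answers a denied request with a redirect to `loginUrl`; a browser credential dialog is the result of an HTTP 401 challenge, which is issued at the IIS authentication or NTFS permission layer.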

Pohihihi

2005-07-15, 8:52 pm

Thanks Frans, I guess I will have to connect it to the domain. I might do some
research on blocking domain admins/users from logging in remotely or locally
to the machine (other than the accounts I want to permit).