IIS Server Security - Help with password prompt

Jason

2006-06-01, 1:16 pm

Our website runs on a Windows 2003 server using IIS. Anonymous access is
enabled on the default website with a domain user account that has
administrative rights to the server. Integrated Windows Authentication is
also checked.

Users on our LAN connect to the website on the server with no problem
(meaning, they are not prompted for a username & password).

However, if you try to access the same website from a Terminal Server, you
get prompted to enter a username and password.

Can anyone suggest ways that authentication is either not required at all,
or at least invisible to the user? This web server is only used internally,
so we don't need super high security.

Thanks,

Jason
Miha Pihler [MVP]

2006-06-01, 1:16 pm

Hi Jason,

If you want anonymous connection to work, make sure that the user account that
is assigned for anonymous access has read permissions on the web content of
the site. It looks like right now the anonymous account does not have NTFS
permissions...

IIS will always honor the NTFS permissions...

Also -- you should not grant administrator permissions to the anonymous account.
It can be very dangerous for the security of your server...

--
Mike
Microsoft MVP - Windows Security

"Jason" <Jason@discussions.microsoft.com> wrote in message
news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com...
> Our website runs on a Windows 2003 server using IIS. Anonymous access is
> enabled on the default website with a domain user account that has
> administrative rights to the server. Integrated Windows Authentication is
> also checked.
>
> Users on our LAN connect to the website on the server with no problem
> (meaning, they are not prompted for a username & password).
>
> However, if you try to access the same website from a Terminal Server, you
> get prompted to enter a username and password.
>
> Can anyone suggest ways that authentication is either not required at all,
> or at least invisible to the user? This web server is only used internally,
> so we don't need super high security.
>
> Thanks,
>
> Jason



Jason

2006-06-01, 7:16 pm

Thanks Mike, but since the anonymous account has administrator permissions
not only to the website, but the server itself, I would not think that the
problem is a permissions issue? At least as far as the Anonymous Account is
concerned?

"Miha Pihler [MVP]" wrote:

> Hi Jason,
>
> If you want anonymous connection to work, make sure that user account that
> is assigned for anonymous access has read permissions on the web content to
> the site. It looks like right now the anonymous account does not have NTFS
> permissions...
>
> IIS will always honor the NTFS permissions...
>
> Also -- you should not grant administrator permissions to anonymous account.
> It can be very dangerous for security of your server...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Jason" <Jason@discussions.microsoft.com> wrote in message
> news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com...
>
>
>

Miha Pihler [MVP]

2006-06-01, 7:16 pm

Hi,

I don't know how permissions are set on the folder where your web content is
stored. My advice is to first check that this user has permissions (at least
read) on the folder where the web content is.

You can lock out even an administrator from the folder - the only difference is
that an administrator (or a member of the Administrators group) can take ownership
and with it permissions to the folder.

--
Mike
Microsoft MVP - Windows Security

"Jason" <Jason@discussions.microsoft.com> wrote in message
news:452C9436-A0CE-4C9A-B098-311B31DE3E5C@microsoft.com...
> Thanks Mike, but since the anonymous account has administrator permissions
> not only to the website, but the server itself, I would not think that the
> problem is a permissions issue? At least as far as the Anonymous Account is
> concerned?
>
> "Miha Pihler [MVP]" wrote:
>


Jason

2006-06-01, 7:16 pm

The user has full control permissions on the web content folders, plus admin
rights on the machine.

"Miha Pihler [MVP]" wrote:

> Hi,
>
> I don't know how permissions are set on the folder where your web content is
> stored. My advice is to first check that this user has permissions (at least
> read) on the folder where the web content is.
>
> You can lock out even administrator from the folder - the only difference is
> that administrator (or member of administrators group) can take ownership
> and with it permissions to the folder.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Jason" <Jason@discussions.microsoft.com> wrote in message
> news:452C9436-A0CE-4C9A-B098-311B31DE3E5C@microsoft.com...
>
>
>

WenJun Zhang[msft]

2006-06-02, 7:19 am

Hi Jason,

If the server has been applied with SP1, the familiar cause is the new
loopback check security feature. Please take a look at the following
article:

896861 You receive error 401.1 when you browse a Web site that uses Integrated
http://support.microsoft.com/?id=896861

Another possible cause is that 3 group policy permissions may be missing
for the IIS anonymous (IUSR) account. You should check them in the
server's local security policy and your domain security policy on the DC:

- Access this computer from the network

- Log on locally

- Log on as a batch job

Refer to:

275167 PRB: Anonymous access fails with an HTTP 401.1 error after you join an
http://support.microsoft.com/?id=275167

Please let me know how the thing is going. Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.
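
One way to check the three user rights listed in the post above, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and reports each right as granted, missing, or overridden by its deny counterpart. The account name `IUSR_WEB01` and the sample export are constructed; a real export is UTF-16, so read it with `encoding="utf-16"`.

```python
REQUIRED = {  # user-right constant -> policy name used in the post
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeInteractiveLogonRight": "Log on locally",
    "SeBatchLogonRight": "Log on as a batch job",
}
# Each allow right has a SeDeny* counterpart that overrides it.
DENY = {r: r.replace("Se", "SeDeny", 1) for r in REQUIRED}

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; account names are written bare.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def audit_account(inf_text, principals):
    """principals: the account name plus SIDs of the groups it belongs to."""
    ids = {p.lower() for p in principals}
    rights = parse_privilege_rights(inf_text)
    report = {}
    for right in REQUIRED:
        if rights.get(DENY[right], set()) & ids:
            report[right] = "denied"
        elif rights.get(right, set()) & ids:
            report[right] = "granted"
        else:
            report[right] = "missing"
    return report

# Constructed sample export (not from the thread); IUSR_WEB01 is hypothetical.
SAMPLE = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,IUSR_WEB01
SeBatchLogonRight = *S-1-5-32-544,IUSR_WEB01
SeDenyBatchLogonRight = IUSR_WEB01
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for right, state in audit_account(SAMPLE, {"IUSR_WEB01"}).items():
        print(f"{REQUIRED[right]:40} {state}")
```

Pass the SIDs of the account's groups along with its name, since a right is usually held through a group rather than assigned to the account directly.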



WenJun Zhang[msft]

2006-06-06, 1:23 pm

Hi Jason,

I haven't heard back from you yet. I am just writing to see how everything
is going. I would appreciate it if you could get back to me at your earliest
convenience.

If you have any questions or concerns related to this issue, please drop me
a note.

I appreciate your time and I look forward to hearing from you.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================

Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:

BCPS:
https://partner.microsoft.com/US/te...erview/40010469
Others: https://partner.microsoft.com/US/te...upportoverview/

If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.


