|
Home > Archive > Microsoft Content Management Server > July 2005 > Guest access not working from MCMS SE
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Guest access not working from MCMS SE
|
|
| SC Kevin 2005-07-14, 5:51 pm |
| Hi,
We are having trouble getting guest access to work in an environment with
two web servers accessing a single repository. We are using MCMS EE as an
authoring environment and MCMS SE for presentation. Both servers are in the
DMZ and are not members of a domain. We have a guest account (mcms_guest) set
up on both servers, with the same password. The SCA specifies
localmachine\mcms_guest as the guest user account and guest access is enabled
on both servers. For various reasons, we require guest access to work on both
servers.
Looking in Site Manager, the local accounts appear under the name of the
local machine, e.g. host1\mcms_guest. Both hosts are listed under “Supported
Windows NT Domains” but it is only possible to add a user if the account
exists on the host from which it is being added. I presume this is by design
and it appears as though the account details are being stored in the
repository as being local accounts, rather than the domain being stored
explicitly, otherwise accounts from both servers would be listed.
I’m sorry if this sounds convoluted, anyway, what is happening is that guest
access is working on the authoring server (EE) but not on the presentation
server (SE). If I try to access the site on the presentation server, I get a
login prompt. If I log in using my administrator account I can see the site,
otherwise I just get the “Access denied” message, which I understand comes
from MCMS. A manual login using the guest account does not work either.
I also understand that MCMS SE on the presentation server will be running in
“violation mode” because there are too many accounts set up on the authoring
server, including some groups, but that’s fine, because we only need
subscribers to be able to access the site.
MORE INFORMATION: because there are many users and groups set up on the
authoring server, most of these display as “Unknown” in Site Manager on the
presentation server. This is, I think, why we get the error “No mapping
between account names and security IDs was done. (1332)” if we try to add
users on the presentation server (MCMS SE). I can live with this, as I am
perfectly happy to do this on the authoring server, what I don’t want to have
to do is duplicate all of the Windows users and groups from one to the other
– all we really need is a couple of administrators and the guest account.
However, could this be what is causing the problem with guest access from the
presentation server and, if so, how do I get round it?
If you’re still with me, thanks for reading this far!
Kevin
| |
| Stefan [MSFT] 2005-07-14, 5:51 pm |
| Hi Kevin,
everything sounds correct.
Are you sure that anonymous access to IIS works correct?
If the configured account in IIS is not correct then you will get the same
behaviour.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
New to MCMS?
Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
----------------------
"SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
news:7FB93245-10CF-416E-B2D5-CDBB62E54EFA@microsoft.com...
> Hi,
>
> We are having trouble getting guest access to work in an environment with
> two web servers accessing a single repository. We are using MCMS EE as an
> authoring environment and MCMS SE for presentation. Both servers are in
> the
> DMZ and are not members of a domain. We have a guest account (mcms_guest)
> set
> up on both servers, with the same password. The SCA specifies
> localmachine\mcms_guest as the guest user account and guest access is
> enabled
> on both servers. For various reasons, we require guest access to work on
> both
> servers.
>
> Looking in Site Manager, the local accounts appear under the name of the
> local machine, e.g. host1\mcms_guest. Both hosts are listed under
> "Supported
> Windows NT Domains" but it is only possible to add a user if the account
> exists on the host from which it is being added. I presume this is by
> design
> and it appears as though the account details are being stored in the
> repository as being local accounts, rather than the domain being stored
> explicitly, otherwise accounts from both servers would be listed.
>
> I'm sorry if this sounds convoluted, anyway, what is happening is that
> guest
> access is working on the authoring server (EE) but not on the presentation
> server (SE). If I try to access the site on the presentation server, I get
> a
> login prompt. If I log in using my administrator account I can see the
> site,
> otherwise I just get the "Access denied" message, which I understand comes
> from MCMS. A manual login using the guest account does not work either.
>
> I also understand that MCMS SE on the presentation server will be running
> in
> "violation mode" because there are too many accounts set up on the
> authoring
> server, including some groups, but that's fine, because we only need
> subscribers to be able to access the site.
>
> MORE INFORMATION: because there are many users and groups set up on the
> authoring server, most of these display as "Unknown" in Site Manager on
> the
> presentation server. This is, I think, why we get the error "No mapping
> between account names and security IDs was done. (1332)" if we try to add
> users on the presentation server (MCMS SE). I can live with this, as I am
> perfectly happy to do this on the authoring server, what I don't want to
> have
> to do is duplicate all of the Windows users and groups from one to the
> other
> - all we really need is a couple of administrators and the guest account.
> However, could this be what is causing the problem with guest access from
> the
> presentation server and, if so, how do I get round it?
>
> If you're still with me, thanks for reading this far!
>
> Kevin
>
| |
| SC Kevin 2005-07-14, 5:51 pm |
| Hi Stefan,
As far as I can see it's OK. The CMS web site has "Enable Anonymous Access"
ticked. It also had "Integrate Windows Authentication" ticked - if I remove
that I don't get the login prompt any more - it just goes straight to the
"Access denied" message.
I tried creating another (non-CMS) web site on the same server, with
anonymous access, and that works.
Kevin
"Stefan [MSFT]" wrote:
> Hi Kevin,
>
> everything sounds correct.
> Are you sure that anonymous access to IIS works correct?
> If the configured account in IIS is not correct then you will get the same
> behaviour.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
> New to MCMS?
> Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
> ----------------------
>
>
> "SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
> news:7FB93245-10CF-416E-B2D5-CDBB62E54EFA@microsoft.com...
>
>
>
| |
| Stefan [MSFT] 2005-07-14, 5:51 pm |
| Hi Kevin,
this is no proof!
Please verify if the same anonymous user account is configured for all parts
of your site (e.g. using Metabase Explorer or an ADSI script).
Also check if the same password is set on all levels.
Then place a normal html file in a virtual directory and try to retrieve it.
Check if you get a 401 logged in IIS for this request.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
New to MCMS?
Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
----------------------
"SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
news:AE0BE2DA-0022-4EAA-95A1-872823E588F8@microsoft.com...[vbcol=seagreen]
> Hi Stefan,
>
> As far as I can see it's OK. The CMS web site has "Enable Anonymous
> Access"
> ticked. It also had "Integrate Windows Authentication" ticked - if I
> remove
> that I don't get the login prompt any more - it just goes straight to the
> "Access denied" message.
>
> I tried creating another (non-CMS) web site on the same server, with
> anonymous access, and that works.
>
> Kevin
>
> "Stefan [MSFT]" wrote:
>
| |
| SC Kevin 2005-07-14, 5:51 pm |
| Stefan,
AnonymousUserName and AnonymousUserPass only appear in one place, under
/LM/W3SVC - is that sufficient evidence?
Also, I tried a normal html file in the same virtual directory as the CMS
application and that was retrieved successfully (no error 401), so it does
seem to be a CMS issue.
Kevin
"Stefan [MSFT]" wrote:
> Hi Kevin,
>
> this is no proof!
> Please verify if the same anonymous user account is configured for all parts
> of your site (e.g. using Metabase Explorer or an ADSI script).
> Also check if the same password is set on all levels.
>
> Then place a normal html file in a virtual directory and try to retrieve it.
> Check if you get a 401 logged in IIS for this request.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
> New to MCMS?
> Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
> ----------------------
>
>
> "SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
> news:AE0BE2DA-0022-4EAA-95A1-872823E588F8@microsoft.com...
>
>
>
| |
| Stefan [MSFT] 2005-07-14, 5:51 pm |
| Hi Kevin,
still no prove.
MCMS uses ASP.NET and not static html pages.
So a permission problem on a resource of ASP.NET could cause the same issue.
It only proofs that the anonymous accounts works.
Ok, now please add a simple hello.aspx to your virtual directory and browse
to it.
Do you see a 401 in the IIS log?
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
New to MCMS?
Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
----------------------
"SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
news:47C19150-D5DE-4551-870C-B6F284FED9A0@microsoft.com...[vbcol=seagreen]
> Stefan,
>
> AnonymousUserName and AnonymousUserPass only appear in one place, under
> /LM/W3SVC - is that sufficient evidence?
>
> Also, I tried a normal html file in the same virtual directory as the CMS
> application and that was retrieved successfully (no error 401), so it does
> seem to be a CMS issue.
>
> Kevin
>
> "Stefan [MSFT]" wrote:
>
| |
| SC Kevin 2005-07-15, 7:50 am |
| Hi Stefan,
Yes, you're right - a normal aspx file gives the same problem - it won't run
unless I authenticate as an adminstrator. Can you give me some clues as to
what to check next?
Thanks,
Kevin
"Stefan [MSFT]" wrote:
> Hi Kevin,
>
> still no prove.
> MCMS uses ASP.NET and not static html pages.
> So a permission problem on a resource of ASP.NET could cause the same issue.
> It only proofs that the anonymous accounts works.
> Ok, now please add a simple hello.aspx to your virtual directory and browse
> to it.
> Do you see a 401 in the IIS log?
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
> New to MCMS?
> Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
> ----------------------
>
>
> "SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
> news:47C19150-D5DE-4551-870C-B6F284FED9A0@microsoft.com...
>
>
>
| |
| Stefan [MSFT] 2005-07-15, 7:50 am |
| Hi Kevin,
please check the credentials on the
C:\WINDOWS\Microsoft.NET\Framework and included directories and files.
"Users" need to have read&execute, List folder contents and read
permissions.
And the anonymous account needs to be a member of the users group.
If this does not help, please follow up on an ASP.NET related newsgroup as
these people would have more knowledge on the required rights.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
New to MCMS?
Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
----------------------
"SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
news:8DC60E3F-4C1C-4621-807A-DC386DB425AA@microsoft.com...[vbcol=seagreen]
> Hi Stefan,
>
> Yes, you're right - a normal aspx file gives the same problem - it won't
> run
> unless I authenticate as an adminstrator. Can you give me some clues as to
> what to check next?
>
> Thanks,
>
> Kevin
>
> "Stefan [MSFT]" wrote:
>
| |
| SC Kevin 2005-07-15, 7:50 am |
| Thanks Stefan,
I have checked all of this and everything looks OK, but it still doesn't
work. The anonymous account was not a member of users, only guests, so I
added it to users, but that didn't help (in any case, it is only a member of
guests on the machine that DOES work). The ASPNET account was already a
member of users. I have even rebooted the server just in case; still no joy.
I will do as you suggest and enquire elsewhere. Maybe this server has been
"over-enthusiastically" locked down.
Thanks for your help - I may be back!
Kevin
"Stefan [MSFT]" wrote:
> Hi Kevin,
>
> please check the credentials on the
>
> C:\WINDOWS\Microsoft.NET\Framework and included directories and files.
>
> "Users" need to have read&execute, List folder contents and read
> permissions.
>
> And the anonymous account needs to be a member of the users group.
>
> If this does not help, please follow up on an ASP.NET related newsgroup as
> these people would have more knowledge on the required rights.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
> New to MCMS?
> Check out this book: Building Websites Using MCMS: http://tinyurl.com/6zj44
> ----------------------
>
>
> "SC Kevin" <SCKevin@discussions.microsoft.com> wrote in message
> news:8DC60E3F-4C1C-4621-807A-DC386DB425AA@microsoft.com...
>
>
>
| |
| SC Kevin 2005-07-15, 5:56 pm |
| Update - I've discovered that the problem is not with asp.net itself, but is
specific to the CMS application - there's something in the web.config it
doesn't like, but I don't know what yet. If I delete the web.config, the aspx
runs OK, though obviously the CMS site doesn't because it needs the
web.config. This was just copied from the other server, so I don't know
what's wrong with it - I'll have a closer look later.
"SC Kevin" wrote:
[vbcol=seagreen]
> Thanks Stefan,
>
> I have checked all of this and everything looks OK, but it still doesn't
> work. The anonymous account was not a member of users, only guests, so I
> added it to users, but that didn't help (in any case, it is only a member of
> guests on the machine that DOES work). The ASPNET account was already a
> member of users. I have even rebooted the server just in case; still no joy.
>
> I will do as you suggest and enquire elsewhere. Maybe this server has been
> "over-enthusiastically" locked down.
>
> Thanks for your help - I may be back!
>
> Kevin
>
> "Stefan [MSFT]" wrote:
>
| |
| SC Kevin 2005-07-26, 7:57 am |
| For info, I resolved this problem, but I still don't know what caused it. It
appeared to be a CMS issue, not a .NET issue, because I'm fairly sure the
error was being generated by the CMS Authorisation module, which was refusing
guest access. Connecting the SE server to our live repository, as opposed to
the test repository I was trying it out on (generally a good plan!) worked.
There must be something "odd" about the test repository, but I can't figure
out what.
"SC Kevin" wrote:
[vbcol=seagreen]
> Update - I've discovered that the problem is not with asp.net itself, but is
> specific to the CMS application - there's something in the web.config it
> doesn't like, but I don't know what yet. If I delete the web.config, the aspx
> runs OK, though obviously the CMS site doesn't because it needs the
> web.config. This was just copied from the other server, so I don't know
> what's wrong with it - I'll have a closer look later.
>
> "SC Kevin" wrote:
>
|
|
|
|
|