|
Home > Archive > FrontPage Server Extensions for Windows > May 2005 > Win 2003 SP1 FrontPage Problem
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Win 2003 SP1 FrontPage Problem
|
|
| Tangentwizard 2005-04-13, 2:50 am |
| Once I installed SP1 for 2003 can no longer log into a website vai Front
Page, gives me a accesed denied message.
These websites are on my local system.
Enter them into the host file as
site.local 192.168.0.1
othersite.local 192.168.0.1
this worked fine before now doesn't can still access vai the browser but can
not login via FrontPage.
Can still login into the default web site.
any sugestions answers?
| |
| Cari \(MS-MVP\) 2005-04-13, 2:50 am |
| Known problem, I hope they're working on it. All I've seen so far is the
generic "uninstall SP1" which is not really the answer.
(In other words.... me too!)
--
Cari (MS-MVP)
Printing & Imaging
In Loving Memory of our dear friend Alex Nichol MVP
"Tangentwizard" <Tangentwizard@discussions.microsoft.com> wrote in message
news:A24A1D1C-DCBF-4808-A6A0-53C1D25D3E8D@microsoft.com...
> Once I installed SP1 for 2003 can no longer log into a website vai Front
> Page, gives me a accesed denied message.
>
> These websites are on my local system.
>
> Enter them into the host file as
>
> site.local 192.168.0.1
> othersite.local 192.168.0.1
>
> this worked fine before now doesn't can still access vai the browser but
> can
> not login via FrontPage.
>
> Can still login into the default web site.
>
> any sugestions answers?
>
| |
| Brian Williams 2005-04-13, 8:50 pm |
| what is the status of this thread
my server is still broke. 
"Tangentwizard" <Tangentwizard@discussions.microsoft.com> wrote in message
news:A24A1D1C-DCBF-4808-A6A0-53C1D25D3E8D@microsoft.com...
> Once I installed SP1 for 2003 can no longer log into a website vai Front
> Page, gives me a accesed denied message.
>
> These websites are on my local system.
>
> Enter them into the host file as
>
> site.local 192.168.0.1
> othersite.local 192.168.0.1
>
> this worked fine before now doesn't can still access vai the browser but
> can
> not login via FrontPage.
>
> Can still login into the default web site.
>
> any sugestions answers?
| |
| dougshome 2005-04-14, 9:03 am |
| I just discovered this last night. I assumed it was the SP1 update I installed last week but wasn't sure. FP extentions are pretty quirky anyway. The existing AdvancedAuthor account is still working but if she forgets her password she's outta luck. Unfortunately, I was just setting her up with a new domain to play with. Ahh... Microsoft! If/when I find a fix I'll post it.
Doug | |
| dougshome 2005-04-14, 3:48 pm |
| After a little digging (mostly on this site) it's conclusive; uninstall SP1 until Microsoft solves the issue. I'm guessing there are other issues we have not stumbled upon yet.
I uninstalled it and all was fine! | |
| monty_ray 2005-04-14, 4:31 pm |
| I am having this same problem, BUT I found a work around that might work for some people.
If you cannot 'Check Server Extensions' from the server, try doing it from a different machine, remotely.
When I remote desktop into the server, it doesn't work for any Host Header sites. The only sites that will work are the default site and sites that have their own IP address. What I have to do with host header sites is take the http://www.domain.com/_vti_bin/_vti...l?page=user.htm and put it into a browser on another machine (in this case, my workstation). My administrator U/P works perfectly if I do it like this, but not on the server.
I hope this helps out some other people while we wait for MS to fix this.
-Matt | |
| Kathleen Anderson [MVP - FrontPage] 2005-04-16, 7:47 am |
| Please contact Microsoft Product Support Services:
http://support.microsoft.com/oas/de...827&gprid=36987
if this problem was caused by the Service Pack, there's no charge for the
call.
--
~ Kathleen Anderson
Microsoft MVP - FrontPage
Spider Web Woman Designs
web: http://www.spiderwebwoman.com/resources/
blog: http://msmvps.com/spiderwebwoman/category/321.aspx
"Tangentwizard" <Tangentwizard@discussions.microsoft.com> wrote in message
news:A24A1D1C-DCBF-4808-A6A0-53C1D25D3E8D@microsoft.com...
> Once I installed SP1 for 2003 can no longer log into a website vai Front
> Page, gives me a accesed denied message.
>
> These websites are on my local system.
>
> Enter them into the host file as
>
> site.local 192.168.0.1
> othersite.local 192.168.0.1
>
> this worked fine before now doesn't can still access vai the browser but
> can
> not login via FrontPage.
>
> Can still login into the default web site.
>
> any sugestions answers?
| |
| Michael Middleton 2005-04-22, 5:58 pm |
| Cari (MS-MVP) wrote:
> Known problem, I hope they're working on it. All I've seen so far is the
> generic "uninstall SP1" which is not really the answer.
Same issue here on two Windows 2003 boxes, running FPSE that came with
the Standard Edition. Standalone boxes, no AD. SP1 broke two
FPSE-related things... local access to the Admin for the extensions and
customers being able to publish. The behavior, as documented here
several times, is that the domain name is prepended to the username so
the security provider it tries is not a security provider, eventually it
401s. Others have described it in more detail. I think it's a kerberos
issue.
I did NOT uninstall SP1....
I did the following things:
1. verified that the MsSharePointApplicationPool is running as Local
Service (not Network or a user).
2. Applied the reg hack per
http://support.microsoft.com/defaul...kb;en-us;896861
to disable loopback checking (loopback name <> virtual domain names)
3. Verified that Local Service has access to the roles.ini files
( they are in C:\Documents and Settings\All Users\Application
Data\Microsoft\Web Server Extensions\50, verify the low-level security
is not inherited and includes the SYSTEM group ).
4. Verified that Local Service has access perms to the Web Server
Extension subkeys ( HKLM\Software\Microsoft\Shared Tools\ especially the
security key )
Then just for S&Gs:
5. Upgraded all sites to 5.0.2.6738, ran Server Health, all boxes checked.
So far it looks good, I can run the Server Admin both locally and from
my Firefox. Customer complaints have stopped.
Can someone else try this 'fix' and see if we also need to allow clear
text auth for our bottom-feeding customers? I have someone lined up to
test in a few hours who uses IE and has serveral sites with us.
Thanks,
Mike Middleton
http://www.m13.net
| |
| Jim Cheshire \(JIMCO\) 2005-04-27, 5:52 pm |
| Michael Middleton wrote:
> Cari (MS-MVP) wrote:
>
What you are experiencing here is not a "problem" that Microsoft is working
on. It is a security loophole that was closed with SP1. It prevents NTLM
authentication from working in some instances.
In cases where you are in a closed environment, you can register an SPN and
use Kerberos. If you cannot use Kerberos, you will have to use Basic.
--
Jim Cheshire
JIMCO
http://www.jimcoaddins.com
New Spawn Version!
Version 1.9.6 adds new features!
Get it today FREE at:
http://www.jimcoaddins.com
| |
| Michael Middleton 2005-04-27, 8:50 pm |
| Understood. You have commented on the word "problem" which was in the
post I was replying to. So to be clearer:
To the SysAdmins with public Web Servers and many Virtual Domains who
applied SP1 and got flooded with customer complaints about FrontPage not
publishing and those who couldn't run the local Admin interface for
FPSEs ... it's a "problem" enough for them that many un-installed SP1.
My intention was to offer an alternative to uninstalling SP1; namely, to
stop checking the loopback for the domain name of the virtual, 'cause it
ain't in there. MS felt it was an important enough issue to have issued
a KB on it.
Peace,
Mike
> Michael Middleton wrote:
>
>
> What you are experiencing here is not a "problem" that Microsoft is working
> on. It is a security loophole that was closed with SP1. It prevents NTLM
> authentication from working in some instances.
>
> In cases where you are in a closed environment, you can register an SPN and
> use Kerberos. If you cannot use Kerberos, you will have to use Basic.
>
| |
| Jim Cheshire \(JIMCO\) 2005-04-28, 7:54 am |
| Michael Middleton wrote:
> Understood. You have commented on the word "problem" which was in the
> post I was replying to. So to be clearer:
>
> To the SysAdmins with public Web Servers and many Virtual Domains who
> applied SP1 and got flooded with customer complaints about FrontPage
> not publishing and those who couldn't run the local Admin interface
> for FPSEs ... it's a "problem" enough for them that many un-installed
> SP1.
And that's good information. However, the real problem here is that hosting
companies are inappropriately using NTLM authentication instead of Basic.
NTLM was never designed to be used over the Internet for many reasons, one
of which is that it does not allow for delegation of credentials.
In short, if the admins at these hosting companies were as technically adept
as they should be, they wouldn't have had the problem.
--
Jim Cheshire
JIMCO
http://www.jimcoaddins.com
New Spawn Version!
Version 1.9.6 adds new features!
Get it today FREE at:
http://www.jimcoaddins.com
| |
| Michael Middleton 2005-04-29, 2:54 am |
| Jim,
OK, interesting.
Let's say that Technically Inept Admin has a Windows 2003 box with
FrontPage sites all over it, virtual domains. Let's say it hosts a web
domain "customersite.com" (which is FPSE enabled). T.I.A. checks his
Windows Updates regularly. He installs SP1 on Patch Tuesday of April 2005.
15 minutes later, the owner of customersite.com is on the phone, "I
can't publish to my site, it was working fine, but now when I put my
name and password in the form, it just brings me back to the form again,
but this time has added "customersite.com\" in front of my name, I try
again and again, then get an error 401. What did you do to break my site?"
So T.I.A. tries it himself, and can't even get the Server Admin site to
load on the local box, same sort of error. Grasping at straws, T.I.A.
comes to this newsgroup (and others) looking for an answer and sees lots
of people with this problem, and the only solution offered is
"un-install SP1".
So... he does.
I am saying that SP1 added a security check of the loopback adapter
which needs to be disabled in that environment. SP1 need not be
un-installed before at least trying:
http://support.microsoft.com/defaul...kb;en-us;896861
And make sure the new AppPool is running in the correct user context
(Local Service).
That solution has worked for me, however we T.I.A's do sometimes get lucky.
Your solution has something to do with NTLM authentication. But I am
confused. What exactly should T.I.A. do to make his customer happy
again? Just checking the box "basic" for the authentication on the web
application for customersite.com will not fix this (it's an error
accessing _vti_bin virtual which is now controlled by a new Application,
running in a new user's context with new security configurations).
Can you explain how this perfectly-working FPSE site on a shared public
IIS6 server being broken after W2K3's SP1 is due to a technically inept
admin? I am not getting what you're saying to try, specifically, as the
best course of action in this situation (note the careful non-use of the
"p" word). I freely admit I have much to learn, but I can't believe the
Admins who un-installed SP1 due to this are all inept and all to blame.
Mike
>
>Jim Cheshire (JIMCO) wrote:
> And that's good information. However, the real problem here is that hosting
> companies are inappropriately using NTLM authentication instead of Basic.
> NTLM was never designed to be used over the Internet for many reasons, one
> of which is that it does not allow for delegation of credentials.
>
> In short, if the admins at these hosting companies were as technically adept
> as they should be, they wouldn't have had the problem.
>
| |
| Jim Cheshire \(JIMCO\) 2005-04-29, 7:59 am |
| Michael Middleton wrote:
>
> Can you explain how this perfectly-working FPSE site on a shared
> public IIS6 server being broken after W2K3's SP1 is due to a
> technically inept admin? I am not getting what you're saying to try,
> specifically, as the best course of action in this situation (note
> the careful non-use of the "p" word). I freely admit I have much to
> learn, but I can't believe the Admins who un-installed SP1 due to
> this are all inept and all to blame.
I never said that they were technically inept. I said that they were not as
technically adept as they should be if they are relying on NTLM
authentication over the Internet. Anyone who understands how NTLM works
would never choose it in an Internet environment. I submit that if you are
an administrator for a hosting company, you should know how authentication
methods work.
I also pointed out that the most common reason for 401s appearing
immediately after installing SP1 on Windows 2003 is a fix in SP1 that
prevents man-in-the-middle attacks via NTLM.
The above two pieces of information are fact, not hyperbole. Don't get
carried away and claim that I called admins inept and that everything was
their fault.
--
Jim Cheshire
JIMCO
http://www.jimcoaddins.com
New Spawn Version!
Version 1.9.6 adds new features!
Get it today FREE at:
http://www.jimcoaddins.com
| |
| Michael Middleton 2005-05-02, 5:50 pm |
|
>
>
>
> I never said that they were technically inept. I said that they were not as
> technically adept as they should be if they are relying on NTLM
> authentication over the Internet. Anyone who understands how NTLM works
> would never choose it in an Internet environment. I submit that if you are
> an administrator for a hosting company, you should know how authentication
> methods work.
I am no longer having this problem. I am trying to give clear and
specific helpful suggestions to the Admins who found FrontPage broken
after SP1.
>
> I also pointed out that the most common reason for 401s appearing
> immediately after installing SP1 on Windows 2003 is a fix in SP1 that
> prevents man-in-the-middle attacks via NTLM.
How does an Admin deal with the situation, in your view, short of
uninstalling SP1? That's what you have not told us.
Mike
| |
| Jim Cheshire \(JIMCO\) 2005-05-02, 5:50 pm |
| Michael Middleton wrote:
>
> How does an Admin deal with the situation, in your view, short of
> uninstalling SP1? That's what you have not told us.
>
But I have! Don't use NTLM. Use Basic.
--
Jim Cheshire
JIMCO
http://www.jimcoaddins.com
New Spawn Version!
Version 1.9.6 adds new features!
Get it today FREE at:
http://www.jimcoaddins.com
| |
|
| Thank you Michael,
http://support.microsoft.com/defaul...kb;en-us;896861
worked for me. Uninstalling sp1 was not something I wanted to do and I have
to use NTLM because this is a dev machine, I debug with Visual Studio and i
have qualified host names for my various IIS sites.
al
PS. It has been over a year since I have had to read this newsgroup, I
guess thats a testimony to the stability that has finally been achieved with
Windows 2003 and FrontPage 2003.
"Michael Middleton" <mike@m13.net> wrote in message
news:z9sde.2$fx3.0@okepread02...
>
>
> I am no longer having this problem. I am trying to give clear and
> specific helpful suggestions to the Admins who found FrontPage broken
> after SP1.
>
>
> How does an Admin deal with the situation, in your view, short of
> uninstalling SP1? That's what you have not told us.
>
> Mike
| |
|
| NTLM was not the issue with the Win 2003 sp1 installation.
We don't use NTLM and were adversely affected by the installation of Win 2k3
sp1.
[Note posts below in which Thomas Rowe and Kathleen Anderson came to our
aid.]
Uninstallation of Win 2k3 sp1 solved our problem, completely.
--
-
"Jim Cheshire (JIMCO)" <contactme@mysite.com> wrote in message
news:e51OKF1TFHA.616@TK2MSFTNGP12.phx.gbl...
Michael Middleton wrote:
>
> How does an Admin deal with the situation, in your view, short of
> uninstalling SP1? That's what you have not told us.
>
But I have! Don't use NTLM. Use Basic.
--
Jim Cheshire
JIMCO
http://www.jimcoaddins.com
New Spawn Version!
Version 1.9.6 adds new features!
Get it today FREE at:
http://www.jimcoaddins.com
| |
| Jim Cheshire 2005-05-20, 2:47 am |
| Dana wrote:
> NTLM was not the issue with the Win 2003 sp1 installation.
>
> We don't use NTLM and were adversely affected by the installation of
> Win 2k3 sp1.
> [Note posts below in which Thomas Rowe and Kathleen Anderson came to
> our aid.]
>
>
> Uninstallation of Win 2k3 sp1 solved our problem, completely.
>
Note that I said "the most common reason for 401s." I did not say that it
was the ONLY cause for 401s.
Uninstalling SP1 is not a good idea. Your problem is likely caused by the
loopback issue that is widely known and addressed in many places in this
group.
--
Jim Cheshire
JIMCO
http://www.jimcoaddins.com
The premiere add-in and software source
for Microsoft FrontPage.
|
|
|
|
|