Hi All,

I am stuck and could use some help.  For some reason, none of our
domain users can access our webpages unless they are added to the
Administrator group on the Web server and I can't figure out why. This
just started happening recently.

We have a local group called Users that conains our Domain Users.

Here is what I have done:

1. Checked that the users gruops has access to the Web Directory -
Users - yes
IIS_WFG - yes
System - yes
Administrators - yes
Users - yes

2. Checked the authentication method for the Website
- Integrated Windows Authentication

3. Looked at the logs for a persons not in the Adminstrators groups.
Here are a few lines:
2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 -  401
1 0
2007-12-04 21:28:28 W3SVC1786339847  GET /ts/index.html - 80 -  500
0 2148074244

So it looks like it is failing because it can't validate the user and
only works if the user is in the admin group.  Anyone have any idea
why?

Thanks in advance for your help!
-SJ

[ Post a follow-up to this message ]

Hi,

This isn't an IIS issue - something is happening lower down in the stack
(e.g. inside LSASS or similar).

The initial request is denied with an Unauthorized (401) HTTP status. The
client then appears to be sending credentials, and the server is returning
500. The Win32 status indicates an internal security error occurred.

I would start by looking in the Windows Event Logs to see if any errors are
being logged there.

Cheers
Ken


--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken


"SirCodesALot" <sjourdan@gmail.com> wrote in message
news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com...
> Hi All,
>
> I am stuck and could use some help.  For some reason, none of our
> domain users can access our webpages unless they are added to the
> Administrator group on the Web server and I can't figure out why. This
> just started happening recently.
>
> We have a local group called Users that conains our Domain Users.
>
> Here is what I have done:
>
> 1. Checked that the users gruops has access to the Web Directory -
>    Users - yes
>    IIS_WFG - yes
>    System - yes
>    Administrators - yes
>    Users - yes
>
> 2. Checked the authentication method for the Website
>    - Integrated Windows Authentication
>
> 3. Looked at the logs for a persons not in the Adminstrators groups.
> Here are a few lines:
>   2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 -  401
> 1 0
>   2007-12-04 21:28:28 W3SVC1786339847  GET /ts/index.html - 80 -  500
> 0 2148074244
>
> So it looks like it is failing because it can't validate the user and
> only works if the user is in the admin group.  Anyone have any idea
> why?
>
> Thanks in advance for your help!
> -SJ
>

[ Post a follow-up to this message ]

On Dec 5, 4:02 am, "Ken Schaefer" <kenREM...@THISadOpenStatic.com>
wrote:
> Hi,
>
> This isn't an IIS issue - something is happening lower down in the stack
> (e.g. inside LSASS or similar).
>
> The initial request is denied with an Unauthorized (401) HTTP status. The
> client then appears to be sending credentials, and the server is returning
> 500. The Win32 status indicates an internal security error occurred.
>
> I would start by looking in the Windows Event Logs to see if any errors ar
e
> being logged there.
>
> Cheers
> Ken
>
> --
> My IIS Blog:www.adOpenStatic.com/cs/blogs/ken
>
> "SirCodesALot" <sjour...@gmail.com> wrote in message
>
> news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com...
>
>
> 
> 
> 
> 
> 
> 
> 
> 
> 
>
> - Show quoted text -

Ken, thanks for your response! I will try looking into that way.

Thanks again,
-SJ

[ Post a follow-up to this message ]

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OHKs%23YyNIHA.5980@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> This isn't an IIS issue - something is happening lower down in the stack
> (e.g. inside LSASS or similar).
>
> The initial request is denied with an Unauthorized (401) HTTP status. The
> client then appears to be sending credentials, and the server is returning
> 500. The Win32 status indicates an internal security error occurred.
>
> I would start by looking in the Windows Event Logs to see if any errors
> are being logged there.
>

Indeed Ken, and might not the app trace be useful too, as it seems
by 500 that it is not handling the (unanticipated?) access denial.

Roger

> "SirCodesALot" <sjourdan@gmail.com> wrote in message
> news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com... 
>

[ Post a follow-up to this message ]

So this means you have looked in the event logs, and there seen
these domain users members successful at login, yet they are
denied access to the resource.   Right?  . . . or at least no failed
login events for them then if you don't log success?

If not so, was there a change in login rights, or in group nestings
recently?

Roger

"SirCodesALot" <sjourdan@gmail.com> wrote in message
news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com...
> Hi All,
>
> I am stuck and could use some help.  For some reason, none of our
> domain users can access our webpages unless they are added to the
> Administrator group on the Web server and I can't figure out why. This
> just started happening recently.
>
> We have a local group called Users that conains our Domain Users.
>
> Here is what I have done:
>
> 1. Checked that the users gruops has access to the Web Directory -
>    Users - yes
>    IIS_WFG - yes
>    System - yes
>    Administrators - yes
>    Users - yes
>
> 2. Checked the authentication method for the Website
>    - Integrated Windows Authentication
>
> 3. Looked at the logs for a persons not in the Adminstrators groups.
> Here are a few lines:
>   2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 -  401
> 1 0
>   2007-12-04 21:28:28 W3SVC1786339847  GET /ts/index.html - 80 -  500
> 0 2148074244
>
> So it looks like it is failing because it can't validate the user and
> only works if the user is in the admin group.  Anyone have any idea
> why?
>
> Thanks in advance for your help!
> -SJ
>

[ Post a follow-up to this message ]

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:uVTVd2JOIHA.4136@TK2MSFTNGP03.phx.gbl...
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:OHKs%23YyNIHA.5980@TK2MSFTNGP04.phx.gbl... 
>
> Indeed Ken, and might not the app trace be useful too, as it seems
> by 500 that it is not handling the (unanticipated?) access denial.

It could be, but Win32 error 2148074244 is SEC_E_INTERNAL_ERROR, which
indicates to me tha there is an error below IIS. IIS is then seeing this not
as an access denied, but some other error it is not equiped to handle, and
so IIS generates the 500 Internal Server Error, not the application. The
application probably isn't seeing the request at all

Cheers
Ken


> Roger
> 
>
>

[ Post a follow-up to this message ]

Check whether you have the correct user group settings under logon locally
right on server security policy.

"SirCodesALot" wrote:

> Hi All,
>
> I am stuck and could use some help.  For some reason, none of our
> domain users can access our webpages unless they are added to the
> Administrator group on the Web server and I can't figure out why. This
> just started happening recently.
>
> We have a local group called Users that conains our Domain Users.
>
> Here is what I have done:
>
> 1. Checked that the users gruops has access to the Web Directory -
>     Users - yes
>     IIS_WFG - yes
>     System - yes
>     Administrators - yes
>     Users - yes
>
> 2. Checked the authentication method for the Website
>     - Integrated Windows Authentication
>
> 3. Looked at the logs for a persons not in the Adminstrators groups.
> Here are a few lines:
>    2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 -  401
> 1 0
>    2007-12-04 21:28:28 W3SVC1786339847  GET /ts/index.html - 80 -  500
> 0 2148074244
>
> So it looks like it is failing because it can't validate the user and
> only works if the user is in the admin group.  Anyone have any idea
> why?
>
> Thanks in advance for your help!
> -SJ
>
>

[ Post a follow-up to this message ]