IIS Integrated Windows Authentication problem

Brian P. Mueller

Jun 21, 2002, 2:51:07 PM
Greetings,

I've run into a rather strange problem and I hope someone
else may have seen it.

My simplified test setup:

- Windows 2000 server, IIS 5.0
- A simple web application (under the default site), set
to Integrated Windows Authentication only.
- The web app consists of just a default.htm page.
- The Everyone group has full control of the web
directory.

Here's the problem. Some domain users cannot access the
site and receive a "The page cannot be displayed" error.
There seems to be no common security settings/permissions
among the users that are failing. I turned on auditing
and it appears that the authentication is never even
attempted - there are no logon successes or failures,
nothing (the users that work do show up in the log), just
an instant error page.

This problem happens with every secured web application
on every server I've tried, even on an XP workstation
(IIS 5.1). I'm running out of things to try. I can't see
anything about the user accounts that would prevent them
from authenticating to IIS.

I've never encountered anything like this before. Any
ideas?

Thanks,
Brian

Brian P. Mueller

Jun 21, 2002, 3:37:41 PM
Just a couple more details I left out:

- The servers in question have the .Net framework
installed, but the framework is not being used by the
test site.

- After extensive searching in the IIS logs, it appears
that behind the scenes I'm actually getting a 401.5 error:

HTTP 401.5 - Unauthorized: Authorization by ISAPI or CGI
application failed

The user never gets the 401.5 error page however.

Thanks,
Brian


Lisa Cozzens

Jun 21, 2002, 7:50:24 PM
Hi Brian,

In Internet Explorer, go to Tools -> Internet Options -> Advanced tab,
scroll down a little ways and make sure that there is NOT a check mark next
to "Show friendly HTTP error messages." Then try hitting the page again,
using the credentials of one of the users that can't access it. Scroll all
the way down to the bottom of the error page. What is the exact error that
you see?

Make sure that all the accounts have the "Access this computer from the
network" right, and that they *don't* have the "Deny access to this
computer from the network" right. (Administrative Tools -> Local Security
Policy -> Local Policies -> User Rights Assignment.) By default, the
Everyone group has the first right, and no one has the second right, but
just double check to make sure these haven't gotten changed.

Make sure that you can log in properly as those users -- the accounts
aren't locked out, the passwords haven't expired, etc.

Download Filemon and Regmon from www.sysinternals.com. Run these programs
on the web server while you hit the page using a failing user's
credentials. Save the logs and review them. Look for any "access denied's"
or similarly suspicious messages coming from inetinfo.exe or dllhost.exe.

Hope this helps,
Lisa

-----
Have you installed the new cumulative security patch for IIS?
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.

© 2002 Microsoft Corporation. All rights reserved.

David Wang [MS]

Jun 30, 2002, 1:55:58 AM
401.5 is an access denied response sent by an ISAPI or CGI application, meaning
the request reached an ISAPI or CGI and the ISAPI/CGI itself sent the 401
response. Your users authenticated fine; if they didn't, you'd get 401.1. If
they didn't have rights to access the resource, you'd get a 401.3.

What URL results in this failure (or is it any random URL)? It must be a
certain URL because otherwise it would not be 401.5.

Due to IE's "Friendly HTTP Error" feature, a lot of errors, including 401.X,
turn into a generic "page can't be displayed" error.

--
//David

"Brian P. Mueller" <bpmu...@hotmail.com> wrote in message
news:115e601c2195b$1b7165d0$3bef2ecf@TKMSFTNGXA10...
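
The substatus distinction David Wang describes above, applied to log triage as an added example (not part of any post in the thread): it separates the normal 401/401/200 Integrated authentication handshake from requests that end in a 401, and names the final substatus. It assumes a W3C extended log that includes the sc-substatus field, which IIS 6.0 and later can record; the sample log lines, addresses and user names are constructed.

```python
from collections import defaultdict

# 401 substatus meanings as documented for IIS.
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "denied by ACL on the resource",
    "4": "denied by a filter",
    "5": "denied by an ISAPI or CGI application",
}

# Constructed sample log (not from the thread); sc-substatus logging is assumed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri-stem sc-status sc-substatus
2002-07-02 10:00:01 192.0.2.10 - /default.htm 401 2
2002-07-02 10:00:01 192.0.2.10 - /default.htm 401 1
2002-07-02 10:00:01 192.0.2.10 EXAMPLE\\alice /default.htm 200 0
2002-07-02 10:05:00 192.0.2.20 - /default.htm 401 2
2002-07-02 10:05:00 192.0.2.20 - /default.htm 401 1
2002-07-02 10:05:00 192.0.2.20 - /default.htm 401 1
2002-07-02 10:07:00 192.0.2.30 EXAMPLE\\bob /app/report.dll 401 5
"""

def parse_w3c(text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage_401(text):
    """Map (client, uri) to a verdict for every pair that received a 401."""
    seen = defaultdict(list)
    for row in parse_w3c(text):
        seen[(row["c-ip"], row["cs-uri-stem"])].append(
            (row["sc-status"], row.get("sc-substatus", "?")))
    verdicts = {}
    for key, hits in seen.items():
        denied = [sub for status, sub in hits if status == "401"]
        if not denied:
            continue
        if hits[-1][0][0] in "23":  # final response succeeded or redirected
            verdicts[key] = "handshake completed"
        else:
            reason = SUBSTATUS.get(denied[-1], "unknown substatus")
            verdicts[key] = "failed: 401.%s %s" % (denied[-1], reason)
    return verdicts
```

A client whose verdict is "handshake completed" only produced the 401s that are expected while credentials are negotiated; the "failed" entries are the ones worth correlating with the security audit log.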

David Rude

Jul 1, 2002, 5:02:42 AM
I am having this same exact problem with a slight twist. Remotely (via my
LAN) I can access IIS just fine; I get the name/password dialog and
everything works. Locally I get the mysterious 'page cannot be displayed'
error, no logon dialog, 401's in the IIS log, and *no* failures in the
audit log. It's like it never even attempts to access the files. I've
verified everything I can think of. Locally I am logged in as Administrator.
I'm fairly sure it is not the NTFS permissions as I can use the same local
account name/pwd remotely and the credentials work just fine and I see the
audit successes. The only way I get local access is to enable anonymous
and/or use Basic auth. without Integrated.

My config is, WinXP Pro, MS.NET, VS.NET and all the available SPs, etc...
IIS integrated security only.
My remote machine is Win98SE, no proxies anywhere. Accessing via
//machinename, just trying to access default.htm.

My basic NTFS permissions on wwwroot are: Administrators, Users, CREATOR
OWNER, SYSTEM, VS Developers, and IUSR_ All have read/execute or better.

I've messed with this for 2 days now and I just can't figure it out.

Any ideas?
david

"Brian P. Mueller" <bpmu...@hotmail.com> wrote in message
news:115e601c2195b$1b7165d0$3bef2ecf@TKMSFTNGXA10...

Scott Stahlman [MS]

Jul 1, 2002, 4:44:43 PM
When you make the remote HTTP connection to the web server what is shown in
the browser as the URL? Are you trying to connect the same way locally?
Do you have ISA installed, is your IIS server on the same subnet as the
remote machine? Try by IP address?
Good luck!

JUNE 12th: A new Security patch is available for IIS 4.0 and 5.0. This
patch is not a cumulative patch.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-028.asp

Thanks,
Scott
IIS Support

David Rude

Jul 1, 2002, 6:24:57 PM
For me, I use http://machinename remotely. Locally I've tried machinename,
localhost and the IP address. All fail the exact same way.

Both machines are on the same subnet, both have static (and sequential) IPs.
I do not have ISA installed.

I've also tried to force the authentication locally by changing my IE
setting to always ask for a username/pwd. IE will in fact ask for it but
the credentials always fail to give access, again with nothing whatsoever in
the audit log showing that access failed. And the IIS log still shows the
401 failures. These same credentials work flawlessly on remote machines.

I've even gone so far as creating a new user account, giving it
permissions, and using IE with 'run as..' and then using the new user/pwd.
Works remotely but still does not work locally.

Any other ideas?

thanks,
david

"Scott Stahlman [MS]" <scot...@Onlinemicrosoft.com> wrote in message
news:WVUAIAUICHA.2556@cpmsftngxa07...

Scott Stahlman [MS]

Jul 1, 2002, 8:55:11 PM
What pages are you trying to access, I mean which page opens when you
access it from the remote machine? Locally on the server highlight the
default web site and in the right pane look for a file called
PostInfo.HTML, right click it and select browse, and see what happens.
This should provide us a clue!

David Rude

Jul 2, 2002, 2:08:22 AM
I am just trying to browse http://machinename/default.htm

For browsing postinfo.html I assume you mean in MMC under the IIS section?
If yes, then I get the same error as trying to browse any other file with
IE. If you mean just through the file explorer on the file system, then yes
I can open the file just fine.

But here's something interesting. I just realized that I can connect to the
web with FrontPage with no problems, even locally. And I can publish to the
site. I just can't browse it with IE locally.

This is really strange, anything else?

david

"Scott Stahlman [MS]" <scot...@Onlinemicrosoft.com> wrote in message

news:jXTgIMWICHA.3576@cpmsftngxa07...

David Wang [MS]

Jul 2, 2002, 3:52:27 AM
I'd love to be able to get a network sniff of the failing traffic, but it is on
the local machine, so it won't be possible. It seems that you are somehow
failing on the local-machine case to get IIS to try to LogonUser and access the
resource, which is weird.

--
//David

"David Rude" <dr...@nowhere.com> wrote in message
news:#85XB7YICHA.2032@tkmsftngp08...

David Rude

Jul 2, 2002, 2:04:39 PM
Well, is there anything I can do locally to try and determine why IE's
authentication is failing? I am fairly technical (developer type, exmsft
actually) so just point me in the right direction.

It's really strange that FrontPage can connect and authenticate locally but
IE cannot, even if I force IE to ask for credentials.

thanks,
david

"David Wang [MS]" <som...@online.microsoft.com> wrote in message
news:O4xAN1ZICHA.2060@tkmsftngp11...

Chris

Jul 2, 2002, 8:41:49 PM
Hello,

I haven't reviewed the entire thread entirely, but from my perspective we
have several items coming into play here. First, you are attempting to use
Integrated security (NTLM) which if IE 6 is enabled I would recommend
ensuring the following article is not coming into play since FP Webs work:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q299838
Can't Negotiate Kerberos Authentication w. Internet Explorer 6

What happens if you use http://ipaddress/page.htm instead of machine name?
I don't think this should make a difference, but htm files are served
rather non-fancy. That is to say, they simply are requested from disk (or
cache if enabled) and returned to the browser. My guess is that you are
either:

1). Not getting to the server itself.. thus Inetinfo never gets the request
2). IE is breaking somehow using Kerb or NTLM

Chris
IIS Support Technical Lead

David Rude

Jul 2, 2002, 10:47:56 PM
For a brief second there I thought we had solved it. Somehow enable
Integrated Security was turned off in IE6. I don't remember doing this,
perhaps it never got set when I upgraded from Win2k? I don't know.

Anyway enabling it and rebooting had no effect. IE still shows "the page
cannot be displayed" with a little note about a DNS error at the bottom of
the page. IIS still shows three 401 errors in a row in its log and the
audit log shows no failures on anything. Neither does it work by specifying
the name as machinename, localhost, or the IP address. So it's definitely
getting to IIS but failing for some reason, despite the IE msg about a DNS
error.

Again if I enable anonymous or try these same credentials with IE6 on my
Win98 machine then everything works just fine. It just fails locally.

I seem to remember there was a KB article on disabling Kerberos on IIS,
should I try that maybe? Can you point me to it, I don't remember which one it
was.

This is sounding more and more like an IE bug.

thanks,
david

""Chris"" <chr...@microsoft.com> wrote in message
news:akXyPpiICHA.1648@cpmsftngxa07...

David Rude

Jul 7, 2002, 9:43:39 PM
I haven't seen any more replies to this and I'm still stuck. Anyone else
have any ideas?

thanks,
david

"David Rude" <dr...@nowhere.com> wrote in message

news:eaYuqvjICHA.1760@tkmsftngp11...
