IIS Subauthentication Required

on 16.05.2007 23:43:00 by DavidV

I have 4 Web servers that should all be set up the same; once they are all
working we plan to load-balance them. Due to limitations in our in-house
application, the Web services are running in IIS 5.0 isolation mode. The Web
site on all four servers is configured to use the local IUSR account for
Anonymous access. As far as I can tell, the configuration on all 4 is
identical, and the home page works on all four.
However, within one of the subfolders, configured as an application, there
is a login.html that only works on 3 of the servers, not on the 4th. This
login page accesses a COM+ application on another server (the app was
exported to a proxy .msi file, which was then installed on the Web server),
the anonymous access account for this folder is set to a domain account. As I
said, it works on 3 of the 4 Web servers.

On the problem server, I receive an HTTP Error 401.1 (Unauthorized: Access
is denied due to invalid credentials). The Security Log shows that the
failure was due to an unknown username or a bad password. Also, the results
of running the IIS Diags on this server displays the following errors:
- AnonymousPasswordSync: IIS subauthentication requires that the
AnonymousUserName metabase property be configured with an account from the
local computer.
- AnonymousUserPass: logon failed
- AnonymousPasswordSync: The current configuration requires IIS
subauthentication. However, the IIS subauthentication component, iissuba.dll,
is not currently configured.
- AnonymousPasswordSync: The current configuration uses IIS
subauthentication for anonymous authentication. This requires that the worker
process be configured to run as the Local System identity, which is not
recommended for security reasons.
- Server's response: HTTP/1.1 401 Unauthorized

As far as I can tell, subauthentication is not set on the other servers.
Why is sub-authentication required on this server and not on the other 3?
How can I fix this?

Any help is greatly appreciated.

Re: IIS Subauthentication Required

on 17.05.2007 12:00:13 by Ken Schaefer

In order for IIS to use the IUSR_ account, it needs to be able
to "logon" that user account, and to do that it needs the current password
for that IUSR account.

Now, in a normal IIS installation, IIS install creates the IUSR account (in
the Windows SAM), sets the password, and then stores a copy of the password
(encrypted) in the IIS metabase.

However, if the Windows password for the IUSR account changes, then IIS
won't know what the new password is and won't be able to logon the IUSR
account.

Solutions to this problem:
a) if the IUSR password has changed (and you know what the new password is),
then reset the IUSR password in IIS Manager, so that IIS knows what the
password is again.

b) enable SubAuthentication (which allows IIS to transparently get the
password). However SubAuthentication is a security risk you need to
consider, as it means running IIS using an account with elevated
credentials.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken


Re: IIS Subauthentication Required

on 18.05.2007 19:48:01 by DavidV

I have tried both proposed solutions and neither solved the problem. Note
that the Web site's home page works, and it is set up for anonymous
authentication using the local IUSR account. It is the subfolder application
that does not work. This folder is set up to use a domain account for
anonymous authentication. I have confirmed the password for this domain
account, by resetting it, but I am still getting the "You are not authorized
to view this page" message and an Event ID 529 failure in the Security log.


Re: IIS Subauthentication Required

on 19.05.2007 08:50:51 by Ken Schaefer

Hi,

>Event ID 529 failure in the Security log

Verify that the user account you created has the necessary logon permissions
(from memory this is "network logon"), and also verify that the user has the
necessary NTFS permissions to the files/folders in question (Read/Execute)

Cheers
Ken


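Added example, not part of the original thread: a Python check for the condition the IIS Diagnostics messages in the first post describe, password sync (subauthentication) in effect for an anonymous account that is not local to the computer, resolved through metabase inheritance so that a subfolder override is seen. The XML fragment is constructed and simplified, and the server name WEB4, the domain CORP and the account names are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment in the style of an IIS 6 MetaBase.xml export.
# WEB4, CORP and the account names are placeholders, not values from the thread.
SAMPLE = r'''<configuration>
  <IIsWebService Location="/LM/W3SVC" AnonymousPasswordSync="TRUE"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AnonymousUserName="IUSR_WEB4"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/app" AnonymousUserName="CORP\svc_web"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/fixed" AnonymousUserName="CORP\svc_web" AnonymousPasswordSync="FALSE"/>
</configuration>'''
PROPS = ("AnonymousUserName", "AnonymousPasswordSync")

def load_nodes(xml_text):
    """Map each metabase Location to the properties set explicitly on it."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc:
            nodes[loc.strip().upper()] = {p: el.get(p) for p in PROPS if el.get(p) is not None}
    return nodes

def effective(nodes, loc, prop):
    """Inherited lookup: the nearest node on the path that sets the property wins."""
    parts = loc.split("/")
    while len(parts) > 1:
        value = nodes.get("/".join(parts), {}).get(prop)
        if value is not None:
            return value
        parts.pop()
    return None

def is_local(account, computer):
    """No prefix, a '.' prefix or the computer name as prefix means a local account."""
    if "@" in account:  # UPN form (user@domain) is a domain account
        return False
    domain, sep, _ = account.rpartition("\\")
    return not sep or domain in (".", "") or domain.upper() == computer.upper()

def subauth_conflicts(xml_text, computer):
    """Locations where password sync is in effect for a non-local anonymous account."""
    nodes = load_nodes(xml_text)
    hits = []
    for loc in sorted(nodes):
        sync = (effective(nodes, loc, "AnonymousPasswordSync") or "").upper() == "TRUE"
        user = effective(nodes, loc, "AnonymousUserName")
        if sync and user and not is_local(user, computer):
            hits.append((loc, user))
    return hits
```

Running the same check against an export from each server makes a per-folder difference visible even when the site-level settings match.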