Anonymous Account not working

Hi,
I recently built a new webserver to replace an existing server. I
copied the data to the new server and rebuilt all of the IIS directories by
hand. I replaced the broken SID of the old IUSR account on all of the
folders with the new IUSR account from the new server. Now when I try to
access any of the virtual directories anonymously, I am denied access (If I
access them with basic or integrated, I have access.) Even if I create a new
VD, I get access denied.

I've created a new folder and applied the IUSR account using the
security tab so that I know it has the right account and there isn't anything
carrying over from the old server (I also granted it Full Control just to be
certain it's not a permission problem.) I then created a new VD pointing to
the new folder. I get access denied. If I change the anonymous username and
password in IIS to another account with rights, it works.

I then used Adsutil.vbs to get the username and password that the IUSR
acct is using and I manually entered the account info into the directory
security for the anonymous account. I got access denied.

I'm thinking that the password that IIS is using is somehow different
from the password that the local account is using. I'm thinking about doing
a password change on the local account to the password that Adsutil.vbs gave
me, but I don't want to break anything worse than it already is. Also once I
make the change, I want to be able to create new VD's without having to enter
the anonymous password manually everytime.

Am I going about this the right way or is there something that I'm
missing, doing wrong, or need to do in the metabase when I'm done? Any help
is greatly appreciated.

Thanks,
Ishmeal

Re: Anonymous Account not working

As it is apparently not a content NTFS perrmissions issue it is
perhaps a user rights issue. Have you checked for event msgs
in the Security event log ? Is the Iusr you are using the one
defined during install or a custom one you have created?

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Ishmealm" wrote in message
news:2AB2309E-B23F-444A-A957-FE5539EBC4EC@microsoft.com...
> Hi,
> I recently built a new webserver to replace an existing server. I
> copied the data to the new server and rebuilt all of the IIS directories
> by
> hand. I replaced the broken SID of the old IUSR account on all of the
> folders with the new IUSR account from the new server. Now when I try to
> access any of the virtual directories anonymously, I am denied access (If
> I
> access them with basic or integrated, I have access.) Even if I create a
> new
> VD, I get access denied.
>
> I've created a new folder and applied the IUSR account using the
> security tab so that I know it has the right account and there isn't
> anything
> carrying over from the old server (I also granted it Full Control just to
> be
> certain it's not a permission problem.) I then created a new VD pointing
> to
> the new folder. I get access denied. If I change the anonymous username
> and
> password in IIS to another account with rights, it works.
>
> I then used Adsutil.vbs to get the username and password that the IUSR
> acct is using and I manually entered the account info into the directory
> security for the anonymous account. I got access denied.
>
> I'm thinking that the password that IIS is using is somehow different
> from the password that the local account is using. I'm thinking about
> doing
> a password change on the local account to the password that Adsutil.vbs
> gave
> me, but I don't want to break anything worse than it already is. Also
> once I
> make the change, I want to be able to create new VD's without having to
> enter
> the anonymous password manually everytime.
>
> Am I going about this the right way or is there something that I'm
> missing, doing wrong, or need to do in the metabase when I'm done? Any
> help
> is greatly appreciated.
>
> Thanks,
> Ishmeal
>
>

Re: Anonymous Account not working

I don't see any security log entries. I just tried to access an anonymous
link without success, but no entry was entered into the sec log (or the other
logs.)

I think the problem may be with the local account (IUSR_WEB02). When I
built the server there was another server that was named WEB02, I downed that
server, renamed this server (so that the iusr and iwam accounts would be
named correctly), installed IIS. Renamed this server and brought the old
server back on line. This is the 5th server that I've upgrade, but the only
one that I did the renaming with (the others, I backed up, rebuilt, and
restored.) This is the only one that has had any problems.

When I look in IIS, the anoymous acct is IUSR_WEB02 (the same as the local
acct.) I'm thinking about changing the password on the local acct to what I
found out was the IUSR password with this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;1845 66

I figure that if the local account matches what IIS is using and the account
is given rights to the folder, that it should work. My concern is that I
need to make a change to the metabase or somewhere else that I don't know
about and I'll break anonymous access to the point I need to rebuild. I'm
hoping that if I just change the local IUSR_WEB02 password to what I found
using:

cscript adsutil.vbs get w3svc/anonymoususerpass

That everything will sync up.
"Roger Abell [MVP]" wrote:

> As it is apparently not a content NTFS perrmissions issue it is
> perhaps a user rights issue. Have you checked for event msgs
> in the Security event log ? Is the Iusr you are using the one
> defined during install or a custom one you have created?
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
> "Ishmealm" wrote in message
> news:2AB2309E-B23F-444A-A957-FE5539EBC4EC@microsoft.com...
> > Hi,
> > I recently built a new webserver to replace an existing server. I
> > copied the data to the new server and rebuilt all of the IIS directories
> > by
> > hand. I replaced the broken SID of the old IUSR account on all of the
> > folders with the new IUSR account from the new server. Now when I try to
> > access any of the virtual directories anonymously, I am denied access (If
> > I
> > access them with basic or integrated, I have access.) Even if I create a
> > new
> > VD, I get access denied.
> >
> > I've created a new folder and applied the IUSR account using the
> > security tab so that I know it has the right account and there isn't
> > anything
> > carrying over from the old server (I also granted it Full Control just to
> > be
> > certain it's not a permission problem.) I then created a new VD pointing
> > to
> > the new folder. I get access denied. If I change the anonymous username
> > and
> > password in IIS to another account with rights, it works.
> >
> > I then used Adsutil.vbs to get the username and password that the IUSR
> > acct is using and I manually entered the account info into the directory
> > security for the anonymous account. I got access denied.
> >
> > I'm thinking that the password that IIS is using is somehow different
> > from the password that the local account is using. I'm thinking about
> > doing
> > a password change on the local account to the password that Adsutil.vbs
> > gave
> > me, but I don't want to break anything worse than it already is. Also
> > once I
> > make the change, I want to be able to create new VD's without having to
> > enter
> > the anonymous password manually everytime.
> >
> > Am I going about this the right way or is there something that I'm
> > missing, doing wrong, or need to do in the metabase when I'm done? Any
> > help
> > is greatly appreciated.
> >
> > Thanks,
> > Ishmeal
> >
> >
>
>
>

Re: Anonymous Account not working

If it were the password in IIS that was wrong for Iusr_ then that
would show up in sec event log as login failure, assuming you have
events being logged. Changing in the IISmgmt interface will change
in metabase.
I am lost in the renames and apparent reinstalls, but it seems that
the Iusr_ you are using may have been defined before the final
IIS install on that box. What groups is it a member in?

"Ishmealm" wrote in message
news:30BA16C5-C225-4A60-A47D-1FB798360DF1@microsoft.com...
>I don't see any security log entries. I just tried to access an anonymous
> link without success, but no entry was entered into the sec log (or the
> other
> logs.)
>
> I think the problem may be with the local account (IUSR_WEB02). When I
> built the server there was another server that was named WEB02, I downed
> that
> server, renamed this server (so that the iusr and iwam accounts would be
> named correctly), installed IIS. Renamed this server and brought the old
> server back on line. This is the 5th server that I've upgrade, but the
> only
> one that I did the renaming with (the others, I backed up, rebuilt, and
> restored.) This is the only one that has had any problems.
>
> When I look in IIS, the anoymous acct is IUSR_WEB02 (the same as the local
> acct.) I'm thinking about changing the password on the local acct to what
> I
> found out was the IUSR password with this article:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;1845 66
>
> I figure that if the local account matches what IIS is using and the
> account
> is given rights to the folder, that it should work. My concern is that I
> need to make a change to the metabase or somewhere else that I don't know
> about and I'll break anonymous access to the point I need to rebuild. I'm
> hoping that if I just change the local IUSR_WEB02 password to what I found
> using:
>
> cscript adsutil.vbs get w3svc/anonymoususerpass
>
> That everything will sync up.
> "Roger Abell [MVP]" wrote:
>
>> As it is apparently not a content NTFS perrmissions issue it is
>> perhaps a user rights issue. Have you checked for event msgs
>> in the Security event log ? Is the Iusr you are using the one
>> defined during install or a custom one you have created?
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>>
>> "Ishmealm" wrote in message
>> news:2AB2309E-B23F-444A-A957-FE5539EBC4EC@microsoft.com...
>> > Hi,
>> > I recently built a new webserver to replace an existing server. I
>> > copied the data to the new server and rebuilt all of the IIS
>> > directories
>> > by
>> > hand. I replaced the broken SID of the old IUSR account on all of the
>> > folders with the new IUSR account from the new server. Now when I try
>> > to
>> > access any of the virtual directories anonymously, I am denied access
>> > (If
>> > I
>> > access them with basic or integrated, I have access.) Even if I create
>> > a
>> > new
>> > VD, I get access denied.
>> >
>> > I've created a new folder and applied the IUSR account using the
>> > security tab so that I know it has the right account and there isn't
>> > anything
>> > carrying over from the old server (I also granted it Full Control just
>> > to
>> > be
>> > certain it's not a permission problem.) I then created a new VD
>> > pointing
>> > to
>> > the new folder. I get access denied. If I change the anonymous
>> > username
>> > and
>> > password in IIS to another account with rights, it works.
>> >
>> > I then used Adsutil.vbs to get the username and password that the
>> > IUSR
>> > acct is using and I manually entered the account info into the
>> > directory
>> > security for the anonymous account. I got access denied.
>> >
>> > I'm thinking that the password that IIS is using is somehow
>> > different
>> > from the password that the local account is using. I'm thinking about
>> > doing
>> > a password change on the local account to the password that Adsutil.vbs
>> > gave
>> > me, but I don't want to break anything worse than it already is. Also
>> > once I
>> > make the change, I want to be able to create new VD's without having to
>> > enter
>> > the anonymous password manually everytime.
>> >
>> > Am I going about this the right way or is there something that I'm
>> > missing, doing wrong, or need to do in the metabase when I'm done? Any
>> > help
>> > is greatly appreciated.
>> >
>> > Thanks,
>> > Ishmeal
>> >
>> >
>>
>>
>>

Re: Anonymous Account not working

I think that you are right, I added it to the admin group and now it works.
I looked and it's a member of:

Administrators (because I just added it)
Guests

And has these User Rights Assignments:
Access this computer from the network
Allow Logon Locally
Bypass Traverse Checking
Log on as a Batch Job



"Roger Abell [MVP]" wrote:

> If it were the password in IIS that was wrong for Iusr_ then that
> would show up in sec event log as login failure, assuming you have
> events being logged. Changing in the IISmgmt interface will change
> in metabase.
> I am lost in the renames and apparent reinstalls, but it seems that
> the Iusr_ you are using may have been defined before the final
> IIS install on that box. What groups is it a member in?
>
> "Ishmealm" wrote in message
> news:30BA16C5-C225-4A60-A47D-1FB798360DF1@microsoft.com...
> >I don't see any security log entries. I just tried to access an anonymous
> > link without success, but no entry was entered into the sec log (or the
> > other
> > logs.)
> >
> > I think the problem may be with the local account (IUSR_WEB02). When I
> > built the server there was another server that was named WEB02, I downed
> > that
> > server, renamed this server (so that the iusr and iwam accounts would be
> > named correctly), installed IIS. Renamed this server and brought the old
> > server back on line. This is the 5th server that I've upgrade, but the
> > only
> > one that I did the renaming with (the others, I backed up, rebuilt, and
> > restored.) This is the only one that has had any problems.
> >
> > When I look in IIS, the anoymous acct is IUSR_WEB02 (the same as the local
> > acct.) I'm thinking about changing the password on the local acct to what
> > I
> > found out was the IUSR password with this article:
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;1845 66
> >
> > I figure that if the local account matches what IIS is using and the
> > account
> > is given rights to the folder, that it should work. My concern is that I
> > need to make a change to the metabase or somewhere else that I don't know
> > about and I'll break anonymous access to the point I need to rebuild. I'm
> > hoping that if I just change the local IUSR_WEB02 password to what I found
> > using:
> >
> > cscript adsutil.vbs get w3svc/anonymoususerpass
> >
> > That everything will sync up.
> > "Roger Abell [MVP]" wrote:
> >
> >> As it is apparently not a content NTFS perrmissions issue it is
> >> perhaps a user rights issue. Have you checked for event msgs
> >> in the Security event log ? Is the Iusr you are using the one
> >> defined during install or a custom one you have created?
> >>
> >> --
> >> Roger Abell
> >> Microsoft MVP (Windows Server : Security)
> >>
> >> "Ishmealm" wrote in message
> >> news:2AB2309E-B23F-444A-A957-FE5539EBC4EC@microsoft.com...
> >> > Hi,
> >> > I recently built a new webserver to replace an existing server. I
> >> > copied the data to the new server and rebuilt all of the IIS
> >> > directories
> >> > by
> >> > hand. I replaced the broken SID of the old IUSR account on all of the
> >> > folders with the new IUSR account from the new server. Now when I try
> >> > to
> >> > access any of the virtual directories anonymously, I am denied access
> >> > (If
> >> > I
> >> > access them with basic or integrated, I have access.) Even if I create
> >> > a
> >> > new
> >> > VD, I get access denied.
> >> >
> >> > I've created a new folder and applied the IUSR account using the
> >> > security tab so that I know it has the right account and there isn't
> >> > anything
> >> > carrying over from the old server (I also granted it Full Control just
> >> > to
> >> > be
> >> > certain it's not a permission problem.) I then created a new VD
> >> > pointing
> >> > to
> >> > the new folder. I get access denied. If I change the anonymous
> >> > username
> >> > and
> >> > password in IIS to another account with rights, it works.
> >> >
> >> > I then used Adsutil.vbs to get the username and password that the
> >> > IUSR
> >> > acct is using and I manually entered the account info into the
> >> > directory
> >> > security for the anonymous account. I got access denied.
> >> >
> >> > I'm thinking that the password that IIS is using is somehow
> >> > different
> >> > from the password that the local account is using. I'm thinking about
> >> > doing
> >> > a password change on the local account to the password that Adsutil.vbs
> >> > gave
> >> > me, but I don't want to break anything worse than it already is. Also
> >> > once I
> >> > make the change, I want to be able to create new VD's without having to
> >> > enter
> >> > the anonymous password manually everytime.
> >> >
> >> > Am I going about this the right way or is there something that I'm
> >> > missing, doing wrong, or need to do in the metabase when I'm done? Any
> >> > help
> >> > is greatly appreciated.
> >> >
> >> > Thanks,
> >> > Ishmeal
> >> >
> >> >
> >>
> >>
> >>
>
>
>