IIS auth. problem with 2003 SP1

On a 2003 stand alone server I'm running Citrix webinterface on top of the
IIS.

This web interface implements it's own authentication for regular users, and
as such IIS sees user sessions as anonymous. But a subdirectory of the IIS
allows for administration of the web interface, and because of that I've set
it to require integrated authentication. To access these administration
pages I usually specify the local administrator (pretty much the only
existing user on that box).

Recently I installed SP1 + all existing security patches, and I thought that
everything was working all right. Now some weeks later I've found out that
I'm not able to login to the IIS anymore to access these administration web
pages. It simply keeps asking for a user ID and password and after 3 tries
it states that I'm not authorized to view the page, as if I had entered
incorrect credentials.
However I can login to the console. Furthermore I've checked policies (logon
locally, access via network) and I've checked ACLs on the files and folders
I'm trying to access. Everything seems to be ok, but I still can't login.

For each logon attempt the following message is written to the audit log:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 20-04-2006
Time: 13:08:35
User: NT AUTHORITY\SYSTEM
Computer: DKTSCSG01
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: administrator
Domain: DKTSCSG01
Logon Type: 3
Logon Process: ÐùX
`?

Authentication Package: NTLM
Workstation Name: DKTSCSG01
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 193.x.x.x
Source Port: 11611

I'm not sure, but I'm suspecting the installation of SP1 has changed some
security setting preventing this IIS login.
Has anyone seen such a problem before or have an idea of what I could try or
check ?

I tried to enable basic authentication too, but it makes no difference.


Thanks in advance,
Jan Nielsen

Re: IIS auth. problem with 2003 SP1

Hi

Error 0xC000006D
# for hex 0xc000006d / decimal -1073741715 :
STATUS_LOGON_FAILURE ntstatus.h
# The attempted logon is invalid. This is either due to a bad
# username or authentication information.

Don't know if that helps at all.

Do you get the same errors in the event log when you use Basic AuthN?

Cheers
Ken


"Jan Nielsen" wrote in message
news:OzDS2wGZGHA.4920@TK2MSFTNGP02.phx.gbl...
> On a 2003 stand alone server I'm running Citrix webinterface on top of the
> IIS.
>
> This web interface implements it's own authentication for regular users,
> and as such IIS sees user sessions as anonymous. But a subdirectory of the
> IIS allows for administration of the web interface, and because of that
> I've set it to require integrated authentication. To access these
> administration pages I usually specify the local administrator (pretty
> much the only existing user on that box).
>
> Recently I installed SP1 + all existing security patches, and I thought
> that everything was working all right. Now some weeks later I've found out
> that I'm not able to login to the IIS anymore to access these
> administration web pages. It simply keeps asking for a user ID and
> password and after 3 tries it states that I'm not authorized to view the
> page, as if I had entered incorrect credentials.
> However I can login to the console. Furthermore I've checked policies
> (logon locally, access via network) and I've checked ACLs on the files and
> folders I'm trying to access. Everything seems to be ok, but I still can't
> login.
>
> For each logon attempt the following message is written to the audit log:
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 537
> Date: 20-04-2006
> Time: 13:08:35
> User: NT AUTHORITY\SYSTEM
> Computer: DKTSCSG01
> Description:
> Logon Failure:
> Reason: An error occurred during logon
> User Name: administrator
> Domain: DKTSCSG01
> Logon Type: 3
> Logon Process: ÐùX
`?
>
> Authentication Package: NTLM
> Workstation Name: DKTSCSG01
> Status code: 0xC000006D
> Substatus code: 0x0
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 193.x.x.x
> Source Port: 11611
>
> I'm not sure, but I'm suspecting the installation of SP1 has changed some
> security setting preventing this IIS login.
> Has anyone seen such a problem before or have an idea of what I could try
> or check ?
>
> I tried to enable basic authentication too, but it makes no difference.
>
>
> Thanks in advance,
> Jan Nielsen
>
>

Re: IIS auth. problem with 2003 SP1

Hi Ken,

First of all thanks for replying.

Earlier I tried with basic and integrated authentication enabled at the same
time, and yes it produced the same event.
Now I just tried with basic autoantication only, and that succeded.

Still I think this points towards some policy that might have been set more
secure, as usual problems like wrong password, logon locally policy and ACLs
should be ok.
If no obvious explanation can be found, using basic auth is ok, as I only
access these administration pages from the console or terminal session
(limited by IP filter).


kind regards,
Jan Nielsen

Re: IIS auth. problem with 2003 SP1

Hi,

If Basic and IWA are both enabled, the browser will choose IWA (i.e. NTLM or
Kerberos), which is probably why you are seeing the same symptoms when both
are enabled.

Since Basic is working fine, check the following KB article to see if it
applies to you:
http://support.microsoft.com/default.aspx?scid=kb;en-us;8968 61

Cheers
Ken


"Jan Nielsen" wrote in message
news:%23HH8KTHZGHA.4424@TK2MSFTNGP05.phx.gbl...
> Hi Ken,
>
> First of all thanks for replying.
>
> Earlier I tried with basic and integrated authentication enabled at the
> same time, and yes it produced the same event.
> Now I just tried with basic autoantication only, and that succeded.
>
> Still I think this points towards some policy that might have been set
> more secure, as usual problems like wrong password, logon locally policy
> and ACLs should be ok.
> If no obvious explanation can be found, using basic auth is ok, as I only
> access these administration pages from the console or terminal session
> (limited by IP filter).
>
>
> kind regards,
> Jan Nielsen
>
>