Help with password prompt

Our website runs on a Windows 2003 server using IIS. Anonymous access is
enabled on the default website with a domain user account that has
administrative rights to the server. Integrated Windows Authentication is
also checked.

Users on our LAN connect to the website on the server with no problem
(meaning, they are not prompted for a username & password).

However, if you try to access the same website from a Terminal Server, you
get prompted to enter a username and password.

Can anyone suggest ways that authentication is either not required at all,
or at least invisible to the user? This web server is only used internally,
so we don't need super high security.

Thanks,

Jason

Re: Help with password prompt

Hi Jason,

If you want anonymous connection to work, make sure that user account that
is assigned for anonymous access has read permissions on the web content to
the site. It looks like right now the anonymous account does not have NTFS
permissions...

IIS will always honor the NTFS permissions...

Also -- you should not grant administrator permissions to anonymous account.
It can be very dangerous for security of your server...

--
Mike
Microsoft MVP - Windows Security

"Jason" wrote in message
news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com...
> Our website runs on a Windows 2003 server using IIS. Anonymous access is
> enabled on the default website with a domain user account that has
> administrative rights to the server. Integrated Windows Authentication is
> also checked.
>
> Users on our LAN connect to the website on the server with no problem
> (meaning, they are not prompted for a username & password).
>
> However, if you try to access the same website from a Terminal Server, you
> get prompted to enter a username and password.
>
> Can anyone suggest ways that authentication is either not required at all,
> or at least invisible to the user? This web server is only used
> internally,
> so we don't need super high security.
>
> Thanks,
>
> Jason

Re: Help with password prompt

Thanks Mike, but since the anonymous account has administrator permissions
not only to the website, but the server itself, I would not think that the
problem is a permissions issue? At least as far as the Anonymous Account is
concerned?

"Miha Pihler [MVP]" wrote:

> Hi Jason,
>
> If you want anonymous connection to work, make sure that user account that
> is assigned for anonymous access has read permissions on the web content to
> the site. It looks like right now the anonymous account does not have NTFS
> permissions...
>
> IIS will always honor the NTFS permissions...
>
> Also -- you should not grant administrator permissions to anonymous account.
> It can be very dangerous for security of your server...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Jason" wrote in message
> news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com...
> > Our website runs on a Windows 2003 server using IIS. Anonymous access is
> > enabled on the default website with a domain user account that has
> > administrative rights to the server. Integrated Windows Authentication is
> > also checked.
> >
> > Users on our LAN connect to the website on the server with no problem
> > (meaning, they are not prompted for a username & password).
> >
> > However, if you try to access the same website from a Terminal Server, you
> > get prompted to enter a username and password.
> >
> > Can anyone suggest ways that authentication is either not required at all,
> > or at least invisible to the user? This web server is only used
> > internally,
> > so we don't need super high security.
> >
> > Thanks,
> >
> > Jason
>
>
>

Re: Help with password prompt

Hi,

I don't know how permissions are set on the folder where your web content is
stored. My advice is to first check that this user has permissions (at least
read) on the folder where the web content is.

You can lock out even administrator from the folder - the only difference is
that administrator (or member of administrators group) can take ownership
and with it permissions to the folder.

--
Mike
Microsoft MVP - Windows Security

"Jason" wrote in message
news:452C9436-A0CE-4C9A-B098-311B31DE3E5C@microsoft.com...
> Thanks Mike, but since the anonymous account has administrator permissions
> not only to the website, but the server itself, I would not think that the
> problem is a permissions issue? At least as far as the Anonymous Account
> is
> concerned?
>
> "Miha Pihler [MVP]" wrote:
>
>> Hi Jason,
>>
>> If you want anonymous connection to work, make sure that user account
>> that
>> is assigned for anonymous access has read permissions on the web content
>> to
>> the site. It looks like right now the anonymous account does not have
>> NTFS
>> permissions...
>>
>> IIS will always honor the NTFS permissions...
>>
>> Also -- you should not grant administrator permissions to anonymous
>> account.
>> It can be very dangerous for security of your server...
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Jason" wrote in message
>> news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com...
>> > Our website runs on a Windows 2003 server using IIS. Anonymous access
>> > is
>> > enabled on the default website with a domain user account that has
>> > administrative rights to the server. Integrated Windows Authentication
>> > is
>> > also checked.
>> >
>> > Users on our LAN connect to the website on the server with no problem
>> > (meaning, they are not prompted for a username & password).
>> >
>> > However, if you try to access the same website from a Terminal Server,
>> > you
>> > get prompted to enter a username and password.
>> >
>> > Can anyone suggest ways that authentication is either not required at
>> > all,
>> > or at least invisible to the user? This web server is only used
>> > internally,
>> > so we don't need super high security.
>> >
>> > Thanks,
>> >
>> > Jason
>>
>>
>>

Re: Help with password prompt

The user has full control permissions on the web content folders, plus admin
rights on the machine.

"Miha Pihler [MVP]" wrote:

> Hi,
>
> I don't know how permissions are set on the folder where your web content is
> stored. My advice is to first check that this user has permissions (at least
> read) on the folder where the web content is.
>
> You can lock out even administrator from the folder - the only difference is
> that administrator (or member of administrators group) can take ownership
> and with it permissions to the folder.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Jason" wrote in message
> news:452C9436-A0CE-4C9A-B098-311B31DE3E5C@microsoft.com...
> > Thanks Mike, but since the anonymous account has administrator permissions
> > not only to the website, but the server itself, I would not think that the
> > problem is a permissions issue? At least as far as the Anonymous Account
> > is
> > concerned?
> >
> > "Miha Pihler [MVP]" wrote:
> >
> >> Hi Jason,
> >>
> >> If you want anonymous connection to work, make sure that user account
> >> that
> >> is assigned for anonymous access has read permissions on the web content
> >> to
> >> the site. It looks like right now the anonymous account does not have
> >> NTFS
> >> permissions...
> >>
> >> IIS will always honor the NTFS permissions...
> >>
> >> Also -- you should not grant administrator permissions to anonymous
> >> account.
> >> It can be very dangerous for security of your server...
> >>
> >> --
> >> Mike
> >> Microsoft MVP - Windows Security
> >>
> >> "Jason" wrote in message
> >> news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com...
> >> > Our website runs on a Windows 2003 server using IIS. Anonymous access
> >> > is
> >> > enabled on the default website with a domain user account that has
> >> > administrative rights to the server. Integrated Windows Authentication
> >> > is
> >> > also checked.
> >> >
> >> > Users on our LAN connect to the website on the server with no problem
> >> > (meaning, they are not prompted for a username & password).
> >> >
> >> > However, if you try to access the same website from a Terminal Server,
> >> > you
> >> > get prompted to enter a username and password.
> >> >
> >> > Can anyone suggest ways that authentication is either not required at
> >> > all,
> >> > or at least invisible to the user? This web server is only used
> >> > internally,
> >> > so we don't need super high security.
> >> >
> >> > Thanks,
> >> >
> >> > Jason
> >>
> >>
> >>
>
>
>

Re: Help with password prompt

Hi Jason,

If the server has been applied with SP1, the familiar cause is the new
loopback check security feature. Please take a look at the following
article:

896861 You receive error 401.1 when you browse a Web site that uses
Integrated
http://support.microsoft.com/?id=896861

Another possible cause is there are 3 group policy permissions may be
missed by the IIS anonymous - IUSR account. You should check them in the
server's local security policy and your domain security policy on DC:

- Access this computer from the network

- Log on locally

- Log on as a batch job

Refer to:

275167 PRB: Anonymous access fails with an HTTP 401.1 error after you join
an
http://support.microsoft.com/?id=275167

Please let me know how the thing is going. Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Help with password prompt

Hi Jason,

I haven't heard back from you yet. I am just writing to see how everything
is going. I would appreciate if you could get back to me at your earliest
convenience.

If you have any questions or concerns related to this issue, please drop me
a note.

I appreciate your time and I look forward to hearing from you.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================

Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:

BCPS:
https://partner.microsoft.com/US/technicalsupport/supportove rview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportove rview/

If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx

======================================================

This posting is provided "AS IS" with no warranties, and confers no rights.