Domain Guests
on 02.08.2006 00:46:02 by rdw
I have one account on our domain that I need to allow web site access for. I
only want this account to be in the Domain guests group and I want to use
Integrated Security only for the web site. To this point I haven't been able
to get this to work. Is this possible?
Thanks.
Re: Domain Guests
on 02.08.2006 07:33:52 by Ken Schaefer
"rdw" wrote in message
news:8DC6824B-1241-41BE-96DD-18E33B88E9C8@microsoft.com...
> I have one account on our domain that I need to allow web site access for. I
> only want this account to be in the Domain guests group and I want to use
> Integrated Security only for the web site. To this point I haven't been able
> to get this to work. Is this possible?
What functional level is your domain? For Win2k3 (and possibly Win2k as
well), Domain Guests group has the same permissions as Domain Users (you can
see that in the group's description).
The actual authentication technology used (IWA) has no bearing on whether
the user can load the page or not (that's authorization). IWA is just the
process of conveying the user's credentials to the server. The Authorization
process determines whether the user can perform the action (e.g. load the
page).
What is the error you are getting? What version of IIS are you using? What
client OS/browser? etc.
Cheers
Ken
Re: Domain Guests
on 02.08.2006 13:15:01 by rdw
The error is an HTTP error 401.3. Unauthorized: Access is denied due to an
ACL set on the requested resource.
I've granted Domain Guests read permissions on the folder as well.
We are using Windows Server 2003 SR2 (IIS 6) and the browser is IE 6 SP2.
The client machine is Windows XP Pro, but I've been able to reproduce it on
2000 Pro as well.
Re: Domain Guests
on 02.08.2006 14:37:39 by Ken Schaefer
Hi,
This should be relatively straightforward.
a) Can you post the relevant IIS logfile entries for the failed requests
please?
b) What group memberships does the user account have? If you add it to
Domain Users (assuming that you removed it), does this start working all of
a sudden?
c) What are all the ACEs on the file in question?
Cheers
Ken
Re: Domain Guests
on 02.08.2006 15:00:03 by rdw
Thanks for the assistance on this issue.
a). These are the 3 entries that are generated into the log file each time
this user browses the page.
2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET / - 80 - 172.18.31.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254
2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET / - 80 - 172.18.31.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET /Default.asp |-|0|401_Error:_Access_is_Denied. 80 domainname\firstname.lastname 172.18.31.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 5 0
b). This user is a member of Domain Guests only. He is in no other groups.
If we add him to Domain Users he can load the page successfully.
c). The permissions on the folder are set up as follows:
Domain Admins: Full Control
Domain Guests: Read & Execute, List Folder Contents, Read
Everyone: Read & Execute, List Folder Contents, Read
Network Service: Read & Execute, List Folder Contents, Read
Thanks again.
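The three log entries posted above can be triaged mechanically, as an added example that is not part of the original thread: it splits each entry into W3C fields, names the 401 sub-status, and separates requests logged without a user name (failed before an identity was established, which is also what the challenge legs of Integrated Windows Authentication look like) from a denial logged with one. The field order is an assumption inferred from the posted lines, and the sample reuses them with the User-Agent shortened.

```python
# Added example: triage of IIS 6 W3C log lines shaped like those in the post.
# Assumption: field order inferred from the posted entries (no #Fields header shown).
FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
          "sc-win32-status").split()

# IIS sub-status codes for HTTP 401.
SUBSTATUS_401 = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}
WIN32 = {0x8009030E: "SEC_E_NO_CREDENTIALS"}  # 2148074254 in the first entry

# Constructed sample: the post's three entries, wraps rejoined, UA shortened.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)"
PREFIX = "2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET"
SAMPLE = "\n".join([
    rf"{PREFIX} / - 80 - 172.18.31.5 {UA} 401 2 2148074254",
    rf"{PREFIX} / - 80 - 172.18.31.5 {UA} 401 1 0",
    rf"{PREFIX} /Default.asp |-|0|401_Error:_Access_is_Denied. 80 "
    rf"domainname\firstname.lastname 172.18.31.5 {UA} 401 5 0",
])

def parse(line):
    """Split one space-delimited W3C entry into a field dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def triage(text):
    """Return one summary dict per 401 entry, in log order."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C directive lines
        e = parse(line)
        if e["sc-status"] != "401":
            continue
        win32 = int(e["sc-win32-status"])
        rows.append({
            # "-" means no identity was established for this request.
            "verdict": "pre-auth" if e["cs-username"] == "-" else "denied-after-auth",
            "user": e["cs-username"],
            "status": f'401.{e["sc-substatus"]}',
            "meaning": SUBSTATUS_401.get(e["sc-substatus"], "unknown"),
            "win32": WIN32.get(win32, hex(win32)),
        })
    return rows
```

Only the third entry carries a user name, so it is the one to investigate as an authorization failure; the first two show no identity at all.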
Re: Domain Guests
on 02.08.2006 18:50:42 by Roger Abell
This is a user rights issue, not a permissions issue.
Likely Domain Users, or Interactive, or Authenticated Users, or some
combination of these are in Users on the IIS machine, but Domain Guests is
not a member of any of these until it has successfully been authenticated -
sort of a catch-22.
What I do is define a custom global group in the domain, ex. WebGuests in
your case, and use this to replace Domain Users as the web access account's
Primary Group so that it is in no groups that grant access to other domain
resources.
Then add this domain global WebGuests group to the IIS machine's Users group
(to be excessive) or use it to grant NTFS permissions and the User Right to
Log on over the network.
Re: Domain Guests
on 02.08.2006 18:52:38 by Roger Abell
I should have added that if the site is not purely HTML then you likely
would also need to add some grants to the custom group for components
used if you elect to use the minimal grants route instead of making the
group a machine local Users member.