HTTP 401.2: Unauthorized: can"t access page

Hi,

i have iis 5.1 on windows xp sp2.
I created several asp.net applications for our intranet, using the windows
integrated authentifiaction method, because those applications are only for
internal users.

Now recently, i made an application which is accessible by any anonymous
user. I chose the allow anonymous authentifiaction method. The anonymous
user has to logon or to create an account in sqlserver.

My problem is now: all the applications with windows integrated
authentifiaction method require suddenly a logon and password before
starting the application. With the anonymous applicatio, it is not required.
I did not change any permission on file level: ASPNET (running account of
asp.net) has still Read/Map read permissions, 'everybody' has R/Read map,
even IUSR_server has the same permissions ...

What's wrong in my configuration?
Thanks for help.
Ben

Re: HTTP 401.2: Unauthorized: can"t access page

If an application has both Anonymous and Integrated enabled, the web
browser will choose Anonymous first, even for the Intranet users who
have valid Windows user login. This forces everyone down the anonymous
login path and hence your Intranet users see login dialogs now. This is
basically how web browsers and web servers are designed to do.

You will want to search the web for common solutions on how to enable
"Mixed Mode Authentication" -- where you want Intranet users to
auto-login with Windows user login and Internet users to login with
other credentials.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Jan 25, 12:21 am, "ben" <.> wrote:
> Hi,
>
> i have iis 5.1 on windows xp sp2.
> I created several asp.net applications for our intranet, using the windows
> integrated authentifiaction method, because those applications are only for
> internal users.
>
> Now recently, i made an application which is accessible by any anonymous
> user. I chose the allow anonymous authentifiaction method. The anonymous
> user has to logon or to create an account in sqlserver.
>
> My problem is now: all the applications with windows integrated
> authentifiaction method require suddenly a logon and password before
> starting the application. With the anonymous applicatio, it is not required.
> I did not change any permission on file level: ASPNET (running account of
> asp.net) has still Read/Map read permissions, 'everybody' has R/Read map,
> even IUSR_server has the same permissions ...
>
> What's wrong in my configuration?
> Thanks for help.
> Ben

Re: HTTP 401.2: Unauthorized: can"t access page

Hi David,

thanks for replying

but i have no applicaion which has both Anonymous and Integrated enabled.
Some are Anonymous enabled and orhers are Integrated enabled, but never
both.

I changed all my applications into Integrated Windows and checked that those
directories have the right NTFS permissions. I also removed IUSR_myserver
account to be sure it's not used...

Result: every application now requires an user authentification (login /pw).

What's wrong with IIS setup?

"David Wang" schreef in bericht
news:1169754647.891369.23340@l53g2000cwa.googlegroups.com...
> If an application has both Anonymous and Integrated enabled, the web
> browser will choose Anonymous first, even for the Intranet users who
> have valid Windows user login. This forces everyone down the anonymous
> login path and hence your Intranet users see login dialogs now. This is
> basically how web browsers and web servers are designed to do.
>
> You will want to search the web for common solutions on how to enable
> "Mixed Mode Authentication" -- where you want Intranet users to
> auto-login with Windows user login and Internet users to login with
> other credentials.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> On Jan 25, 12:21 am, "ben" <.> wrote:
>> Hi,
>>
>> i have iis 5.1 on windows xp sp2.
>> I created several asp.net applications for our intranet, using the
>> windows
>> integrated authentifiaction method, because those applications are only
>> for
>> internal users.
>>
>> Now recently, i made an application which is accessible by any anonymous
>> user. I chose the allow anonymous authentifiaction method. The anonymous
>> user has to logon or to create an account in sqlserver.
>>
>> My problem is now: all the applications with windows integrated
>> authentifiaction method require suddenly a logon and password before
>> starting the application. With the anonymous applicatio, it is not
>> required.
>> I did not change any permission on file level: ASPNET (running account of
>> asp.net) has still Read/Map read permissions, 'everybody' has R/Read map,
>> even IUSR_server has the same permissions ...
>>
>> What's wrong in my configuration?
>> Thanks for help.
>> Ben
>

Re: HTTP 401.2: Unauthorized: can"t access page

First, stop making changes on your server to troubleshoot. You are
making your own misconfigurations worse.

Removing IUSR_myserver account just permanently botched up anonymous
access on your server. You will have to manually manage ACLs now.
Recreating the account is insufficient because it will have a different
SID than what is already on the resources in the filesystem. You should
have just disabled the account.

Lesson: Always troubleshoot by observing, not doing.

Please read this blog entry for understanding:
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Ba sics_of_IIS6_Troubleshooting.aspx


Since you have blurred system configuration recently, we have to start
everything all over. Let me reiterate what I think you are saying:
1. You had applications with Integrated Authentication. Works fine
2. You added applications using Anonymous authentication which requires
explicit user registration/login. Works fine
3. Now the applications with Integrated Authentication also require
login
4. You removed the IUSR_machinename
5. Now all applications, either using Integrated Authentication or
Anonymous Authentication, require login

Please do not make random server changes during investigation because
it invalidates the investigation and wastes everyone's time.


Now, when you enabled custom authentication in ASP.Net application, did
you restrict it to only the applications using anonymous or is it
incorrectly applied to the applications using Integrated.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Jan 25, 2:33 pm, "ben" <.> wrote:
> Hi David,
>
> thanks for replying
>
> but i have no applicaion which has both Anonymous and Integrated enabled.
> Some are Anonymous enabled and orhers are Integrated enabled, but never
> both.
>
> I changed all my applications into Integrated Windows and checked that those
> directories have the right NTFS permissions. I also removed IUSR_myserver
> account to be sure it's not used...
>
> Result: every application now requires an user authentification (login /pw).
>
> What's wrong with IIS setup?
>
> "David Wang" schreef in berichtnews:1169754647.891369.23340@l53g2000cwa.googlegroups .com...
>
>
>
> > If an application has both Anonymous and Integrated enabled, the web
> > browser will choose Anonymous first, even for the Intranet users who
> > have valid Windows user login. This forces everyone down the anonymous
> > login path and hence your Intranet users see login dialogs now. This is
> > basically how web browsers and web servers are designed to do.
>
> > You will want to search the web for common solutions on how to enable
> > "Mixed Mode Authentication" -- where you want Intranet users to
> > auto-login with Windows user login and Internet users to login with
> > other credentials.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> > On Jan 25, 12:21 am, "ben" <.> wrote:
> >> Hi,
>
> >> i have iis 5.1 on windows xp sp2.
> >> I created several asp.net applications for our intranet, using the
> >> windows
> >> integrated authentifiaction method, because those applications are only
> >> for
> >> internal users.
>
> >> Now recently, i made an application which is accessible by any anonymous
> >> user. I chose the allow anonymous authentifiaction method. The anonymous
> >> user has to logon or to create an account in sqlserver.
>
> >> My problem is now: all the applications with windows integrated
> >> authentifiaction method require suddenly a logon and password before
> >> starting the application. With the anonymous applicatio, it is not
> >> required.
> >> I did not change any permission on file level: ASPNET (running account of
> >> asp.net) has still Read/Map read permissions, 'everybody' has R/Read map,
> >> even IUSR_server has the same permissions ...
>
> >> What's wrong in my configuration?
> >> Thanks for help.
> >> Ben- Hide quoted text -- Show quoted text -

Re: HTTP 401.2: Unauthorized: can"t access page

Sorry, I didn't remove the IUSR_server account, i only removed it from the
ACL of Inetpub/wwwroot.

Meanwhile i put it back in the ACL list and now all applications with
anonymous authentification work again, but all with Integrated auth. still
require a login/pw. The login shown in the login window is my
(administrator) account and that account has full rights over the whole c:
disc.
When filling the pasword, it works.
When canceling, i get the error is: 401.2 Denied by Server Configuration
I use Internet Explorer 7.
I also disabled my Firewall (Zonelabs) but same result.


About your question
Now, when you enabled custom authentication in ASP.Net application, did
> you restrict it to only the applications using anonymous or is it
> incorrectly applied to the applications using Integrated

I don't understand what you mean. The standard website (level above all
applications in IIS) is set on Integrated, but i tried Anonymous and
nothing: same result.

I read your article HOWTO: Diagnose 401.x HTTP errors on IIS but couldn't
find a solution.


"David Wang" schreef in bericht
news:1169767561.763047.204660@v45g2000cwv.googlegroups.com.. .
> First, stop making changes on your server to troubleshoot. You are
> making your own misconfigurations worse.
>
> Removing IUSR_myserver account just permanently botched up anonymous
> access on your server. You will have to manually manage ACLs now.
> Recreating the account is insufficient because it will have a different
> SID than what is already on the resources in the filesystem. You should
> have just disabled the account.
>
> Lesson: Always troubleshoot by observing, not doing.
>
> Please read this blog entry for understanding:
> http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Ba sics_of_IIS6_Troubleshooting.aspx
>
>
> Since you have blurred system configuration recently, we have to start
> everything all over. Let me reiterate what I think you are saying:
> 1. You had applications with Integrated Authentication. Works fine
> 2. You added applications using Anonymous authentication which requires
> explicit user registration/login. Works fine
> 3. Now the applications with Integrated Authentication also require
> login
> 4. You removed the IUSR_machinename
> 5. Now all applications, either using Integrated Authentication or
> Anonymous Authentication, require login
>
> Please do not make random server changes during investigation because
> it invalidates the investigation and wastes everyone's time.
>
>
> Now, when you enabled custom authentication in ASP.Net application, did
> you restrict it to only the applications using anonymous or is it
> incorrectly applied to the applications using Integrated.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> On Jan 25, 2:33 pm, "ben" <.> wrote:
>> Hi David,
>>
>> thanks for replying
>>
>> but i have no applicaion which has both Anonymous and Integrated enabled.
>> Some are Anonymous enabled and orhers are Integrated enabled, but never
>> both.
>>
>> I changed all my applications into Integrated Windows and checked that
>> those
>> directories have the right NTFS permissions. I also removed IUSR_myserver
>> account to be sure it's not used...
>>
>> Result: every application now requires an user authentification (login
>> /pw).
>>
>> What's wrong with IIS setup?
>>
>> "David Wang" schreef in
>> berichtnews:1169754647.891369.23340@l53g2000cwa.googlegroups .com...
>>
>>
>>
>> > If an application has both Anonymous and Integrated enabled, the web
>> > browser will choose Anonymous first, even for the Intranet users who
>> > have valid Windows user login. This forces everyone down the anonymous
>> > login path and hence your Intranet users see login dialogs now. This is
>> > basically how web browsers and web servers are designed to do.
>>
>> > You will want to search the web for common solutions on how to enable
>> > "Mixed Mode Authentication" -- where you want Intranet users to
>> > auto-login with Windows user login and Internet users to login with
>> > other credentials.
>>
>> > //David
>> >http://w3-4u.blogspot.com
>> >http://blogs.msdn.com/David.Wang
>> > //
>>
>> > On Jan 25, 12:21 am, "ben" <.> wrote:
>> >> Hi,
>>
>> >> i have iis 5.1 on windows xp sp2.
>> >> I created several asp.net applications for our intranet, using the
>> >> windows
>> >> integrated authentifiaction method, because those applications are
>> >> only
>> >> for
>> >> internal users.
>>
>> >> Now recently, i made an application which is accessible by any
>> >> anonymous
>> >> user. I chose the allow anonymous authentifiaction method. The
>> >> anonymous
>> >> user has to logon or to create an account in sqlserver.
>>
>> >> My problem is now: all the applications with windows integrated
>> >> authentifiaction method require suddenly a logon and password before
>> >> starting the application. With the anonymous applicatio, it is not
>> >> required.
>> >> I did not change any permission on file level: ASPNET (running account
>> >> of
>> >> asp.net) has still Read/Map read permissions, 'everybody' has R/Read
>> >> map,
>> >> even IUSR_server has the same permissions ...
>>
>> >> What's wrong in my configuration?
>> >> Thanks for help.
>> >> Ben- Hide quoted text -- Show quoted text -
>

Re: HTTP 401.2: Unauthorized: can"t access page

Hallo David?

"David Wang" wrote in message
news:1169767561.763047.204660@v45g2000cwv.googlegroups.com.. .
> First, stop making changes on your server to troubleshoot. You are
> making your own misconfigurations worse.
>
> Removing IUSR_myserver account just permanently botched up anonymous
> access on your server. You will have to manually manage ACLs now.
> Recreating the account is insufficient because it will have a different
> SID than what is already on the resources in the filesystem. You should
> have just disabled the account.
>
> Lesson: Always troubleshoot by observing, not doing.
>
> Please read this blog entry for understanding:
>
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Ba sics_of_IIS6_Troubleshooting.aspx
>
>
> Since you have blurred system configuration recently, we have to start
> everything all over. Let me reiterate what I think you are saying:
> 1. You had applications with Integrated Authentication. Works fine
> 2. You added applications using Anonymous authentication which requires
> explicit user registration/login. Works fine
> 3. Now the applications with Integrated Authentication also require
> login
> 4. You removed the IUSR_machinename
> 5. Now all applications, either using Integrated Authentication or
> Anonymous Authentication, require login
>
> Please do not make random server changes during investigation because
> it invalidates the investigation and wastes everyone's time.
>
>
> Now, when you enabled custom authentication in ASP.Net application, did
> you restrict it to only the applications using anonymous or is it
> incorrectly applied to the applications using Integrated.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> On Jan 25, 2:33 pm, "ben" <.> wrote:
> > Hi David,
> >
> > thanks for replying
> >
> > but i have no applicaion which has both Anonymous and Integrated
enabled.
> > Some are Anonymous enabled and orhers are Integrated enabled, but never
> > both.
> >
> > I changed all my applications into Integrated Windows and checked that
those
> > directories have the right NTFS permissions. I also removed
IUSR_myserver
> > account to be sure it's not used...
> >
> > Result: every application now requires an user authentification (login
/pw).
> >
> > What's wrong with IIS setup?
> >
> > "David Wang" schreef in
berichtnews:1169754647.891369.23340@l53g2000cwa.googlegroups .com...
> >
> >
> >
> > > If an application has both Anonymous and Integrated enabled, the web
> > > browser will choose Anonymous first, even for the Intranet users who
> > > have valid Windows user login. This forces everyone down the anonymous
> > > login path and hence your Intranet users see login dialogs now. This
is
> > > basically how web browsers and web servers are designed to do.
> >
> > > You will want to search the web for common solutions on how to enable
> > > "Mixed Mode Authentication" -- where you want Intranet users to
> > > auto-login with Windows user login and Internet users to login with
> > > other credentials.
> >
> > > //David
> > >http://w3-4u.blogspot.com
> > >http://blogs.msdn.com/David.Wang
> > > //
> >
> > > On Jan 25, 12:21 am, "ben" <.> wrote:
> > >> Hi,
> >
> > >> i have iis 5.1 on windows xp sp2.
> > >> I created several asp.net applications for our intranet, using the
> > >> windows
> > >> integrated authentifiaction method, because those applications are
only
> > >> for
> > >> internal users.
> >
> > >> Now recently, i made an application which is accessible by any
anonymous
> > >> user. I chose the allow anonymous authentifiaction method. The
anonymous
> > >> user has to logon or to create an account in sqlserver.
> >
> > >> My problem is now: all the applications with windows integrated
> > >> authentifiaction method require suddenly a logon and password before
> > >> starting the application. With the anonymous applicatio, it is not
> > >> required.
> > >> I did not change any permission on file level: ASPNET (running
account of
> > >> asp.net) has still Read/Map read permissions, 'everybody' has R/Read
map,
> > >> even IUSR_server has the same permissions ...
> >
> > >> What's wrong in my configuration?
> > >> Thanks for help.
> > >> Ben- Hide quoted text -- Show quoted text -
>

Re: HTTP 401.2: Unauthorized: can"t access page

If it works when you fill in the username/password for Integrated
Authentication, it means that the web-browser did not auto-login to
the website on your behalf. That is not a 401 issue. The 401.2 when
you hit cancel is just user misunderstanding -- browser did not
complete authentication with the server using the requested protocol
(which is true - you hit cancel).

Verify that the browser is configured to automatically login in the
Internet Zone that your website belongs to.

For example, if the website is a dotted IP address, it is assumed to
be in Internet Zone, and no auto-login occurs.


//David
http://w3-4u






On Jan 26, 12:07 am, "ben" <.> wrote:
> Sorry, I didn't remove the IUSR_server account, i only removed it from the
> ACL of Inetpub/wwwroot.
>
> Meanwhile i put it back in the ACL list and now all applications with
> anonymous authentification work again, but all with Integrated auth. still
> require a login/pw. The login shown in the login window is my
> (administrator) account and that account has full rights over the whole c:
> disc.
> When filling the pasword, it works.
> When canceling, i get the error is: 401.2 Denied by Server Configuration
> I use Internet Explorer 7.
> I also disabled my Firewall (Zonelabs) but same result.
>
> About your question
> Now, when you enabled custom authentication in ASP.Net application, did
>
> > you restrict it to only the applications using anonymous or is it
> > incorrectly applied to the applications using Integrated
>
> I don't understand what you mean. The standard website (level above all
> applications in IIS) is set on Integrated, but i tried Anonymous and
> nothing: same result.
>
> I read your article HOWTO: Diagnose 401.x HTTP errors on IIS but couldn't
> find a solution.
>
> "David Wang" schreef in berichtnews:1169767561.763047.204660@v45g2000cwv.googlegroup s.com...
>
>
>
> > First, stop making changes on your server to troubleshoot. You are
> > making your own misconfigurations worse.
>
> > Removing IUSR_myserver account just permanently botched up anonymous
> > access on your server. You will have to manually manage ACLs now.
> > Recreating the account is insufficient because it will have a different
> > SID than what is already on the resources in the filesystem. You should
> > have just disabled the account.
>
> > Lesson: Always troubleshoot by observing, not doing.
>
> > Please read this blog entry for understanding:
> >http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_B asics_of_I...
>
> > Since you have blurred system configuration recently, we have to start
> > everything all over. Let me reiterate what I think you are saying:
> > 1. You had applications with Integrated Authentication. Works fine
> > 2. You added applications using Anonymous authentication which requires
> > explicit user registration/login. Works fine
> > 3. Now the applications with Integrated Authentication also require
> > login
> > 4. You removed the IUSR_machinename
> > 5. Now all applications, either using Integrated Authentication or
> > Anonymous Authentication, require login
>
> > Please do not make random server changes during investigation because
> > it invalidates the investigation and wastes everyone's time.
>
> > Now, when you enabled custom authentication in ASP.Net application, did
> > you restrict it to only the applications using anonymous or is it
> > incorrectly applied to the applications using Integrated.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> > On Jan 25, 2:33 pm, "ben" <.> wrote:
> >> Hi David,
>
> >> thanks for replying
>
> >> but i have no applicaion which has both Anonymous and Integrated enabled.
> >> Some are Anonymous enabled and orhers are Integrated enabled, but never
> >> both.
>
> >> I changed all my applications into Integrated Windows and checked that
> >> those
> >> directories have the right NTFS permissions. I also removed IUSR_myserver
> >> account to be sure it's not used...
>
> >> Result: every application now requires an user authentification (login
> >> /pw).
>
> >> What's wrong with IIS setup?
>
> >> "David Wang" schreef in
> >> berichtnews:1169754647.891369.23340@l53g2000cwa.googlegroups .com...
>
> >> > If an application has both Anonymous and Integrated enabled, the web
> >> > browser will choose Anonymous first, even for the Intranet users who
> >> > have valid Windows user login. This forces everyone down the anonymous
> >> > login path and hence your Intranet users see login dialogs now. This is
> >> > basically how web browsers and web servers are designed to do.
>
> >> > You will want to search the web for common solutions on how to enable
> >> > "Mixed Mode Authentication" -- where you want Intranet users to
> >> > auto-login with Windows user login and Internet users to login with
> >> > other credentials.
>
> >> > //David
> >> >http://w3-4u.blogspot.com
> >> >http://blogs.msdn.com/David.Wang
> >> > //
>
> >> > On Jan 25, 12:21 am, "ben" <.> wrote:
> >> >> Hi,
>
> >> >> i have iis 5.1 on windows xp sp2.
> >> >> I created several asp.net applications for our intranet, using the
> >> >> windows
> >> >> integrated authentifiaction method, because those applications are
> >> >> only
> >> >> for
> >> >> internal users.
>
> >> >> Now recently, i made an application which is accessible by any
> >> >> anonymous
> >> >> user. I chose the allow anonymous authentifiaction method. The
> >> >> anonymous
> >> >> user has to logon or to create an account in sqlserver.
>
> >> >> My problem is now: all the applications with windows integrated
> >> >> authentifiaction method require suddenly a logon and password before
> >> >> starting the application. With the anonymous applicatio, it is not
> >> >> required.
> >> >> I did not change any permission on file level: ASPNET (running account
> >> >> of
> >> >> asp.net) has still Read/Map read permissions, 'everybody' has R/Read
> >> >> map,
> >> >> even IUSR_server has the same permissions ...
>
> >> >> What's wrong in my configuration?
> >> >> Thanks for help.
> >> >> Ben- Hide quoted text -- Show quoted text -- Hide quoted text -
>
> - Show quoted text -