IIS requiring authentication

Using IIS on a standalone Win2003 server. Users hit the server IP from any
workstation on the LAN and get the default web page. Setup has been in place
for about a year with no problems. Last week, we start getting errors when
users try to hit the site. Users get "Authentication Required" popup when
they use their bookmark to get to the site.

First time this happened, entering the admin user credentials would allow
the user to proceed to the default web site. That is no longer the case; no
credentials are validated. Have verified user/pw for the admin user on the
server, so that is not the issue.

Point is, we should *never* need to authenticate to get to this page. I went
into IIS Manager and checked the Directory Security settings. "Enable
anonymous access" is selected. Down below, in the "Authenticated Access"
area, it had shown "Integrated Windows authentication" for when anonymous
access was disabled, or when NTFS permissions caused restrictions.

I have not been at the keyboard of this server for over a month, prior to
this issue arising last week. It is not auto-updating--i.e. zero changes have
been made that could account for this. I have tried disabling the Windows
Authentication, then restarting. I have tried using admin user to get past
authentication; only worked the first few times (?). I've tried changing the
password for the IUSR_computername user both in the Local Users and Groups
and in IIS Manager. Nothing is working.

Some random changes do happen. I had taken off the Integrated Windows
authentication, restarted the server, took a screenshot of IIS Mgr with that
setting *off*. Users had access to the default web page. 30 min. later, same
problem. Checked IIS Mgr, and integ win auth was back on...? Nobody has
physical or remote access to this sever except me, and except for users'
access to the default web page.

When at the server console, typing the server IP in the web browser yields
"authentication required." Typing "localhost" takes me to the default web
page. Now, that's just weird.

Any help would be oh-so-appreciated!

Re: IIS requiring authentication

On Nov 26, 8:51 am, awshaffer
wrote:
> Using IIS on a standalone Win2003 server. Users hit the server IP from any
> workstation on the LAN and get the default web page. Setup has been in place
> for about a year with no problems. Last week, we start getting errors when
> users try to hit the site. Users get "Authentication Required" popup when
> they use their bookmark to get to the site.
>
> First time this happened, entering the admin user credentials would allow
> the user to proceed to the default web site. That is no longer the case; no
> credentials are validated. Have verified user/pw for the admin user on the
> server, so that is not the issue.
>
> Point is, we should *never* need to authenticate to get to this page. I went
> into IIS Manager and checked the Directory Security settings. "Enable
> anonymous access" is selected. Down below, in the "Authenticated Access"
> area, it had shown "Integrated Windows authentication" for when anonymous
> access was disabled, or when NTFS permissions caused restrictions.
>
> I have not been at the keyboard of this server for over a month, prior to
> this issue arising last week. It is not auto-updating--i.e. zero changes have
> been made that could account for this. I have tried disabling the Windows
> Authentication, then restarting. I have tried using admin user to get past
> authentication; only worked the first few times (?). I've tried changing the
> password for the IUSR_computername user both in the Local Users and Groups
> and in IIS Manager. Nothing is working.
>
> Some random changes do happen. I had taken off the Integrated Windows
> authentication, restarted the server, took a screenshot of IIS Mgr with that
> setting *off*. Users had access to the default web page. 30 min. later, same
> problem. Checked IIS Mgr, and integ win auth was back on...? Nobody has
> physical or remote access to this sever except me, and except for users'
> access to the default web page.
>
> When at the server console, typing the server IP in the web browser yields
> "authentication required." Typing "localhost" takes me to the default web
> page. Now, that's just weird.
>
> Any help would be oh-so-appreciated!



Anonymous access and Authenticated Access does *NOT* mean that you
*never* need to authenticate to get to a page. You MUST understand
this point. A user ALWAYS need to authenticate to get to ANY content
on Windows because content on NTFS is ACL'd. The question is *who*
does the automatic authentication, client or server, such that you
have the illusion of never needing to authenticate.

http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_D enied_to_Administrators_or_Anonymous_User.aspx


My suspicion is that this is not an IIS issue. You said that you had
not changed server configuration. I add that IIS doesn't change
configuration on its own -- it does not have a user token with
permissions to change its own configuration. Your type of issue
usually indicate some combination of :
1. Domain Controllers pushing down security policies, user/ACL
lockdown, configuration scripts, etc that prevent proper functioning
of IIS (*very* frequently the culprit)
2. Something else on the server is crashing inetinfo.exe and reverting
your IIS configuration changes (for example, if you run in IIS5
Compatibility Mode, or if you run other applications in inetinfo.exe)
3. Security attacks (intentional or unintentional) on the IIS
anonymous account that cause account lockout (for example, the Guest
group may get locked down by group policy, or you change the anonymous
user's password to be out of sync with the cached value in metabase,
etc)
4. Something else is authenticating on IIS and overriding IIS's
configured behavior (for example, someone installed/activated custom
authentication ISAPI Filter)

Your observation with "localhost" and IP going to different places
indicate either a networking problem or user misconfiguration/
misunderstanding of IIS. For example, you could have a website with
host header of "localhost" that can funnel your localhost requests to
one website (with one set of behaviors) and those with IP to another
website (with different behaviors). Or DNS could be messed up on your
internal network such that localhost is resolving to another computer
and not this IIS server, etc. In order for your result to be weird,
you have to show that the request to "localhost" and by IP was
serviced by the SAME IIS Website and server, and even then, there are
other possible explanations.


I recommend you read the following blog entries to get an
understanding of how to troubleshoot and use the IIS-related logs, and
what each 401 means in an IIS log file:
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Di agnose_IIS_401_Access_Denied.aspx
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Ba sics_of_IIS6_Troubleshooting.aspx

My experience with your type of "funny" behavior with IIS is that it
is rarely an IIS bug/issue. It is almost always something external,
related to security or lockdown from a domain policy, whose unintended
effects on IIS gets recognized as the "funny" behavior because people
use web applications on IIS. Thus, I recommend against fiddling with
any IIS settings and always start from "what does IIS log files
complain about being the problem" and go from there.

My suspicion is that you've always had a network misconfiguration that
is just now exposed, and you had an external security policy applied
to lock down this IIS server from functioning. I highly recommend just
looking around for clues and not changing any IIS server
configuration.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: IIS requiring authentication

Thanks for a *very* complete and quick reply. You've given me a lot to check
into. Some responses to points you raise:

"David Wang" wrote:


>
>
> Anonymous access and Authenticated Access does *NOT* mean that you
> *never* need to authenticate to get to a page. You MUST understand
> this point.

Right, just meant that from a user standpoint, they never had to enter
credentials, and now they are being required to do so. I'm assuming, in fact,
that this is some sort of authentication issue, which is why I changed the
IUSR pw.


>
> http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_D enied_to_Administrators_or_Anonymous_User.aspx

Thanks for the reference!
>
>
> My suspicion is that this is not an IIS issue. You said that you had
> not changed server configuration. I add that IIS doesn't change
> configuration on its own -- it does not have a user token with
> permissions to change its own configuration. Your type of issue
> usually indicate some combination of :
> 1. Domain Controllers pushing down security policies, user/ACL
> lockdown, configuration scripts, etc that prevent proper functioning
> of IIS (*very* frequently the culprit)

No DC here, so should not be that, no?

> 2. Something else on the server is crashing inetinfo.exe and reverting
> your IIS configuration changes (for example, if you run in IIS5
> Compatibility Mode, or if you run other applications in inetinfo.exe)

Very likely. Will work to check those out.

> 3. Security attacks (intentional or unintentional) on the IIS
> anonymous account that cause account lockout (for example, the Guest
> group may get locked down by group policy, or you change the anonymous
> user's password to be out of sync with the cached value in metabase,
> etc)

Very possibly. When you refer to cached value in the metabase, that gets
renewed if I go into IIS Mgr and change the pw for the anon user, does it
not?

> 4. Something else is authenticating on IIS and overriding IIS's
> configured behavior (for example, someone installed/activated custom
> authentication ISAPI Filter)

Should be very unlikely, but I'll track it down. Thanks.

>
> Your observation with "localhost" and IP going to different places
> indicate either a networking problem or user misconfiguration/
> misunderstanding of IIS.

Yep, although, again, this should not be new. Something had to *cause* it.
I've gone directly to the IP w/out errors, so something has changed.

For example, you could have a website with
> host header of "localhost" that can funnel your localhost requests to
> one website (with one set of behaviors) and those with IP to another
> website (with different behaviors). Or DNS could be messed up on your
> internal network such that localhost is resolving to another computer
> and not this IIS server, etc. In order for your result to be weird,
> you have to show that the request to "localhost" and by IP was
> serviced by the SAME IIS Website and server, and even then, there are
> other possible explanations.

No other IIS Websites present, no other Win2k3 servers present, no entries
in DNS that account for this, but I agree with your premise.

>
>
> I recommend you read the following blog entries to get an
> understanding of how to troubleshoot and use the IIS-related logs, and
> what each 401 means in an IIS log file:
>

Thanks very much. I'll head over to those, as well!

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Di agnose_IIS_401_Access_Denied.aspx
> http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Ba sics_of_IIS6_Troubleshooting.aspx
>
> My experience with your type of "funny" behavior with IIS is that it
> is rarely an IIS bug/issue. It is almost always something external,
> related to security or lockdown from a domain policy, whose unintended
> effects on IIS gets recognized as the "funny" behavior because people
> use web applications on IIS. Thus, I recommend against fiddling with
> any IIS settings and always start from "what does IIS log files
> complain about being the problem" and go from there.
>
> My suspicion is that you've always had a network misconfiguration that
> is just now exposed, and you had an external security policy applied
> to lock down this IIS server from functioning. I highly recommend just
> looking around for clues and not changing any IIS server
> configuration.
>

Thanks for a great combination of detail and summary info!
tony


>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>

Re: IIS requiring authentication

Something I should have clarified in the first post (sorry): error is 401.1,
so it's specifically due to invalid credentials. I've gone back and looked at
the ACL, and the admin user has the proper permissions. Also created a new
user to run as anonymous, disabled the IUSR account and gave the new user
explicit allows on the ACL for the wwwroot directory. Went into IIS mgr and
identified the new anon user as the anon user. No change, still not working.

One thing that made sense was a security lockout, as you mention, David, but
that should not be possible with a newly-created user..., no?

Re: IIS requiring authentication

On Nov 27, 10:01 am, awshaffer
wrote:
> Something I should have clarified in the first post (sorry): error is 401.1,
> so it's specifically due to invalid credentials. I've gone back and looked at
> the ACL, and the admin user has the proper permissions. Also created a new
> user to run as anonymous, disabled the IUSR account and gave the new user
> explicit allows on the ACL for the wwwroot directory. Went into IIS mgr and
> identified the new anon user as the anon user. No change, still not working.
>
> One thing that made sense was a security lockout, as you mention, David, but
> that should not be possible with a newly-created user..., no?



401.1 error tells me to look at user privileges, Application Pool
identity, and credentials/passwords. ACLs, IIS Authentication
configuration, ISAPI, etc are usually not involved.

I would start looking at securiy lockout by group membership, missing
logon privileges by group membership, or even change of how IIS
performs user login for authentication (which is configurable but
should not have changed).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: IIS requiring authentication

>
> 401.1 error tells me to look at user privileges, Application Pool
> identity, and credentials/passwords. ACLs, IIS Authentication
> configuration, ISAPI, etc are usually not involved.
>

Exactly. That's my frustration--it cannot be nothing, but it can only be a
limited number of somethings, and it's not any of the somethings. Frankly,
I'm feeling now like I've either got a corrupt file somewhere that I just
cannot track down using any avail monitors, or a ditto for a security issue.
Came in today and tried to logon to the server console and got "not enough
storage is available to process this command". All the references I find to
this have to do with apps running on a functioning o/s, or to Dell
Poweredges, which this is not.

Rather than leave my whole site w/out access to the things they need, I'm
going to stop my pitiful troubleshooting attempts, blow the thing away and
recreate it. Thanks for all your help and for teaching me a lot that I did
not know.

> I would start looking at securiy lockout by group membership, missing
> logon privileges by group membership, or even change of how IIS
> performs user login for authentication (which is configurable but
> should not have changed).

Can't get in, so I can't check any of that, but to the extent that I had
looked at those issues before, none was the cause. Yesterday I had the
developer who wrote the app I was using with IIS remote in and drive that
server for a couple hours, and he could not explain the error.

Thanks again,
tony

>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>

Re: IIS requiring authentication

At the end, it sounds like something was leaking memory on your system
(probably non-paged pool) such that it prevented login.

You'd be able to determine that from a Kernel Debugger attached to
this machine. And figure out what's leaking that memory because it'll
eventually cause IIS to return "Connections_Refused" (which I also
have a blog entry about).

Now, this sort of thing does not happen suddenly on its own. You must
have had some hardware of software change at a system level which is
causing this issue.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//






On Nov 28, 8:03 am, awshaffer
wrote:
> > 401.1 error tells me to look at user privileges, Application Pool
> > identity, and credentials/passwords. ACLs, IIS Authentication
> > configuration, ISAPI, etc are usually not involved.
>
> Exactly. That's my frustration--it cannot be nothing, but it can only be a
> limited number of somethings, and it's not any of the somethings. Frankly,
> I'm feeling now like I've either got a corrupt file somewhere that I just
> cannot track down using any avail monitors, or a ditto for a security issue.
> Came in today and tried to logon to the server console and got "not enough
> storage is available to process this command". All the references I find to
> this have to do with apps running on a functioning o/s, or to Dell
> Poweredges, which this is not.
>
> Rather than leave my whole site w/out access to the things they need, I'm
> going to stop my pitiful troubleshooting attempts, blow the thing away and
> recreate it. Thanks for all your help and for teaching me a lot that I did
> not know.
>
> > I would start looking at securiy lockout by group membership, missing
> > logon privileges by group membership, or even change of how IIS
> > performs user login for authentication (which is configurable but
> > should not have changed).
>
> Can't get in, so I can't check any of that, but to the extent that I had
> looked at those issues before, none was the cause. Yesterday I had the
> developer who wrote the app I was using with IIS remote in and drive that
> server for a couple hours, and he could not explain the error.
>
> Thanks again,
> tony
>
>
>
>
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //- Hide quoted text -
>
> - Show quoted text -