Stumped by Authentication Problem
Stumped by Authentication Problem
am 04.12.2007 22:38:38 von SirCodesALot
Hi All,
I am stuck and could use some help. For some reason, none of our
domain users can access our webpages unless they are added to the
Administrator group on the Web server and I can't figure out why. This
just started happening recently.
We have a local group called Users that conains our Domain Users.
Here is what I have done:
1. Checked that the users gruops has access to the Web Directory -
Users - yes
IIS_WFG - yes
System - yes
Administrators - yes
Users - yes
2. Checked the authentication method for the Website
- Integrated Windows Authentication
3. Looked at the logs for a persons not in the Adminstrators groups.
Here are a few lines:
2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401
1 0
2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500
0 2148074244
So it looks like it is failing because it can't validate the user and
only works if the user is in the admin group. Anyone have any idea
why?
Thanks in advance for your help!
-SJ
Re: Stumped by Authentication Problem
am 05.12.2007 11:02:58 von Ken Schaefer
Hi,
This isn't an IIS issue - something is happening lower down in the stack
(e.g. inside LSASS or similar).
The initial request is denied with an Unauthorized (401) HTTP status. The
client then appears to be sending credentials, and the server is returning
500. The Win32 status indicates an internal security error occurred.
I would start by looking in the Windows Event Logs to see if any errors are
being logged there.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"SirCodesALot" wrote in message
news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.google groups.com...
> Hi All,
>
> I am stuck and could use some help. For some reason, none of our
> domain users can access our webpages unless they are added to the
> Administrator group on the Web server and I can't figure out why. This
> just started happening recently.
>
> We have a local group called Users that conains our Domain Users.
>
> Here is what I have done:
>
> 1. Checked that the users gruops has access to the Web Directory -
> Users - yes
> IIS_WFG - yes
> System - yes
> Administrators - yes
> Users - yes
>
> 2. Checked the authentication method for the Website
> - Integrated Windows Authentication
>
> 3. Looked at the logs for a persons not in the Adminstrators groups.
> Here are a few lines:
> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401
> 1 0
> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500
> 0 2148074244
>
> So it looks like it is failing because it can't validate the user and
> only works if the user is in the admin group. Anyone have any idea
> why?
>
> Thanks in advance for your help!
> -SJ
>
Re: Stumped by Authentication Problem
am 05.12.2007 18:05:48 von SirCodesALot
On Dec 5, 4:02 am, "Ken Schaefer"
wrote:
> Hi,
>
> This isn't an IIS issue - something is happening lower down in the stack
> (e.g. inside LSASS or similar).
>
> The initial request is denied with an Unauthorized (401) HTTP status. The
> client then appears to be sending credentials, and the server is returning
> 500. The Win32 status indicates an internal security error occurred.
>
> I would start by looking in the Windows Event Logs to see if any errors are
> being logged there.
>
> Cheers
> Ken
>
> --
> My IIS Blog:www.adOpenStatic.com/cs/blogs/ken
>
> "SirCodesALot" wrote in message
>
> news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.google groups.com...
>
>
>
> > Hi All,
>
> > I am stuck and could use some help. For some reason, none of our
> > domain users can access our webpages unless they are added to the
> > Administrator group on the Web server and I can't figure out why. This
> > just started happening recently.
>
> > We have a local group called Users that conains our Domain Users.
>
> > Here is what I have done:
>
> > 1. Checked that the users gruops has access to the Web Directory -
> > Users - yes
> > IIS_WFG - yes
> > System - yes
> > Administrators - yes
> > Users - yes
>
> > 2. Checked the authentication method for the Website
> > - Integrated Windows Authentication
>
> > 3. Looked at the logs for a persons not in the Adminstrators groups.
> > Here are a few lines:
> > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401
> > 1 0
> > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500
> > 0 2148074244
>
> > So it looks like it is failing because it can't validate the user and
> > only works if the user is in the admin group. Anyone have any idea
> > why?
>
> > Thanks in advance for your help!
> > -SJ- Hide quoted text -
>
> - Show quoted text -
Ken, thanks for your response! I will try looking into that way.
Thanks again,
-SJ
Re: Stumped by Authentication Problem
am 07.12.2007 07:50:39 von Roger Abell
"Ken Schaefer" wrote in message
news:OHKs%23YyNIHA.5980@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> This isn't an IIS issue - something is happening lower down in the stack
> (e.g. inside LSASS or similar).
>
> The initial request is denied with an Unauthorized (401) HTTP status. The
> client then appears to be sending credentials, and the server is returning
> 500. The Win32 status indicates an internal security error occurred.
>
> I would start by looking in the Windows Event Logs to see if any errors
> are being logged there.
>
Indeed Ken, and might not the app trace be useful too, as it seems
by 500 that it is not handling the (unanticipated?) access denial.
Roger
> "SirCodesALot" wrote in message
> news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.google groups.com...
>> Hi All,
>>
>> I am stuck and could use some help. For some reason, none of our
>> domain users can access our webpages unless they are added to the
>> Administrator group on the Web server and I can't figure out why. This
>> just started happening recently.
>>
>> We have a local group called Users that conains our Domain Users.
>>
>> Here is what I have done:
>>
>> 1. Checked that the users gruops has access to the Web Directory -
>> Users - yes
>> IIS_WFG - yes
>> System - yes
>> Administrators - yes
>> Users - yes
>>
>> 2. Checked the authentication method for the Website
>> - Integrated Windows Authentication
>>
>> 3. Looked at the logs for a persons not in the Adminstrators groups.
>> Here are a few lines:
>> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401
>> 1 0
>> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500
>> 0 2148074244
>>
>> So it looks like it is failing because it can't validate the user and
>> only works if the user is in the admin group. Anyone have any idea
>> why?
>>
>> Thanks in advance for your help!
>> -SJ
>>
>
Re: Stumped by Authentication Problem
am 07.12.2007 07:57:14 von Roger Abell
So this means you have looked in the event logs, and there seen
these domain users members successful at login, yet they are
denied access to the resource. Right? . . . or at least no failed
login events for them then if you don't log success?
If not so, was there a change in login rights, or in group nestings
recently?
Roger
"SirCodesALot" wrote in message
news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.google groups.com...
> Hi All,
>
> I am stuck and could use some help. For some reason, none of our
> domain users can access our webpages unless they are added to the
> Administrator group on the Web server and I can't figure out why. This
> just started happening recently.
>
> We have a local group called Users that conains our Domain Users.
>
> Here is what I have done:
>
> 1. Checked that the users gruops has access to the Web Directory -
> Users - yes
> IIS_WFG - yes
> System - yes
> Administrators - yes
> Users - yes
>
> 2. Checked the authentication method for the Website
> - Integrated Windows Authentication
>
> 3. Looked at the logs for a persons not in the Adminstrators groups.
> Here are a few lines:
> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401
> 1 0
> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500
> 0 2148074244
>
> So it looks like it is failing because it can't validate the user and
> only works if the user is in the admin group. Anyone have any idea
> why?
>
> Thanks in advance for your help!
> -SJ
>