Windows Authentication Access Denied Error

On Dec 2, 12:38 pm, L Nelson <L Nel***@discussions.microsoft.com> wrote:

I have two Windows 2003 servers hosting an ASP.NET site. Both servers are using Windows Authentication. Everything was working fine, but suddenly my users are not able to access the dev site. They are still able to access prod fine. When attempting to access the site they are getting a 401 "access denied" error message. I suspect that our company's automated lockdown policies are causing the problem, but in order to have them configured so they will not interfere I need to know all the services that the Windows Authentication protocol uses, and also if there are any specific folders or directories that the users need to have access to. The lockdown policies restrict access to anything and everything on C. The web files and also the SQL Server Express engine are installed to the E directory on the server. I am still able to access both sites, as I am also on the local admins group.

"David Wang" wrote:

It sounds like your question is more about the dependencies of your specific web application, unrelated to IIS.

To be certain -- please check the IIS log entry for the requests which result in "401 access denied" and make sure it is not 401.1 or 401.2.
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Dec 3, 4:42 am, L Nelson <LNel***@discussions.microsoft.com> wrote:

When the user hits the website the first response is 401 2 2148074254
For myself, it then goes to 200 0 0 as a successful login
For the users who are failing, the second response is 401 3 5
At this point, a login prompt window pops up. If the user enters their login and password here, they get the access denied error and the entry in the log is 401 1 0

"David Wang" wrote:

The second request is 401.3, indicating that IIS successfully authenticated the user, but the user was later denied access by NTFS ACL.

It confirms that the issue has nothing to do with IIS and is specific to ACLs your application depends upon. There are no service dependencies or special files/folders for Windows Authentication of the sort that you are asking about.

I suggest starting by removing the web servers from your corporate group policy, or at least apply different group policies for servers. That is the source of your troubles, not IIS.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Dec 3, 10:23 am, L Nelson <LNel***@discussions.microsoft.com> wrote:

After further debugging today I came to the same conclusion that it is the ACLs that are the root of the problem. However, I checked the permissions on all the folders specified on MSDN for ASP.NET required access list controls (http://msdn.microsoft.com/en-us/library/kwzs111e(VS.80).aspx) and all appear to have the correct settings on my server.

Unfortunately, there is no way I am going to convince our CIS group to not enforce their lockdown policy. However, if I could pinpoint the exact folder (or folders) that the NETWORK SERVICE account is failing to access, then I could probably get CIS to allow access specifically, which is why I worded the original question in that manner.

I have read posts and articles on possible causes and workarounds until my head is spinning and even downloaded a couple diagnostics tools but nothing has worked so far. I am about to try reinstalling IIS, but that is a last-ditch effort and not something I want to do every week to keep this site up and running. There has to be an easier way to pinpoint the root cause of this issue and fix it.

"David Wang" wrote:

Reinstalling will not work. As soon as you reinstall, the Group Policy will come back down and re-lockdown whatever is causing the issue right now, bringing back the problem. Remember, the problem has nothing to do with IIS nor IIS, so reinstalling solves nothing.

Please realize that the problem here is really caused by conflict between the Group Policy from CIS and your application's dependencies. IIS is just a bystander.

You are really asking for an easier way to pinpoint the root cause of arbitrary changes made by Group Policy (or anyone else), and that is complicated (and a bit of wishful thinking, as I will shortly explain).

You will never find a "fix my ACL problem" button from IIS because it is beyond IIS (or anyone else) to ever deal with the root cause of such mis-configuration issues. The responsibility is ALWAYS on the policy changer (i.e. CIS) to know the ramifications of their change and test it out beforehand. IIS can only tell you what works by default, but not what works in your specific environment.

Blanket security policies tend to be highly problematic on servers -- it would behoove your security department to understand this and treat servers differently than desktops because otherwise, they will waste a lot of your time. In return, you should be highly motivated to fix this with CIS because you don't want to keep asking around to clean up after their changes -- you may belong to the organization, but we aren't...

If the issue is file ACLs, then you can use File Monitor from sysinternals.com to see what user account and resource is getting access denied, and you can go from there. I think the tool has been integrated into "Process Monitor", which is an absolute treasure trove of tools to figure out Windows system interaction.

Sometimes, it is easier to understand what exactly was changed by a given Policy, than to reverse engineer the change by observing a broken system.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
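The status triples quoted in the thread (sc-status, sc-substatus, sc-win32-status) can be pulled out of an IIS W3C log and sorted per client, so the 401.3 requests, and the account and URL they name, stand out from the normal 401.2 handshake. This is an added example, not part of the original thread or any poster's code; the log lines, host addresses, user names and the function names `parse_w3c` and `triage` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format; addresses, users and times are invented.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2008-12-03 09:40:01 192.0.2.5 - GET /default.aspx 401 2 2148074254
2008-12-03 09:40:01 192.0.2.5 EXAMPLE\admin1 GET /default.aspx 200 0 0
2008-12-03 09:41:10 192.0.2.9 - GET /default.aspx 401 2 2148074254
2008-12-03 09:41:10 192.0.2.9 EXAMPLE\user7 GET /default.aspx 401 3 5
2008-12-03 09:41:25 192.0.2.9 - GET /default.aspx 401 1 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or foreign lines
                yield dict(zip(fields, values))

def triage(text):
    """Return {client_ip: (verdict, detail)} based on the status triples."""
    by_client = defaultdict(list)
    for rec in parse_w3c(text):
        by_client[rec["c-ip"]].append(rec)
    result = {}
    for ip, recs in by_client.items():
        codes = [(r["sc-status"], r["sc-substatus"]) for r in recs]
        acl = [r for r in recs if (r["sc-status"], r["sc-substatus"]) == ("401", "3")]
        if acl:
            # 401.3: authenticated, then refused by an ACL. Win32 status 5 is
            # ERROR_ACCESS_DENIED. Report who was refused and on which URL.
            r = acl[0]
            result[ip] = ("acl-denied",
                          (r["cs-username"], r["cs-uri-stem"], int(r["sc-win32-status"])))
        elif ("401", "1") in codes:
            result[ip] = ("logon-failed", None)
        elif codes and codes[-1][0] == "200":
            # A leading 401.2 is the normal anonymous first request before negotiation.
            result[ip] = ("ok", None)
        else:
            result[ip] = ("other", codes)
    return result

if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG).items():
        print(client, verdict)
```

The account and URL reported for an `acl-denied` client are the starting point for the File Monitor / Process Monitor trace suggested in the last reply.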