Domain Guests

"rdw" <r**@discussions.microsoft.com> wrote in message news:8DC6824B-1241-41BE-96DD-18E33B88E9C8@microsoft.com:

I have one account on our domain that I need to allow web site access for. I only want this account to be in the Domain guests group and I want to use Integrated Security only for the web site. To this point I haven't been able to get this to work. Is this possible?

Thanks.

"Ken Schaefer" wrote:

What functional level is your domain? For Win2k3 (and possibly Win2k as well), Domain Guests group has the same permissions as Domain Users (you can see that in the group's description).

The actual authentication technology used (IWA) has no bearing on whether the user can load the page or not (that's authorization). IWA is just the process of conveying the user's credentials to the server. The Authorization process determines whether the user can perform the action (e.g. load the page).

What is the error you are getting? What version of IIS are you using? What client OS/browser? etc.

Cheers
Ken

"rdw" <r**@discussions.microsoft.com> wrote in message news:16B530A4-70CE-4D62-B457-A7BF03AD7074@microsoft.com:

The error is an http error 401.3. Unauthorized: Access is denied due to an
ACL set on the requested resource.

I've granted Domain Guests read permissions on the folder as well.

We are using Windows Server 2003 SR2 (IIS 6) and the browser is IE 6 SP2. The client machine is Windows XP Pro, but I've been able to reproduce it on 2000 Pro as well.

"Ken Schaefer" wrote:

Hi,
This should be relatively straightforward.

a) Can you post the relevant IIS logfile entries for the failed requests please?

b) What group memberships does the user account have? If you add it to Domain Users (assuming that you removed it), does this start working all of a sudden?

c) What are all the ACEs on the file in question?

Cheers
Ken

"rdw" <r**@discussions.microsoft.com> wrote in message news:D0814CD5-FB4D-476A-90EE-8796738C69B4@microsoft.com:

Thanks for the assistance on this issue.
a). These are the 3 entries that are generated into the log file each time this user browses the page.

2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET / - 80 - 172.18.31.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254

2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET / - 80 - 172.18.31.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0

2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET /Default.asp |-|0|401_Error:_Access_is_Denied. 80 domainname\firstname.lastname 172.18.31.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 5 0

b). This user is a member of Domain Guests only. He is in no other groups. If we add him to Domain Users he can load the page successfully.

c). The permissions on the folder are set up as follows:
Domain Admins: Full Control
Domain Guests: Read & Execute, List Folder Contents, Read
Everyone: Read & Execute, List Folder Contents, Read
Network Service: Read & Execute, List Folder Contents, Read

Thanks again.

Reply to "rdw" (message news:D0814CD5-FB4D-476A-90EE-8796738C69B4@microsoft.com):

This is a user rights issue, not a permissions issue.
Likely Domain Users, or Interactive, or Authenticated Users, or some combination of these are in Users on the IIS machine, but Domain Guests is not a member of any of these until it has successfully been authenticated - sort of a catch 22.

What I do is define a custom global group in the domain, ex. WebGuests in your case, and use this to replace Domain Users as the web access account's Primary Group so that it is in no groups that grant access to other domain resources. Then add this domain global WebGuests group to the IIS machine's Users group (to be excessive) or use it to grant NTFS permissions and the User Right to Log on over the network.

Reply to "rdw" (message news:D0814CD5-FB4D-476A-90EE-8796738C69B4@microsoft.com):

I should have added that if the site is not purely HTML then you likely
would also need to add some grants to the custom group for components used if you elect to use the minimal grants route instead of making the group a machine local Users member.
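
The three log entries posted in the thread can be read mechanically. The Python below is an added example, not code from the thread: it splits each line into W3C fields and separates logon-stage 401s from authorization-stage denials, the authentication/authorization distinction drawn earlier in the thread. The field order (IIS 6 default W3C set), the shortened user agent and the phase labels are assumptions of this example.

```python
# Added example (not from the thread): separate logon-stage 401s from authorization-stage
# denials in IIS 6 W3C log lines. Assumed field order: the IIS 6 default W3C set.
FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

SUBSTATUS_401 = {  # IIS meanings of the 401.x sub-status codes
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}

UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)"  # shortened from the post
PREFIX = "2006-08-02 11:10:20 W3SVC1515785147 172.18.40.31 GET"
SAMPLE = [  # the three entries posted in the thread, user agent shortened
    f"{PREFIX} / - 80 - 172.18.31.5 {UA} 401 2 2148074254",
    f"{PREFIX} / - 80 - 172.18.31.5 {UA} 401 1 0",
    f"{PREFIX} /Default.asp |-|0|401_Error:_Access_is_Denied. 80 "
    f"domainname\\firstname.lastname 172.18.31.5 {UA} 401 5 0",
]

def parse(line):
    """Split one log line into named fields (IIS writes '+' for spaces inside a field)."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))

def classify(entry):
    """Heuristic label for the stage of request handling that produced the 401."""
    if entry["sc-status"] != "401":
        return "not-401"
    if entry["sc-substatus"] in ("1", "2"):
        # Logon stage; with no user name logged it is the usual challenge round trip.
        return "auth-handshake" if entry["cs-username"] == "-" else "logon-failed"
    return "authorization-denied"  # 401.3/.4/.5: refused after the logon stage

def report(lines):
    return [{
        "code": f'{e["sc-status"]}.{e["sc-substatus"]}',
        "meaning": SUBSTATUS_401.get(e["sc-substatus"], "unknown"),
        "user": e["cs-username"],
        "phase": classify(e),
        "win32": f'0x{int(e["sc-win32-status"]):08X}',
    } for e in map(parse, lines)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Only the third entry carries a user name, and it is the only one denied at the authorization stage. The first entry's sc-win32-status, 2148074254, is 0x8009030E (SEC_E_NO_CREDENTIALS), which fits an initial request sent without credentials.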