
iis + win2k adv server problem

Author
29 Jun 2005 1:51 AM
Pohihihi
Hello NG,

I am running IIS on Win2k Adv Server + SP4 + .Net framework 1.1

My problem is as follows --

I have a default website and some other sites on the same IIS (with diff port
numbers).
We have a domain, but this server is not a part of any domain; it is on the same
network (intranet).
When I try to access the default site (e.g. http://WebServer) it works just
fine from any other computer,
but when I try to access any other site on the same IIS (e.g.
http://WebServer:8080) it shows an NT login form.

Now I guess that it has something to do with the ACL or the web.config file. I
have tried all the possible solutions given on the web and in online help but I
still see that NT login form. Note that it lets me see the site if I enter
the details of a user account on my WebServer, but I want others to see this
intranet site without going through this login process.

Thank you for the help in advance.

Po.

Author
1 Jul 2005 5:31 AM
Fransg [MSFT]
Is the home directory located on the same server? If it is located on a
remote share, you might run into some passthrough authentication issues.
Also, if you connect to the server using a FQN and the FQDN contains a DOT
you could also see this behavior (KB303650).
Please try the following.
Change the VDir from http://webserver:8080 to the VDir of your default
website (http://webserver) and test if you are prompted again. If so, check
your IIS Authentication settings of the webserver:8080. If not, you need to
check the ACLs on the target directory of the VDir of WebServer:8080.
Or vice versa, map the VDir of your default website to the VDir of the
webserver:8080.

Good luck,

--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.

Author
1 Jul 2005 11:22 AM
Pohihihi
Frans,

Thanks for the reply. Before my first posting I did the following:

1- Checked if I get NT type login on default (I did not)
2- I checked (and gave admin rights) rights in VDir given to IUSR_Machine
but nothing changed
3- I changed default site's VDir so that it can point to my
http://WebServer:8080 's VDir but I started getting NT type login on default
4- I also checked web.config file but nothing in that changes anything.

Also, I just followed as suggested in the KB article you noted. I am not using
FQN/FQDN. This server is not a part of any domain and is independent on the same
network.
VDir is on the same server. I tried putting VDir inside wwwroot and outside of
it. Same story. It works just fine as localhost but this problem comes if I
access it from other computers that are part of a domain.

Thanks,
Po


Author
4 Jul 2005 2:19 PM
Fransg [MSFT]
What happens if you point your default website to the webserver:8080 VDir?
If you still get prompted, check if the IUser has rights to read the files
on the VDir. (explicit)
Have you enabled Anonymous access on the webserver:8080 site and disabled all
other authentication options?


--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.

Author
7 Jul 2005 10:25 AM
Pohihihi
> What happens if you point your default website to the webserver:8080 VDir?

I get a prompt

> If you still get prompted, check if the IUser has rights to read the files
> on the VDir. (explicit)

I have given it all the rights on that VDIR

> Have you enabled Anonymous access on the webserver:8080 site and disabled
> all other authentication options?

Yes

My web.config file has the following:

<authentication mode="Forms">
  <forms name=".ASPXAUTH" protection="All" timeout="60" />
</authentication>

If I change authentication mode to none then I do not see NT type login but
then that is a problem because this site is pointing to an intranet blog
(powered by dasBlog) and not every user is allowed to have admin rights.

Thanks,
Po




Author
11 Jul 2005 11:22 AM
Fransg [MSFT]
OK, correct me if I am wrong.
The webserver is not a member of a domain. So the webserver will not be able
to authenticate a user against the domain controller.
So this will mean that you need all users as local users on the server.
Since the server needs some form of authentication, if a user comes from
another machine, it will pop up a dialog box to prompt for Username and
Password.
If you have basic authentication enabled, the server will not be able to
verify the user's credentials unless it will prompt for it.

From the local machine, the webserver will know who the logged on user is
and will not prompt you for credentials.
If the server was a domain member, it would have been able to find out who
the user will be thanks to Active Directory.


--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.

Author
13 Jul 2005 11:17 PM
Pohihihi
Yes, that is right. But the point is that I want any user (anyone in or out
of any domain) to be able to access the site but not be able to log in to
the server remotely (including domain admins). The blog site I am trying to
put on the intranet has a login button and is shown at the time of local login
in the site as link for login page but other than that it should let any
user view pages without forcing them to log in as admin of that blog (login
is only for the owner of that blog). Ultimately my goal is to make that work
like any www.mysite.com server and still allow the owner to be able to log in
when needed. This is when I start getting the NT style login window when I try
to access that page from another computer.


Author
15 Jul 2005 5:30 AM
Fransg [MSFT]
Still, you need user accounts on the webserver.
Possibly you can set anonymous access on your home page to prevent the logon
box from showing up.
When you need a user to log on, you can direct him to a page where they can
authenticate.

In that case you will need user accounts on the box. These accounts should be
strictly limited so they can only do what they need to do on the exact
locations.

But just for the public parts you could/should use anonymous.


--
Frans Geurtsen
PSS Security
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.

Author
16 Jul 2005 12:46 AM
Pohihihi
Thanks Frans, I guess I will have to connect it to the domain. I might do some
research on blocking domain admins/users from logging in remotely or locally to
the machine (other than the accounts I want to permit).
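
Added example, not part of the original thread: the discussion keeps circling whether the prompt comes from IIS authentication settings and ACLs or from the Forms authentication in web.config, and the server's reply to an unauthenticated request distinguishes the two. A browser credential dialog (the "NT login form") is triggered by a 401 carrying a WWW-Authenticate header, while ASP.NET Forms authentication answers with a 302 redirect to its login page. The sample responses and the login.aspx name below are constructed for illustration.

```python
# Added example: classify a server's reply to an unauthenticated request.
# All sample responses are constructed; login.aspx is a placeholder name.

def parse_head(raw):
    """Return (status_code, [(lowercased_name, value), ...]) from a raw response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def classify(raw):
    """Say which layer is asking for credentials.

    ("http-auth", schemes)       401 + WWW-Authenticate: the browser shows its
                                 own credential dialog (the "NT login form").
    ("denied-no-challenge", [])  401 with no challenge header: no dialog.
    ("forms-redirect", location) 302 to a URL carrying ReturnUrl=, the way
                                 ASP.NET Forms authentication reaches its login page.
    ("anonymous-ok", None)       200: content served without credentials.
    ("other", status)            anything else.
    """
    status, headers = parse_head(raw)
    if status == 401:
        schemes = [v.split()[0].lower() for n, v in headers
                   if n == "www-authenticate" and v]
        return ("http-auth", schemes) if schemes else ("denied-no-challenge", [])
    if status == 302:
        location = next((v for n, v in headers if n == "location"), "")
        if "returnurl=" in location.lower():
            return ("forms-redirect", location)
    if status == 200:
        return ("anonymous-ok", None)
    return ("other", status)


# Constructed sample response heads.
NT_PROMPT = ("HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/5.0\r\n"
             "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
BASIC_PROMPT = ('HTTP/1.1 401 Access Denied\r\n'
                'WWW-Authenticate: Basic realm="WebServer"\r\n\r\n')
FORMS_LOGIN = ("HTTP/1.1 302 Found\r\n"
               "Location: /login.aspx?ReturnUrl=%2fdefault.aspx\r\n\r\n")
PUBLIC_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("NT prompt", NT_PROMPT), ("Basic prompt", BASIC_PROMPT),
                      ("Forms login", FORMS_LOGIN), ("Public page", PUBLIC_PAGE)]:
        print(name, "->", classify(raw))
```

A result of "http-auth" for the public pages points at the site's IIS authentication settings or the directory ACLs rather than at the Forms section of web.config.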

