IUSR problem

We are using a Win 2003 server, running IIS 6.0. We have company blogs on this server, using Moveable Type. We are trying to restrict access to some of our Blogs by password-protecting them at the server level. However, we have found if we take the IUSR_Webservices user off the list, the Blogs do not function properly (cannot rebuild them, registered users cannot post comments.) If we leave it in, anyone can see these blogs. I'm not getting any help from Moveable Type, and we don't have anyone in house that seems to know anything about Windows servers. Can anyone give me any help or suggestions?

Thanks,
Linda Snyder

----------

Your question really has nothing to do with IIS or Windows Server and everything to do with your Moveable Type software package.

You really need to get support from Moveable Type - if they are not supporting you, then you either need to:
1. Change to run software that is supported
2. Learn yourself how to support software you use
3. Obtain support for software you use from others, either for-fee or for-free

My guess is that Moveable Type has its own customized username/password authentication (AuthN)/authorization (AuthZ) system on TOP of IIS, so you MUST configure IIS to allow anonymous access so that Moveable Type can enforce its own custom AuthN/AuthZ layer on top of IIS.

If this is the case, then there is very little you can do from the IIS perspective. Moveable Type is literally disabling IIS AuthN/AuthZ and implementing its own AuthN/AuthZ system for those requests, so the functionality you want *MUST* come from Moveable Type.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Linda" <lsny***@newszap.com> wrote in message news:1144698108.052870.151880@e56g2000cwe.googlegroups.com...
> We are using a Win 2003 server, running IIS 6.0. We have company blogs
> on this server, using Moveable Type. We are trying to restrict access
> to some of our Blogs by password-protecting them at the server level.
> However, we have found if we take the IUSR_Webservices user off the
> list, the Blogs do not function properly (cannot rebuild them,
> registered users cannot post comments.) If we leave it in, anyone can
> see these blogs. I'm not getting any help from Moveable Type, and we
> don't have anyone in house that seems to know anything about Windows
> servers. Can anyone give me any help or suggestions?
>
> Thanks,
> Linda Snyder
>

----------

There is no authentication system for Moveable Type as far as I know, at least to be a general user. If you are a Blog administrator you have to log into the MT system in order to place new entries on your Blog, but that's a different set-up. When we were using the older version of Moveable Type on our older server we didn't have this problem. We had the Blogs set up so you had to use your network name and password to get into private blogs. But since then we have upgraded everything: MT software, server, Windows OS, IIS and firewall. MT is telling us it's a server issue and they don't offer any support for that; you are suggesting it's an MT issue and to get support from them. Unfortunately I don't know of anyone who knows anything about how they work together.

Thanks for your help, I guess I'll keep looking...

----------

The only piece of information you need to get from Moveable Type is: "Is the version of Moveable Type you are using supported on Windows Server 2003/IIS6." It tells you whether Moveable Type is legitimate and whether they support the two working together.

- If it is supported, then Moveable Type is responsible to tell you how to configure things from start to finish, not merely tell you that you have a "server issue". Start from a default Windows Server 2003 - they must be able to tell you how to get that combination working.
- If it is not supported, then you are effectively on your own and rely on others for assistance. This is poor Moveable Type customer experience.

I can only offer you my views and advice based on your statement that "things break when you remove IUSR" because IUSR is only used for anonymous authentication by IIS.

If you were successfully using network name/password on the older server (I presume these names are real Windows NT user names and not some custom Identity system's name), then to have private blogs, either:
1. Moveable Type has its own AuthN/AuthZ system -- in which case the issue is with Moveable Type
2. Moveable Type uses Windows AuthN/AuthZ system -- in which case it should not break by removing IUSR

Because you say:
> If you are a Blog administrator you have to log
> into the MT system in order to place new entries
> on your Blog, but that's a different set-up.
AND
> There is no authentication system for
> Moveable Type as far as I know,
> at least to be a general user.

I am pretty certain Moveable Type has its own AuthN/AuthZ system - they are like Community Server or any other blog web application.

Here's the check: when you login to the MT system, do you type username/password into a web page displayed by the web browser or into a plain popup Windows dialog box? If it is a web page, then MT uses custom AuthN/AuthZ and it makes sense to me that disabling IUSR fails.

In any case, this is really an issue between you and Moveable Type no matter how one looks at it. Only they know what their application's requirements are. In general, if you want to use Moveable Type, you need to either:
1. get them to support you
2. be able to support yourself
3. move to another system that is supported

Now, the issue may come down to some system change on Windows Server 2003, but if Moveable Type says they support Windows Server 2003, then Moveable Type is responsible for determining that, not you or anyone else... because that is the meaning of "support".

Sorry for sounding harsh; it is not my intent. I am only spelling out the realities because you feel like you are being bounced around and no one is taking responsibility. I am telling you who is responsible for what.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Linda" <lsny***@newszap.com> wrote in message news:1144930712.654775.28810@e56g2000cwe.googlegroups.com...
> There is no authentication system for Moveable Type as far as I know,
> at least to be a general user. If you are a Blog administrator you have
> to log into the MT system in order to place new entries on your Blog,
> but that's a different set-up. When we were using the older version of
> Moveable Type on our older server we didn't have this problem. We had
> the Blogs set up so you had to use your network name and password to
> get into private blogs. But since then we have upgraded everything: MT
> software, server, Windows OS, IIS and firewall. MT is telling us it's a
> server issue and they don't offer any support for that; you are
> suggesting it's an MT issue and to get support from them. Unfortunately
> I don't know of anyone who knows anything about how they work together.
>
> Thanks for your help, I guess I'll keep looking...
>

----------

Thank you for your help with this. You are right, I am being bounced around. Moveable Type is supposed to work in the Windows 2003 environment, but they take no responsibility in helping you set up your server, and that is clearly stated in the documentation when you purchase the software. Our server techs are baffled, but we really don't have anybody who knows much about Windows servers (so why we even have one is beyond me). Anyway, I'll lean on MT a little more and see if I can get some kind of advice from them.
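
The check David describes in the thread (login typed into a web page versus a popup dialog) can also be read directly from the HTTP response. The following is an added example, not part of the thread or of any product's code; the function name and the sample responses are constructed for illustration.

```python
import re

# Matches an HTML password field, i.e. a login form rendered by the application.
PASSWORD_FIELD = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password", re.I)

def classify_auth(raw_response):
    """Return (kind, schemes) for one raw HTTP response.

    kind is 'server-http-auth' when the web server itself challenges (the
    browser shows a popup dialog), 'app-form-login' when an anonymously
    served page carries a password form, 'anonymous-open' for a plain 200
    page, and 'other' for anything else (follow redirects, then re-check).
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    schemes = []
    for line in header_text.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])  # e.g. Negotiate, NTLM, Basic
    if status == 401 and schemes:
        return "server-http-auth", schemes
    if status == 200 and PASSWORD_FIELD.search(body):
        return "app-form-login", schemes
    if status == 200:
        return "anonymous-open", schemes
    return "other", schemes

# Constructed sample responses (not captured from any real server).
CHALLENGE = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
             "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
             "Content-Length: 0\r\n\r\n")
FORM_LOGIN = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
              "Content-Type: text/html\r\n\r\n"
              "<form method='post'><input type='text' name='username'>"
              "<input type='password' name='password'></form>")
OPEN_PAGE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
             "Content-Type: text/html\r\n\r\n<html><h1>Team blog</h1></html>")

if __name__ == "__main__":
    for label, raw in [("challenge", CHALLENGE), ("form", FORM_LOGIN),
                       ("open", OPEN_PAGE)]:
        print(label, classify_auth(raw))
```

A 401 carrying Negotiate or NTLM means IIS is enforcing Windows accounts for that URL; a 200 with a password form means the request was served to the anonymous account and the application performs its own login.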