|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Help with password promptOur website runs on a Windows 2003 server using IIS. Anonymous access is
enabled on the default website with a domain user account that has administrative rights to the server. Integrated Windows Authentication is also checked. Users on our LAN connect to the website on the server with no problem (meaning, they are not prompted for a username & password). However, if you try to access the same website from a Terminal Server, you get prompted to enter a username and password. Can anyone suggest ways that authentication is either not required at all, or at least invisible to the user? This web server is only used internally, so we don't need super high security. Thanks, Jason Hi Jason,
If you want anonymous connection to work, make sure that user account that is assigned for anonymous access has read permissions on the web content to the site. It looks like right now the anonymous account does not have NTFS permissions... IIS will always honor the NTFS permissions... Also -- you should not grant administrator permissions to anonymous account. It can be very dangerous for security of your server... -- Show quoteHide quoteMike Microsoft MVP - Windows Security "Jason" <Ja***@discussions.microsoft.com> wrote in message news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com... > Our website runs on a Windows 2003 server using IIS. Anonymous access is > enabled on the default website with a domain user account that has > administrative rights to the server. Integrated Windows Authentication is > also checked. > > Users on our LAN connect to the website on the server with no problem > (meaning, they are not prompted for a username & password). > > However, if you try to access the same website from a Terminal Server, you > get prompted to enter a username and password. > > Can anyone suggest ways that authentication is either not required at all, > or at least invisible to the user? This web server is only used > internally, > so we don't need super high security. > > Thanks, > > Jason Thanks Mike, but since the anonymous account has administrator permissions
not only to the website, but the server itself, I would not think that the problem is a permissions issue? At least as far as the Anonymous Account is concerned? Show quoteHide quote "Miha Pihler [MVP]" wrote: > Hi Jason, > > If you want anonymous connection to work, make sure that user account that > is assigned for anonymous access has read permissions on the web content to > the site. It looks like right now the anonymous account does not have NTFS > permissions... > > IIS will always honor the NTFS permissions... > > Also -- you should not grant administrator permissions to anonymous account. > It can be very dangerous for security of your server... > > -- > Mike > Microsoft MVP - Windows Security > > "Jason" <Ja***@discussions.microsoft.com> wrote in message > news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com... > > Our website runs on a Windows 2003 server using IIS. Anonymous access is > > enabled on the default website with a domain user account that has > > administrative rights to the server. Integrated Windows Authentication is > > also checked. > > > > Users on our LAN connect to the website on the server with no problem > > (meaning, they are not prompted for a username & password). > > > > However, if you try to access the same website from a Terminal Server, you > > get prompted to enter a username and password. > > > > Can anyone suggest ways that authentication is either not required at all, > > or at least invisible to the user? This web server is only used > > internally, > > so we don't need super high security. > > > > Thanks, > > > > Jason > > > Hi,
I don't know how permissions are set on the folder where your web content is stored. My advice is to first check that this user has permissions (at least read) on the folder where the web content is. You can lock out even administrator from the folder - the only difference is that administrator (or member of administrators group) can take ownership and with it permissions to the folder. -- Show quoteHide quoteMike Microsoft MVP - Windows Security "Jason" <Ja***@discussions.microsoft.com> wrote in message news:452C9436-A0CE-4C9A-B098-311B31DE3E5C@microsoft.com... > Thanks Mike, but since the anonymous account has administrator permissions > not only to the website, but the server itself, I would not think that the > problem is a permissions issue? At least as far as the Anonymous Account > is > concerned? > > "Miha Pihler [MVP]" wrote: > >> Hi Jason, >> >> If you want anonymous connection to work, make sure that user account >> that >> is assigned for anonymous access has read permissions on the web content >> to >> the site. It looks like right now the anonymous account does not have >> NTFS >> permissions... >> >> IIS will always honor the NTFS permissions... >> >> Also -- you should not grant administrator permissions to anonymous >> account. >> It can be very dangerous for security of your server... >> >> -- >> Mike >> Microsoft MVP - Windows Security >> >> "Jason" <Ja***@discussions.microsoft.com> wrote in message >> news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com... >> > Our website runs on a Windows 2003 server using IIS. Anonymous access >> > is >> > enabled on the default website with a domain user account that has >> > administrative rights to the server. Integrated Windows Authentication >> > is >> > also checked. >> > >> > Users on our LAN connect to the website on the server with no problem >> > (meaning, they are not prompted for a username & password). >> > >> > However, if you try to access the same website from a Terminal Server, >> > you >> > get prompted to enter a username and password. >> > >> > Can anyone suggest ways that authentication is either not required at >> > all, >> > or at least invisible to the user? This web server is only used >> > internally, >> > so we don't need super high security. >> > >> > Thanks, >> > >> > Jason >> >> >> The user has full control permissions on the web content folders, plus admin
rights on the machine. Show quoteHide quote "Miha Pihler [MVP]" wrote: > Hi, > > I don't know how permissions are set on the folder where your web content is > stored. My advice is to first check that this user has permissions (at least > read) on the folder where the web content is. > > You can lock out even administrator from the folder - the only difference is > that administrator (or member of administrators group) can take ownership > and with it permissions to the folder. > > -- > Mike > Microsoft MVP - Windows Security > > "Jason" <Ja***@discussions.microsoft.com> wrote in message > news:452C9436-A0CE-4C9A-B098-311B31DE3E5C@microsoft.com... > > Thanks Mike, but since the anonymous account has administrator permissions > > not only to the website, but the server itself, I would not think that the > > problem is a permissions issue? At least as far as the Anonymous Account > > is > > concerned? > > > > "Miha Pihler [MVP]" wrote: > > > >> Hi Jason, > >> > >> If you want anonymous connection to work, make sure that user account > >> that > >> is assigned for anonymous access has read permissions on the web content > >> to > >> the site. It looks like right now the anonymous account does not have > >> NTFS > >> permissions... > >> > >> IIS will always honor the NTFS permissions... > >> > >> Also -- you should not grant administrator permissions to anonymous > >> account. > >> It can be very dangerous for security of your server... > >> > >> -- > >> Mike > >> Microsoft MVP - Windows Security > >> > >> "Jason" <Ja***@discussions.microsoft.com> wrote in message > >> news:75BCE773-4AA6-4D6C-BD4C-791CD7F91D20@microsoft.com... > >> > Our website runs on a Windows 2003 server using IIS. Anonymous access > >> > is > >> > enabled on the default website with a domain user account that has > >> > administrative rights to the server. Integrated Windows Authentication > >> > is > >> > also checked. > >> > > >> > Users on our LAN connect to the website on the server with no problem > >> > (meaning, they are not prompted for a username & password). > >> > > >> > However, if you try to access the same website from a Terminal Server, > >> > you > >> > get prompted to enter a username and password. > >> > > >> > Can anyone suggest ways that authentication is either not required at > >> > all, > >> > or at least invisible to the user? This web server is only used > >> > internally, > >> > so we don't need super high security. > >> > > >> > Thanks, > >> > > >> > Jason > >> > >> > >> > > > Hi Jason,
If the server has been applied with SP1, the familiar cause is the new loopback check security feature. Please take a look at the following article: 896861 You receive error 401.1 when you browse a Web site that uses Integrated http://support.microsoft.com/?id=896861 Another possible cause is there are 3 group policy permissions may be missed by the IIS anonymous - IUSR account. You should check them in the server's local security policy and your domain security policy on DC: - Access this computer from the network - Log on locally - Log on as a batch job Refer to: 275167 PRB: Anonymous access fails with an HTTP 401.1 error after you join an http://support.microsoft.com/?id=275167 Please let me know how the thing is going. Thanks. Best regards, WenJun Zhang Microsoft Online Partner Support This posting is provided "AS IS" with no warranties, and confers no rights. Hi Jason,
I haven't heard back from you yet. I am just writing to see how everything is going. I would appreciate if you could get back to me at your earliest convenience. If you have any questions or concerns related to this issue, please drop me a note. I appreciate your time and I look forward to hearing from you. Best regards, WenJun Zhang Microsoft Online Partner Support When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== Business-Critical Phone Support (BCPS) provides you with technical phone support at no charge during critical LAN outages or "business down" situations. This benefit is available 24 hours a day, 7 days a week to all Microsoft technology partners in the United States and Canada. This and other support options are available here: BCPS: https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469 Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/ If you are outside the United States, please visit our International Support page: http://support.microsoft.com/common/international.aspx ====================================================== This posting is provided "AS IS" with no warranties, and confers no rights. 
Other interesting topics
Private & Public Key storage location
HOW TO IIS -Security Security in SMTP Virtual Server Application Pool domain credentials Access problems on "Windows Server 2003 Web Edition". using IIS 6.0 IP Address and Domain Name Restrictions button greyed out - Help ! SSL problem ASP error script and trojan IIS HTTPS + Windows XP How can digitally signed executable be "secure" ? |
|||||||||||||||||||||||
