Solved

iis 5 and asp & other file extension permissions not working - need help

Posted on 2003-11-08
Last Modified: 2011-09-20
ok this has been annoying me for sometime and i finally need it to work right. so here i am.

here are the specs.

isa server 2000 + sp1 + feature pack 1 with urlscan
iis 5 with iis lockdown and urlscan
.net framework 1.1

what i can't seem to do is configure the server to allow asp scripts. during the iislockdown installer wizard i allowed asp, in the urlscan i check to see if asp is allowed, it is. i even disabled urlscan on isa server. the .asp extension is mapped to C:\WINNT\system32\inetsrv\asp.dll

ntfs permissions allow anonymous users. iis allows anonymous users. html extensions work, but asp won't!
also since i reinstalled to try and start from scratch, i lost the file extensions that the .net framework installed, how can i get those back?

any ideas or links to a REALLY good site on how to configure urlscan. like maybe an entire book. lol
0
Comment
Question by:nonsence
37 Comments
 
LVL 17

Expert Comment

by:Tacobell777
ID: 9706583
URLScan is quite easy to configure and all the info you need is in the ini file, just search for URLScan.ini

If I understand you correctly ASP won't allow anonymous access? Maybe you need to add the user IUSR_<machine name> to the .DLL ? Or somewhere it is missing, I am no ASP expert, never installed it so can't say for sure.

Adding a file extension to IIS is easy, right click the web server -> properties -> and I believe it's under home directory -> configuration
add another extension and point it to the right dll..

That should do it, or I am way off and finally need to catch some shuteye...
0
 
LVL 3

Author Comment

by:nonsence
ID: 9708131
i already looked in the urlscan.ini file. but it still won't work, even after i setup allow permissions for .asp

and the extension in iis goes to asp.dll

as for permissions, i gave everyone full ntfs access and still it didn't work.

i tried publishing iis through isa server. didn't work. now i'm running it locally on a virtual network driver with 192.168.0.1 as the ip address. so it's only accessible by me unless i publish it through isa server or tell iis to listen on all ports.

but it still won't work. html and other static files seem to work fine
0
 
LVL 7

Expert Comment

by:franka
ID: 9715692
do you use files like global.asa? Did you set rights for the IWAM_ account on those files and folders?
What is the error message?
0
 
LVL 3

Author Comment

by:nonsence
ID: 9719466
it only works when i set the Application Protection to LOW. otherwise when it's set to Medium it doesn't work and i get an error msg in the Event Logs.

The server failed to load application '/LM/W3SVC/1/ROOT/SUSAdmin'.  The error was 'Server execution failed
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.

that's what i get when i try to access the Software Update Services I installed a few days ago. damn thing doesn't work. and since the admin console is an asp script i can't get access to it. and same thing goes for all other .asp files

i read a bit about it and it seems it has something to do about COM permissions, and the GUID 3D14228D-FBE1-11D0-995D-00C04FD919C1 that i get in the event logs. but i don't understand how to fix it.
0
 
LVL 7

Expert Comment

by:franka
ID: 9719568
you add dcom permissions with the tool dcomcnfg.exe

try to find the guid there or a step before in the registry. then add IWAM_ User to the access and start permissions.

0
 
LVL 7

Expert Comment

by:franka
ID: 9719586
if you have a single and clean server for SUS, and you don't want to play with dcom permissions, you can also uninstall SUS and IIS, delete the iwam/iusr accounts and reinstall IIS and SUS.
0
 
LVL 3

Author Comment

by:nonsence
ID: 9719917
it's not a clean install. that's why i know i gotta get down and dirty with the settings for dcomcnfg.exe but i've used it before just a bit and i don't know exactly what i need to do.
from what i know i did allow the IWAM_ user account Default launch permissions. and it's also allowed default configuration permissions. under default access permissions, i have no accounts there.
what about COM Internet Services on the computer? should that be enabled?
0
 
LVL 7

Expert Comment

by:franka
ID: 9721264
what do you mean with enabling COM Services? COM is always enabled...
0
 
LVL 17

Expert Comment

by:Tacobell777
ID: 9721368
Forget about the IWAM_ user account you need IUSR_<machine name>
0
 
LVL 7

Expert Comment

by:franka
ID: 9721500
Tacobell777:
not correct. IWAM is the process owner of medium and high/isolated sites (dllhost.exe). IWAM needs to launch the objects.
0
 
LVL 3

Author Comment

by:nonsence
ID: 9721517
the IUSR_<machine name> is also in the list of allowed accounts.
by COM Services i mean; when clicking the Default Properties tab, there are two check boxes on the top of the window that can be enabled. one is "Enable Distributed COM on this computer" and the other is "Enable COM Internet Services on this computer". and the only one i have enabled is "Enable Distributed COM on this computer".

also, should the dllhost.exe on my computer have acl permissions to allow anonymous users to read and execute it? such as the IWAM and IUSR accounts?
0
 
LVL 7

Expert Comment

by:franka
ID: 9721534
leave Enable Distributed COM on this computer settings default!

you also don't need to change any permission on the dllhost.exe
0
 
LVL 3

Author Comment

by:nonsence
ID: 9721616
ok i did that. but still asp isn't working.

only works when protection is set to LOW. and even with LOW susadmin doesn't load either.
0
 
LVL 7

Expert Comment

by:franka
ID: 9721628
after editing dcomcnfg, did you reboot?

what is the security log telling you? further error msgs?
0
 
LVL 3

Author Comment

by:nonsence
ID: 9721728
what do you mean edit dcomcnfg? so far all i did was add the IWAM account to the default launch permissions. what else should i be editing?
0
 
LVL 3

Author Comment

by:nonsence
ID: 9721741
oh and the event log still says same old stuff. when i try to access asp pages:

EVENT ID:36 SOURCE: W3SVC

The server failed to load application '/LM/W3SVC/1/Root'.  The error was 'Server execution failed
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

and

EVENT ID: 10010 SOURCE: DCOM

The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.
0
 
LVL 7

Expert Comment

by:franka
ID: 9721779
after changing permissions with dcomcnfg especially the default permission, you need to reboot the server.

regarding ID 10010 I found another hint that may help but in many cases I knew not :-))

CAUSE
The NT AUTHORITY\Authenticated Users or NT AUTHORITY\INTERACTIVE entries have been removed from the Users group.

RESOLUTION
Add these users back to the Users group, and then restart Internet Information Services (IIS):


0
 
LVL 3

Author Comment

by:nonsence
ID: 9721806
hmmm. you might be right about the Users group thing.
NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\INTERACTIVE (S-1-5-4)

from what i know, anytime there are those (s-numbers), in brackets instead of a user account it means that the sid for the user account is messed up or there is no user account that the permission is supposed to link to.

umm, should i be removing the permissions and then add them again?
0
 
LVL 7

Expert Comment

by:franka
ID: 9721841
if the sid 2 name resolution needs some secs, that may be caused by another domain user, but if it doesn't work at all you should fix it of course
0
 
LVL 3

Author Comment

by:nonsence
ID: 9729895
it's still not working. and the s-5-11 numbers are still behind the authenticated users and interactive users accounts even after i remove them and add them to the permissions again.

is there something i'm missing here? any more info that i can give?
0
 
LVL 7

Expert Comment

by:franka
ID: 9731158
i'm still waiting for some eventlog msgs from the security part, where IWAM and IUSR are logged on the server!
BTW, is the server a domain controller?
Have you ever deleted IWAM user and recreated it?

If IIS can logon IWAM, see this:

http://support.microsoft.com/?kbid=297989

And it helps in 99%...
0
 
LVL 3

Author Comment

by:nonsence
ID: 9731233
the IUSR and IWAM accounts both pass as Success Audit in the security logs when i access the web server. as for deleting them, no i haven't ever. unless uninstalling and reinstalling iis counts.
the computer isn't a domain controller. but i have dns installed and set to system.com. but that's just for my own private use really. and even when i uninstalled dns i still got the same errors in iis.

the system log is where it's all at:

Warning      11/12/2003      4:04:41 AM      W3SVC      None      36      N/A      PDC
The server failed to load application '/LM/W3SVC/1/Root'.  The error was 'Server execution failed
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.


Error      11/12/2003      4:04:41 AM      DCOM      None      10010      SYSTEM      PDC
The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.

that's basically all i know. as for ntfs permissions. it doesn't seem like it even matters. i allow everyone full permissions and it doesn't work. in iis i've done just about everything i could to give everyone full access to everything in hopes that it would work and then i could just secure it from there, but still nothing.
0
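Added example, not part of the thread: a small parser that reads a System log export in the layout quoted in the post above and pairs each W3SVC event 36 with the DCOM event 10010 logged at the same moment, so the failing application path and the COM server's CLSID appear as one finding. The function names, the 30-second window and the US month/day date order are assumptions, and the third sample record is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the System log lines quoted in the post
# (the third record is invented to show an unrelated event being ignored).
SAMPLE = """\
Warning      11/12/2003      4:04:41 AM      W3SVC      None      36      N/A      PDC
The server failed to load application '/LM/W3SVC/1/Root'.  The error was 'Server execution failed
'.

Error      11/12/2003      4:04:41 AM      DCOM      None      10010      SYSTEM      PDC
The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.

Information      11/12/2003      4:10:02 AM      EventLog      None      6005      N/A      PDC
The Event log service was started.
"""

TYPES = {"Information", "Warning", "Error"}
APP_RE = re.compile(r"failed to load application '([^']+)'")
CLSID_RE = re.compile(r"The server (\{[0-9A-Fa-f-]{36}\}) did not register with DCOM")

def parse_records(text):
    """Split an export into records; message lines attach to the last header."""
    records = []
    for line in text.splitlines():
        cols = re.split(r"\t+|\s{2,}", line.strip())
        if len(cols) == 8 and cols[0] in TYPES and cols[5].isdigit():
            # Assumption: dates are month/day/year, as in a US-locale export.
            when = datetime.strptime(cols[1] + " " + cols[2], "%m/%d/%Y %I:%M:%S %p")
            records.append({"time": when, "source": cols[3], "id": int(cols[5]),
                            "computer": cols[7], "message": ""})
        elif records and line.strip():
            records[-1]["message"] += line.strip() + " "
    return records

def correlate(records, window=timedelta(seconds=30)):
    """Pair each W3SVC 36 with DCOM 10010 events on the same host inside the window."""
    findings = []
    for r in records:
        if (r["source"], r["id"]) != ("W3SVC", 36):
            continue
        near = [d for d in records if (d["source"], d["id"]) == ("DCOM", 10010)
                and d["computer"] == r["computer"]
                and abs(d["time"] - r["time"]) <= window]
        app = APP_RE.search(r["message"])
        clsids = sorted(set(CLSID_RE.findall(" ".join(d["message"] for d in near))))
        findings.append({"time": r["time"], "clsids": clsids,
                         "application": app.group(1) if app else None})
    return findings
```

The CLSID in each finding is the value to look for in dcomcnfg or the registry, as suggested earlier in the thread.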
 
LVL 7

Expert Comment

by:franka
ID: 9731264
anyway: can you please do the synciwam described in the kb article before, because IIS needs to pass credentials to COM+ too!

if some errors occur:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q269/3/67.asp

0
 
LVL 7

Expert Comment

by:franka
ID: 9749553
no updates?
0
 
LVL 3

Author Comment

by:nonsence
ID: 9751567
i haven't tried the information in the kb article though, but i have read it. but i don't think it would apply to me since i haven't changed the password on the IWAM account. but i did change the password on the IUSR account. so then, wouldn't it sync the passwords from the sam to iis to com+ afterwards? and if not, then how do i fix that. i already did it in iis. but this com+ thing i've only heard of, still don't know anything about it really...
0
 
LVL 7

Expert Comment

by:franka
ID: 9751590
try it!
com+ is nothing else than DCOM and the error msgs point to it.
0
 
LVL 3

Author Comment

by:nonsence
ID: 9751720
ok i did what the article says. but i still get the same event viewer errors and the same 500 internal server error from iis.
0
 
LVL 7

Expert Comment

by:franka
ID: 9754064
btw.: what does the IIS log tell you about the HTTP error 500 (asp error in a certain asp file and line)?

have you ever tried the tools from www.sysinternals.com for examining file and registry access / failures? (filemon/regmon)

0
 
LVL 7

Accepted Solution

by:
franka earned 125 total points
ID: 9754105
hey this one sounds very professional:

http://www.jsifaq.com/SUBL/tip5600/rh5652.htm

start with point 3! and putting IWAM in admin group, I would bet, it will work after that.
0
 
LVL 7

Expert Comment

by:franka
ID: 9754156
did I also mention to check IWAM, IUSR, and other groups that may access the site or System having the privilege "Bypass Traverse Checking"?
It's in the local security policies.
0
 
LVL 3

Author Comment

by:nonsence
ID: 9767427
well i've been progressing through some of the steps you linked me to in those articles. the one that works for sure is making the iwam account part of the administrators group. nothing else works 100%
i deleted the components in the Component Services mmc and did the command line scripts to rebuild them with iis. that didn't work either. now i'm reading through the ntfs permissions needed for iis 5. still not working yet. so from all the evidence it's definitely a problem with the iwam account permissions. but what, i haven't been able to find out yet.
0
 
LVL 7

Expert Comment

by:franka
ID: 9767468
try to put IWAM in the user or power user group (needs iisreset)

the rest the sysinternal tools like filemon and regmon will tell you.

dcom permissions are clean now?
0
 
LVL 3

Author Comment

by:nonsence
ID: 9767611
i guess dcom are clean. there seem to be missing links to user account in some of my local security policy settings.

deny local logon, and logon as a batch file

but i don't know what accounts it's supposed to be linked to. both the iusr and iwam accounts are in the, logon as a batch file permissions though.

and my Users Group, shows:
NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\INTERACTIVE (S-1-5-4)

what's up with the numbers behind the accounts? cus i think they are causing some sort of problem....
0
 
LVL 3

Author Comment

by:nonsence
ID: 9780961
ok well, i'm still trying to fix the problem. but i gave you the points anyways cus you helped a lot, and i've been slowly progressing through this annoying thing.
if you got more links please share :-)
thanks for the help. it has so far gone a long way
0
 

Expert Comment

by:zcg
ID: 9919006
Hi,
I recently encountered same problem, and this is my solution
open component service in administrative tools
computers/COM+ Application/IIS Out-of-process Pooled Applications

then properties tab Identity and radio "Interactive user - the current logged on user"

hmm maybe is just fine to fill right user below IWAM<comp name> + correct password, but I lost a day finding solution and I'm satisfied with Inter. User.
hope this helps.
0
 
LVL 7

Expert Comment

by:franka
ID: 9919479
this is no good idea:  "Interactive user - the current logged on user" !!!

Servers don't have always logged on users!

and "fill right user below IWAM" is that what synciwam.vbs does....
0
 

Expert Comment

by:zcg
ID: 9942333
well, I have made some progress on this

following permissions need to be set

winnt\system32\mmdrv.dll  - RX for USERS ( maybe just my dll needs this)
winnt\system32\  - entire directory RX for "iwam"
winnt\TEMP RX for iwam (helps but not necessary)

just check this

if this still doesn't work try to turn up all fail audit in audit policy + turn audit on disk, may help tracking.

about logged on users - this means user logged on service or user logged on desktop ?



0
