Solved

IIS 401.3 errors.

Posted on 2003-11-10
10
862 Views
Last Modified: 2012-08-14
We have a Windows 2000 server running a website within IIS on an internal network.

Security is setup within IIS as follows:

IIS is configured to block all requests from addresses unless the address is in the IP access list.
Anon access is enabled.
Intergrated Windows Authentication is also checked.
Site permissions are set to read and execute scripts.

NTFS Permissions are as follows:

Domain Admins - full access on all files and folders from the root down.
IIS IUSR ID - full access on all files and folders from the root down.
IIS IWAM ID - full access on all files and folders from the root down.
Domain users - Read & execute on all files and folders from the root down.

Scenario:

User accesses the site - able to display HTML pages in the root directory but receives a 401.3 error when accessing ASP scripts in subdirectories of the root. If an ASP script is copied up into the root, the user also receives a 403.1.

Domain Admin accesses the site - able to access HTML pages and run ASP scripts as normal.
If Intergrated Windows Authentication is unchecked the Domain Admin also receives a 401.3 error.

Anyone have a clue how to resolve this ?

From what I can see 401.3 indicates an ACL problem at the NTFS level, we have reset all rights on files and subdirectories numerous times, and granted full access to test with no joy.
0
Comment
Question by:Zenistar
10 Comments
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715361
Enable the execute permission on the folders.
0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715443
I'm sorry.  I didnt read fully.

Try this:


 Under your webpages properties in IIS, where you enable anonymous access, ensure that IUSR_yourcomputername is the username and allow IIS to control password.

 set execute permissions to scripts only under the home directory tab

  Ensure that the subfolders inherit permissions

  Allow the system user full access

0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715503
Something else to consider:

  Do you use the <!-- #include --!> command or a database?  If you do, you may not have set permissions for the database, the included file, or the appropriate directories.

  You may want to check your logs.  Make sure that IUSR is trying to access the files and make sure that the correct files are causing the 401.3 error.  It's an easy error to fix when you find it :)
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 11

Expert Comment

by:adonis1976
ID: 9715590
0
 
LVL 7

Expert Comment

by:franka
ID: 9715598
- try NTFS auditing the folder. see if it's a single .asp file or global.asa....
- have you ever played with the system privilege "traverse folders"?
0
 
LVL 7

Expert Comment

by:franka
ID: 9715633
2nd idea:

"Anon access is enabled.
Intergrated Windows Authentication is also checked."

this means, IIS tries to log on the Domain User first and if not possible uses the anon IUSR.
Browsing as admin means, you will probably access the files as admin.

PLease activate and check the security log of your event viewer for log on problems
0
 
LVL 7

Expert Comment

by:franka
ID: 9715655
and 3rd:

small correction: with " privilege "traverse folders" I meant  Lsecpol "Bypass Transverse Checking".
If you remove the guest group, you need to add at least "list folder right" to every directory above your web root.
0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 500 total points
ID: 9757998
It could be permissions on a file in inetsrv, like asp.dll.  The easiest way to find out is to run the filemon utility while reproducing the problem.  This will log all access to all files and whether or not an access denied was issued.  Oh, filemon can be downloaded here:

http://sysinternals.com/ntw2k/source/filemon.shtml
0
 
LVL 1

Author Comment

by:Zenistar
ID: 9762935
Filemon pointed us in the right direction thanks.
0
 
LVL 2

Expert Comment

by:zerium
ID: 10105459
c'mon post your answer, I just ran into this problem (a 401.3 error) and it was simply that I needed to have "Everyone" as the access on security settings was limited to my personal logon and admin's weird thing was that IE could access the file but mozilla couldn't...
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question