Solved

IIS 401.3 errors.

Posted on 2003-11-10
10
860 Views
Last Modified: 2012-08-14
We have a Windows 2000 server running a website within IIS on an internal network.

Security is setup within IIS as follows:

IIS is configured to block all requests from addresses unless the address is in the IP access list.
Anon access is enabled.
Intergrated Windows Authentication is also checked.
Site permissions are set to read and execute scripts.

NTFS Permissions are as follows:

Domain Admins - full access on all files and folders from the root down.
IIS IUSR ID - full access on all files and folders from the root down.
IIS IWAM ID - full access on all files and folders from the root down.
Domain users - Read & execute on all files and folders from the root down.

Scenario:

User accesses the site - able to display HTML pages in the root directory but receives a 401.3 error when accessing ASP scripts in subdirectories of the root. If an ASP script is copied up into the root, the user also receives a 403.1.

Domain Admin accesses the site - able to access HTML pages and run ASP scripts as normal.
If Intergrated Windows Authentication is unchecked the Domain Admin also receives a 401.3 error.

Anyone have a clue how to resolve this ?

From what I can see 401.3 indicates an ACL problem at the NTFS level, we have reset all rights on files and subdirectories numerous times, and granted full access to test with no joy.
0
Comment
Question by:Zenistar
10 Comments
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715361
Enable the execute permission on the folders.
0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715443
I'm sorry.  I didnt read fully.

Try this:


 Under your webpages properties in IIS, where you enable anonymous access, ensure that IUSR_yourcomputername is the username and allow IIS to control password.

 set execute permissions to scripts only under the home directory tab

  Ensure that the subfolders inherit permissions

  Allow the system user full access

0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715503
Something else to consider:

  Do you use the <!-- #include --!> command or a database?  If you do, you may not have set permissions for the database, the included file, or the appropriate directories.

  You may want to check your logs.  Make sure that IUSR is trying to access the files and make sure that the correct files are causing the 401.3 error.  It's an easy error to fix when you find it :)
0
 
LVL 11

Expert Comment

by:adonis1976
ID: 9715590
0
 
LVL 7

Expert Comment

by:franka
ID: 9715598
- try NTFS auditing the folder. see if it's a single .asp file or global.asa....
- have you ever played with the system privilege "traverse folders"?
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 7

Expert Comment

by:franka
ID: 9715633
2nd idea:

"Anon access is enabled.
Intergrated Windows Authentication is also checked."

this means, IIS tries to log on the Domain User first and if not possible uses the anon IUSR.
Browsing as admin means, you will probably access the files as admin.

PLease activate and check the security log of your event viewer for log on problems
0
 
LVL 7

Expert Comment

by:franka
ID: 9715655
and 3rd:

small correction: with " privilege "traverse folders" I meant  Lsecpol "Bypass Transverse Checking".
If you remove the guest group, you need to add at least "list folder right" to every directory above your web root.
0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 500 total points
ID: 9757998
It could be permissions on a file in inetsrv, like asp.dll.  The easiest way to find out is to run the filemon utility while reproducing the problem.  This will log all access to all files and whether or not an access denied was issued.  Oh, filemon can be downloaded here:

http://sysinternals.com/ntw2k/source/filemon.shtml
0
 
LVL 1

Author Comment

by:Zenistar
ID: 9762935
Filemon pointed us in the right direction thanks.
0
 
LVL 2

Expert Comment

by:zerium
ID: 10105459
c'mon post your answer, I just ran into this problem (a 401.3 error) and it was simply that I needed to have "Everyone" as the access on security settings was limited to my personal logon and admin's weird thing was that IE could access the file but mozilla couldn't...
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now