Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 870
  • Last Modified:

IIS 401.3 errors.

We have a Windows 2000 server running a website within IIS on an internal network.

Security is setup within IIS as follows:

IIS is configured to block all requests from addresses unless the address is in the IP access list.
Anon access is enabled.
Intergrated Windows Authentication is also checked.
Site permissions are set to read and execute scripts.

NTFS Permissions are as follows:

Domain Admins - full access on all files and folders from the root down.
IIS IUSR ID - full access on all files and folders from the root down.
IIS IWAM ID - full access on all files and folders from the root down.
Domain users - Read & execute on all files and folders from the root down.

Scenario:

User accesses the site - able to display HTML pages in the root directory but receives a 401.3 error when accessing ASP scripts in subdirectories of the root. If an ASP script is copied up into the root, the user also receives a 403.1.

Domain Admin accesses the site - able to access HTML pages and run ASP scripts as normal.
If Intergrated Windows Authentication is unchecked the Domain Admin also receives a 401.3 error.

Anyone have a clue how to resolve this ?

From what I can see 401.3 indicates an ACL problem at the NTFS level, we have reset all rights on files and subdirectories numerous times, and granted full access to test with no joy.
0
Zenistar
Asked:
Zenistar
1 Solution
 
tncbbthositgCommented:
Enable the execute permission on the folders.
0
 
tncbbthositgCommented:
I'm sorry.  I didnt read fully.

Try this:


 Under your webpages properties in IIS, where you enable anonymous access, ensure that IUSR_yourcomputername is the username and allow IIS to control password.

 set execute permissions to scripts only under the home directory tab

  Ensure that the subfolders inherit permissions

  Allow the system user full access

0
 
tncbbthositgCommented:
Something else to consider:

  Do you use the <!-- #include --!> command or a database?  If you do, you may not have set permissions for the database, the included file, or the appropriate directories.

  You may want to check your logs.  Make sure that IUSR is trying to access the files and make sure that the correct files are causing the 401.3 error.  It's an easy error to fix when you find it :)
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
frankaCommented:
- try NTFS auditing the folder. see if it's a single .asp file or global.asa....
- have you ever played with the system privilege "traverse folders"?
0
 
frankaCommented:
2nd idea:

"Anon access is enabled.
Intergrated Windows Authentication is also checked."

this means, IIS tries to log on the Domain User first and if not possible uses the anon IUSR.
Browsing as admin means, you will probably access the files as admin.

PLease activate and check the security log of your event viewer for log on problems
0
 
frankaCommented:
and 3rd:

small correction: with " privilege "traverse folders" I meant  Lsecpol "Bypass Transverse Checking".
If you remove the guest group, you need to add at least "list folder right" to every directory above your web root.
0
 
marc_nivensCommented:
It could be permissions on a file in inetsrv, like asp.dll.  The easiest way to find out is to run the filemon utility while reproducing the problem.  This will log all access to all files and whether or not an access denied was issued.  Oh, filemon can be downloaded here:

http://sysinternals.com/ntw2k/source/filemon.shtml
0
 
ZenistarAuthor Commented:
Filemon pointed us in the right direction thanks.
0
 
zeriumCommented:
c'mon post your answer, I just ran into this problem (a 401.3 error) and it was simply that I needed to have "Everyone" as the access on security settings was limited to my personal logon and admin's weird thing was that IE could access the file but mozilla couldn't...
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now