Solved

IIS 401.3 errors.

Posted on 2003-11-10
10
866 Views
Last Modified: 2012-08-14
We have a Windows 2000 server running a website within IIS on an internal network.

Security is setup within IIS as follows:

IIS is configured to block all requests from addresses unless the address is in the IP access list.
Anon access is enabled.
Intergrated Windows Authentication is also checked.
Site permissions are set to read and execute scripts.

NTFS Permissions are as follows:

Domain Admins - full access on all files and folders from the root down.
IIS IUSR ID - full access on all files and folders from the root down.
IIS IWAM ID - full access on all files and folders from the root down.
Domain users - Read & execute on all files and folders from the root down.

Scenario:

User accesses the site - able to display HTML pages in the root directory but receives a 401.3 error when accessing ASP scripts in subdirectories of the root. If an ASP script is copied up into the root, the user also receives a 403.1.

Domain Admin accesses the site - able to access HTML pages and run ASP scripts as normal.
If Intergrated Windows Authentication is unchecked the Domain Admin also receives a 401.3 error.

Anyone have a clue how to resolve this ?

From what I can see 401.3 indicates an ACL problem at the NTFS level, we have reset all rights on files and subdirectories numerous times, and granted full access to test with no joy.
0
Comment
Question by:Zenistar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715361
Enable the execute permission on the folders.
0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715443
I'm sorry.  I didnt read fully.

Try this:


 Under your webpages properties in IIS, where you enable anonymous access, ensure that IUSR_yourcomputername is the username and allow IIS to control password.

 set execute permissions to scripts only under the home directory tab

  Ensure that the subfolders inherit permissions

  Allow the system user full access

0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715503
Something else to consider:

  Do you use the <!-- #include --!> command or a database?  If you do, you may not have set permissions for the database, the included file, or the appropriate directories.

  You may want to check your logs.  Make sure that IUSR is trying to access the files and make sure that the correct files are causing the 401.3 error.  It's an easy error to fix when you find it :)
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 11

Expert Comment

by:adonis1976
ID: 9715590
0
 
LVL 7

Expert Comment

by:franka
ID: 9715598
- try NTFS auditing the folder. see if it's a single .asp file or global.asa....
- have you ever played with the system privilege "traverse folders"?
0
 
LVL 7

Expert Comment

by:franka
ID: 9715633
2nd idea:

"Anon access is enabled.
Intergrated Windows Authentication is also checked."

this means, IIS tries to log on the Domain User first and if not possible uses the anon IUSR.
Browsing as admin means, you will probably access the files as admin.

PLease activate and check the security log of your event viewer for log on problems
0
 
LVL 7

Expert Comment

by:franka
ID: 9715655
and 3rd:

small correction: with " privilege "traverse folders" I meant  Lsecpol "Bypass Transverse Checking".
If you remove the guest group, you need to add at least "list folder right" to every directory above your web root.
0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 500 total points
ID: 9757998
It could be permissions on a file in inetsrv, like asp.dll.  The easiest way to find out is to run the filemon utility while reproducing the problem.  This will log all access to all files and whether or not an access denied was issued.  Oh, filemon can be downloaded here:

http://sysinternals.com/ntw2k/source/filemon.shtml
0
 
LVL 1

Author Comment

by:Zenistar
ID: 9762935
Filemon pointed us in the right direction thanks.
0
 
LVL 2

Expert Comment

by:zerium
ID: 10105459
c'mon post your answer, I just ran into this problem (a 401.3 error) and it was simply that I needed to have "Everyone" as the access on security settings was limited to my personal logon and admin's weird thing was that IE could access the file but mozilla couldn't...
0

Featured Post

Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question