Solved

IIS 401.3 errors.

Posted on 2003-11-10
10
867 Views
Last Modified: 2012-08-14
We have a Windows 2000 server running a website within IIS on an internal network.

Security is setup within IIS as follows:

IIS is configured to block all requests from addresses unless the address is in the IP access list.
Anon access is enabled.
Intergrated Windows Authentication is also checked.
Site permissions are set to read and execute scripts.

NTFS Permissions are as follows:

Domain Admins - full access on all files and folders from the root down.
IIS IUSR ID - full access on all files and folders from the root down.
IIS IWAM ID - full access on all files and folders from the root down.
Domain users - Read & execute on all files and folders from the root down.

Scenario:

User accesses the site - able to display HTML pages in the root directory but receives a 401.3 error when accessing ASP scripts in subdirectories of the root. If an ASP script is copied up into the root, the user also receives a 403.1.

Domain Admin accesses the site - able to access HTML pages and run ASP scripts as normal.
If Intergrated Windows Authentication is unchecked the Domain Admin also receives a 401.3 error.

Anyone have a clue how to resolve this ?

From what I can see 401.3 indicates an ACL problem at the NTFS level, we have reset all rights on files and subdirectories numerous times, and granted full access to test with no joy.
0
Comment
Question by:Zenistar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715361
Enable the execute permission on the folders.
0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715443
I'm sorry.  I didnt read fully.

Try this:


 Under your webpages properties in IIS, where you enable anonymous access, ensure that IUSR_yourcomputername is the username and allow IIS to control password.

 set execute permissions to scripts only under the home directory tab

  Ensure that the subfolders inherit permissions

  Allow the system user full access

0
 
LVL 8

Expert Comment

by:tncbbthositg
ID: 9715503
Something else to consider:

  Do you use the <!-- #include --!> command or a database?  If you do, you may not have set permissions for the database, the included file, or the appropriate directories.

  You may want to check your logs.  Make sure that IUSR is trying to access the files and make sure that the correct files are causing the 401.3 error.  It's an easy error to fix when you find it :)
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 7

Expert Comment

by:franka
ID: 9715598
- try NTFS auditing the folder. see if it's a single .asp file or global.asa....
- have you ever played with the system privilege "traverse folders"?
0
 
LVL 7

Expert Comment

by:franka
ID: 9715633
2nd idea:

"Anon access is enabled.
Intergrated Windows Authentication is also checked."

this means, IIS tries to log on the Domain User first and if not possible uses the anon IUSR.
Browsing as admin means, you will probably access the files as admin.

PLease activate and check the security log of your event viewer for log on problems
0
 
LVL 7

Expert Comment

by:franka
ID: 9715655
and 3rd:

small correction: with " privilege "traverse folders" I meant  Lsecpol "Bypass Transverse Checking".
If you remove the guest group, you need to add at least "list folder right" to every directory above your web root.
0
 
LVL 21

Accepted Solution

by:
marc_nivens earned 500 total points
ID: 9757998
It could be permissions on a file in inetsrv, like asp.dll.  The easiest way to find out is to run the filemon utility while reproducing the problem.  This will log all access to all files and whether or not an access denied was issued.  Oh, filemon can be downloaded here:

http://sysinternals.com/ntw2k/source/filemon.shtml
0
 
LVL 1

Author Comment

by:Zenistar
ID: 9762935
Filemon pointed us in the right direction thanks.
0
 
LVL 2

Expert Comment

by:zerium
ID: 10105459
c'mon post your answer, I just ran into this problem (a 401.3 error) and it was simply that I needed to have "Everyone" as the access on security settings was limited to my personal logon and admin's weird thing was that IE could access the file but mozilla couldn't...
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
After seeing numerous questions for Dynamic Data Validation I notice that most have used Visual Basic to solve the problem. This suggestion is purely formula based and can be used in multiple rows.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question