Solved

IUSR account help

Posted on 2005-03-14
Last Modified: 2008-02-07
I'm having trouble creating Virtual Directories on my site.  I'm using the IUSR account for anonymous access to the virtual directory (this is on a W2K domain) but for some reason it won't work.  I've reset the IUSR password in Active Directory and made sure the user has read access to the directory that I am using as the virtual directory.  After creating the Virtual Directory there is an error sign for the icon of the directory instead of the normal icon.

I tested with my own username password for anonymous access and it works fine, however I am a Domain Admin.  

I've also tested on a different folder and that works fine also with the IUSR account.  So I'm pretty sure this has something to do with security on the folder level but I've checked & rechecked to make sure the IUSR account has access to this folder.

Please help with any advice to fix this problem.  Thanks

IIS 5.0 on W2K Server
Question by:mgcIT
19 Comments
 
LVL 2

Expert Comment

by:vermon
ID: 13538848
Try adding the Everyone account with the same permissions as IUSR - it always seems to fix that problem me!
0
 
LVL 2

Expert Comment

by:vermon
ID: 13538853
for me not problem me..ahaha
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 13538874
Is the IUSR account listed in 'Bypass Traverse checking' in the Local Security Policy?

If not, the IUSR account will need permissions from the root of the drive all the way down to wherever the vdir points.

Also, are the vdirs that are having the problem local to the machine or are they pointing to fileshares on remote servers?

Dave Dietz
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13538927
vermon: your suggestion would probably work but adding the Everyone is not secure.

Dave_Dietz: I'm not sure where the 'Bypass Traverse checking' is located in the local policy, but the policies are maintained by the domain controller anyway I believe.  The virtual dirs are located on fileshares on a remote server.

Thanks
0
 
LVL 5

Expert Comment

by:SMartinHamburg
ID: 13539001
if the vdirs are on a remote share the user accing them will have to be set up as a domain user
0
 
LVL 5

Expert Comment

by:SMartinHamburg
ID: 13539008
"accessing" that should have been
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13539025
SMartinHamburg:  Thanks for the reply...the IUSR is a domain user - listed under users as IUSR_SERVERNAME

Thanks
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 13539040
Ok - the IUSR account is a local account and the remote server doesn't have any idea who it is.

What is the 'Connect As' user set to for the vdirs?

Dave Dietz
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13539099
the Connect As user is "MGC\IUSR_SERVERNAME" (MGC is the domain name)

Thanks
0
 
LVL 37

Expert Comment

by:meverest
ID: 13539155
Hi,

You can create a local account on the remote system with the same name as the IIS IUSR name.  For example, if the IIS server has "IUSR_IISSERVERNAME", then make a user "IUSR_IISSERVERNAME" on the remote and set the password the same, then add read access to the relevant resources.

now you don't need to pass any domain credentials (ie IUSR_IISSERVERNAME instead of MGC\IUSR_IISSERVERNAME)

Cheers.
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13539171
on a Domain Controller the local user accounts are disabled....therefore I must use Domain accounts

thanks
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13539203
at one point when going through the "Virtual Directory Creation Wizard" it says "Enter the user name and password that will be used to gain access to the network resource"  Is this the same thing as the anonymous account?  Because I notice even when I fill in the proper info here, I still have to go back into the properties of the VirDir and check the box to allow anonymous access and fill out the username & password again.  Maybe this is my problem

Thanks
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 2000 total points
ID: 13539437
These are entirely different settings.....

The connect as user is the account used to create the UNC connection to the remote share and to access files on that share.

Anonymous access is the account that users impersonate when they are not required to provide credentials.

What you need to do is to create a domain account that will have access to the fileshares and the files in the shares.

Set the "Connect As" user for your vdirs to this account ID.

The one issue to keep in mind is that *all* users who access the vdir will be accessing the files as the Connect As user, not as themselves.

Dave Dietz
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13539529
sorry - I'm a little confused...

>>"The one issue to keep in mind is that *all* users who access the vdir will be accessing the files as the Connect As user, not as themselves."

you mean they will be accessing the files as the account specified for anonymous access? or the account used to create the UNC to the remote share?

Thanks
0
 
LVL 37

Expert Comment

by:meverest
ID: 13539732
>> on a Domain Controller the local user accounts are disabled....therefore I must use Domain accounts

i see - i missed that bit of detail...  so is the iis server also a domain controller?  is the anonymous IUSR username the same for both servers?

Cheers.
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13539820
meverest: yes the IIS server is also a Domain controller (this is a private Intranet - not on the www), and yes the anonymous IUSR username is the same for both servers.

Thanks
0
 
LVL 37

Expert Comment

by:meverest
ID: 13539881
ok....

have you checked that the anonymous user set in IIS is correct and that the password is correct?

incidentally, I am fairly sure that the error icon you see in the iis admin indicates that the iis admin account does not have correct access.  check the user running the IIS admin service (in services viewer) and give that user read access too.

Cheers.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 13539969
When you use a connect as user, all users will access the content of the vdir as the connect as user, not as the anonymous user or as themselves if they are required to authenticate, i.e. if individual users are given read access and the connect as user isn't, then no one will be able to access the files.

You will need to give permissions on the files and the share to the user specified in the "connect as" entry.

Dave Dietz
0
 
LVL 18

Author Comment

by:mgcIT
ID: 13548848
ok, thanks for helping me get to the bottom of this.  I finally figured out the problem was that I had given the IUSR account access to the folders/files through the NTFS security, but I hadn't given it access on the "Sharing" tab of the shared folder.  Once I did that everything worked fine.

Thanks for the help.
0
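
The root cause found above (NTFS permission granted, share permission missing) can be checked in one pass by reading both permission layers for the same account. The following is an added example, not code from the thread: it assumes a file server running Windows Server 2012 or later (the `SmbShare` module is not available on the W2K systems discussed here), the share name `webcontent` is hypothetical, and the caller lists the account's groups because the function does not expand group membership.

```powershell
# Added example, not from the thread. Run on the file server hosting the share.
# Requires the SmbShare module (Windows Server 2012 or later).
function Test-ShareVsNtfsRead {
    param(
        [Parameter(Mandatory)] [string]   $ShareName,   # hypothetical, e.g. 'webcontent'
        # The Connect As account plus every group it belongs to; the caller
        # supplies these because this function does not expand group membership.
        [Parameter(Mandatory)] [string[]] $Principals
    )
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Layer 1: share permissions (the "Sharing" tab). Read, Change and Full all
    # include read; Custom entries are ignored here and need manual review.
    $shareAces = @(Get-SmbShareAccess -Name $ShareName |
        Where-Object { $Principals -contains $_.AccountName })
    $shareDeny  = @($shareAces | Where-Object { "$($_.AccessControlType)" -eq 'Deny' })
    $shareAllow = @($shareAces | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        @('Read', 'Change', 'Full') -contains "$($_.AccessRight)" })
    $shareOk = ($shareAllow.Count -gt 0) -and ($shareDeny.Count -eq 0)

    # Layer 2: NTFS permissions (the "Security" tab) on the shared folder itself.
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    $ntfsAces = @((Get-Acl -Path $share.Path).Access |
        Where-Object { $Principals -contains $_.IdentityReference.Value })
    $ntfsDeny  = @($ntfsAces | Where-Object { "$($_.AccessControlType)" -eq 'Deny' -and
        (([int]$_.FileSystemRights) -band $read) -ne 0 })
    $ntfsAllow = @($ntfsAces | Where-Object { "$($_.AccessControlType)" -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $read) -eq $read })
    $ntfsOk = ($ntfsAllow.Count -gt 0) -and ($ntfsDeny.Count -eq 0)

    # Access over the UNC path needs BOTH layers to permit it.
    $diagnosis = if ($shareOk -and $ntfsOk) { 'Read allowed at both layers' }
        elseif ($ntfsOk)  { 'NTFS allows read but the share permission does not' }
        elseif ($shareOk) { 'Share allows read but NTFS does not' }
        else              { 'Neither layer grants read' }

    [pscustomobject]@{
        Share = $ShareName; Path = $share.Path; Principals = $Principals -join ', '
        ShareRead = $shareOk; NtfsRead = $ntfsOk; Diagnosis = $diagnosis
    }
}

# Constructed values; substitute your own share name and account.
Test-ShareVsNtfsRead -ShareName 'webcontent' -Principals 'MGC\IUSR_SERVERNAME', 'Everyone'
```

The check inspects only the ACL on the share's root folder and treats any matching Deny entry as blocking, so subfolders with broken inheritance still need a separate look.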
