• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1328
  • Last Modified:

IUSR account help

I'm having trouble creating Virtual Directories on my site.  I'm using the IUSR account for anonymous access to the virtual directory (this is on a W2K domain) but for some reason it won't work.  I've reset the IUSR password in Active Directory and made sure the user has read acccess to the directory that I am using as the virtual directory.  After creating the Virtual Directory there is an error sign for the icon of the directory instead of the normal icon.  

I tested with my own username password for anonymous access and it works fine, however I am a Domain Admin.  

I've also tested on a different folder and that works fine also with the IUSR account.  So I'm pretty sure this has something to do with security on the folder level but I've checked & rechecked to make sure the IUSR account has access to this folder.

Please help with any advice to fix this problem.  Thanks

IIS 5.0 on W2K Server
0
mgcIT
Asked:
mgcIT
  • 8
  • 4
  • 3
  • +2
1 Solution
 
vermonCommented:
Try adding the Everyone account with the same permissions as IUSR - it always seems to fix that problem me!
0
 
vermonCommented:
for me not problem me..ahaha
0
 
Dave_DietzCommented:
Is the IUSR account listed in 'Bypass Traverse checking' in the Local Security Policy?

If not, the IUSR account will need permissions from the root of the drive all the way down to wherever the vdir points.

Also, are the vdirs that are having the problem local to the machine or are they pointing to fileshares on remote servers?

Dave Dietz
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
mgcITAuthor Commented:
vernon: your suggestion would probably work but adding the Everyone is not secure.

Dave_Dietz: I'm not sure where the 'Bypass Traverse checking' is located in the local policy, but the policies are maintained by the domain controller anyway I believe.  the virtual dirs are located on fileshares on a remote server.

Thanks
0
 
SMartinHamburgCommented:
if the vdirs are on a remote share the user accing them will have to be set up as a domain user
0
 
SMartinHamburgCommented:
"accessing" that should have been
0
 
mgcITAuthor Commented:
SMartinHamburg:  Thanks for the reply...the IUSR is a domain user - listed under users as IUSR_SERVERNAME

Thanks
0
 
Dave_DietzCommented:
Ok - the IUSR account is a lcoal account and the remote server doesn't have any idea who it is.

What is the 'Connect As' user set to for the vdirs?

Dave Dietz
0
 
mgcITAuthor Commented:
the Connect As user is "MGC\IUSR_SERVERNAME" (MGC is the domain name)

Thanks
0
 
meverestCommented:
Hi,

you can create a local account on the remote system with the same name as the IIS IUSR name.  for example, if the iis server has "IUSR_IISSERVERNAME", then make a user "IUSR_IISSERVERNAME" on the remote and set the password the same then add read access to the relevent resources.

now you don't need to pass any domain credentials (ie IUSR_IISSERVERNAME instead of MGC\IUSR_IISSERVERNAME)

Cheers.
0
 
mgcITAuthor Commented:
on a Domain Controller the local user accounts is disabled....therefore I must use Domain accounts

thanks
0
 
mgcITAuthor Commented:
at one point when going through the "Virtual Directory Creation Wizard" it says "Enter the user name and password that will be used to gain access to the network resource"  Is this the same thing as the anonymous account?  Because I notice even when I fill in the proper info here, I still have to go back into the properties of the VirDir and check the box to allow anonymous access and fill out the username & password again.  Maybe this is my problem

Thanks
0
 
Dave_DietzCommented:
These are entirely different settings.....

The connect as user is the account used to create the UNC connection to the remote share and to access files on that share.

Anonymous acces is the account that users impersonate when they are not required to provide credentials.

What you need to do is to create a domain account that will have access to the fileshares and the files in the shares.

Set the "Connect As" user for your vdirs to this account ID.

The one issue to keep in mind is that *all* users who access the vdir will be accessing the files as the Connect As user, not as themselves.

Dave Dietz
0
 
mgcITAuthor Commented:
sorry - I'm a little confused...

>>"The one issue to keep in mind is that *all* users who access the vdir will be accessing the files as the Connect As user, not as themselves."

you mean they will be accessing the files as the account specified for anonymous access? or the account used to create the UNC to the remote share?

Thanks
0
 
meverestCommented:
>> on a Domain Controller the local user accounts is disabled....therefore I must use Domain accounts

i see - i missed that bit of detail...  so is the iis server also a domain controller?  is the anonymous IUSR username the same for both servers?

Cheers.
0
 
mgcITAuthor Commented:
meverest: yes the IIS server is also a Domain controller (this is a private Intranet - not on the www), and yes the anonymous IUSR username is the same for both servers.

Thanks
0
 
meverestCommented:
ok....

have you checked that the anonymous user set in IIS is correct and that the password is correct?

incidentally, I am fairly sure that the error icon you see in the iis admin indicates that the iis admin account does not have correct access.  check the user running the IIS admin service (in services viewer) and give that user read access too.

Cheers.
0
 
Dave_DietzCommented:
When you use a connect as user all users will access the content of the vdir as the connect as user, not as the anonymous user or as themselves if they are required to authenticate i.e. if individual users are given read access and the connect as user isn't then no one will be abe to acces the files.

You will need to give permissions on the files and the share to the user specified in the "connect as" entry.

Dave Dietz
0
 
mgcITAuthor Commented:
ok, thanks for helping me get to the bottom of this.  I finally figured out the problem was that I had given the IUSR account access to the folders/files through the NTFS security, but I hadn't given it access on the "Sharing" tab of the shared folder.  Once I did that everything worked fine.

Thanks for the help.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 8
  • 4
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now