mgcIT
asked on
IUSR account help
I'm having trouble creating Virtual Directories on my site. I'm using the IUSR account for anonymous access to the virtual directory (this is on a W2K domain) but for some reason it won't work. I've reset the IUSR password in Active Directory and made sure the user has read access to the directory that I am using as the virtual directory. After creating the Virtual Directory there is an error sign for the icon of the directory instead of the normal icon.
I tested with my own username password for anonymous access and it works fine, however I am a Domain Admin.
I've also tested on a different folder and that works fine also with the IUSR account. So I'm pretty sure this has something to do with security on the folder level but I've checked & rechecked to make sure the IUSR account has access to this folder.
Please help with any advice to fix this problem. Thanks
IIS 5.0 on W2K Server
Try adding the Everyone account with the same permissions as IUSR - it always seems to fix that problem me!
for me not problem me..ahaha
Is the IUSR account listed in 'Bypass Traverse checking' in the Local Security Policy?
If not, the IUSR account will need permissions from the root of the drive all the way down to wherever the vdir points.
Also, are the vdirs that are having the problem local to the machine or are they pointing to fileshares on remote servers?
Dave Dietz
ASKER
vernon: your suggestion would probably work but adding the Everyone is not secure.
Dave_Dietz: I'm not sure where the 'Bypass Traverse checking' is located in the local policy, but the policies are maintained by the domain controller anyway I believe. The virtual dirs are located on fileshares on a remote server.
Thanks
if the vdirs are on a remote share the user accing them will have to be set up as a domain user
"accessing" that should have been
ASKER
SMartinHamburg: Thanks for the reply...the IUSR is a domain user - listed under users as IUSR_SERVERNAME
Thanks
Ok - the IUSR account is a local account and the remote server doesn't have any idea who it is.
What is the 'Connect As' user set to for the vdirs?
Dave Dietz
ASKER
the Connect As user is "MGC\IUSR_SERVERNAME" (MGC is the domain name)
Thanks
Hi,
you can create a local account on the remote system with the same name as the IIS IUSR name. for example, if the iis server has "IUSR_IISSERVERNAME", then make a user "IUSR_IISSERVERNAME" on the remote and set the password the same then add read access to the relevant resources.
now you don't need to pass any domain credentials (ie IUSR_IISSERVERNAME instead of MGC\IUSR_IISSERVERNAME)
Cheers.
ASKER
on a Domain Controller the local user accounts are disabled....therefore I must use Domain accounts
thanks
ASKER
at one point when going through the "Virtual Directory Creation Wizard" it says "Enter the user name and password that will be used to gain access to the network resource" Is this the same thing as the anonymous account? Because I notice even when I fill in the proper info here, I still have to go back into the properties of the VirDir and check the box to allow anonymous access and fill out the username & password again. Maybe this is my problem
Thanks
ASKER CERTIFIED SOLUTION
ASKER
sorry - I'm a little confused...
>>"The one issue to keep in mind is that *all* users who access the vdir will be accessing the files as the Connect As user, not as themselves."
you mean they will be accessing the files as the account specified for anonymous access? or the account used to create the UNC to the remote share?
Thanks
>> on a Domain Controller the local user accounts is disabled....therefore I must use Domain accounts
i see - i missed that bit of detail... so is the iis server also a domain controller? is the anonymous IUSR username the same for both servers?
Cheers.
ASKER
meverest: yes the IIS server is also a Domain controller (this is a private Intranet - not on the www), and yes the anonymous IUSR username is the same for both servers.
Thanks
ok....
have you checked that the anonymous user set in IIS is correct and that the password is correct?
incidentally, I am fairly sure that the error icon you see in the iis admin indicates that the iis admin account does not have correct access. check the user running the IIS admin service (in services viewer) and give that user read access too.
Cheers.
When you use a connect as user all users will access the content of the vdir as the connect as user, not as the anonymous user or as themselves if they are required to authenticate i.e. if individual users are given read access and the connect as user isn't then no one will be able to access the files.
You will need to give permissions on the files and the share to the user specified in the "connect as" entry.
Dave Dietz
ASKER
ok, thanks for helping me get to the bottom of this. I finally figured out the problem was that I had given the IUSR account access to the folders/files through the NTFS security, but I hadn't given it access on the "Sharing" tab of the shared folder. Once I did that everything worked fine.
Thanks for the help.
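The resolution above (NTFS permission granted, share permission missing) and the earlier "Everyone" suggestion, modelled as an added example that is not part of the thread: the "Connect As" account must pass both the share ACL and the NTFS ACL. The ACL contents and the accounts `admin_user` and `other_user` are constructed assumptions, and deny handling is simplified.

```python
# Added example: simplified two-layer check for a UNC-backed virtual directory.
# The "Connect As" account must be allowed by the share ACL AND the NTFS ACL.
from dataclasses import dataclass

LEVELS = {"read": 1, "change": 2, "full": 3}

@dataclass(frozen=True)
class Ace:
    principal: str   # account or group name
    allow: bool      # False means a deny entry
    level: str       # "read", "change" or "full"

def granted(acl, account, groups, want="read"):
    """True if the ACL gives `account`, directly or via a group, `want` access."""
    matching = [a for a in acl if a.principal in {account, *groups}]
    if any(not a.allow for a in matching):   # simplification: any deny blocks
        return False
    return any(LEVELS[a.level] >= LEVELS[want] for a in matching)

def diagnose(connect_as, groups, share_acl, ntfs_acl, want="read"):
    """Return 'ok' or name the layer(s) refusing the Connect As account."""
    layers = (("share", share_acl), ("ntfs", ntfs_acl))
    blocked = [n for n, acl in layers if not granted(acl, connect_as, groups, want)]
    return "ok" if not blocked else "denied at " + " and ".join(blocked)

# Constructed sample data; ACL contents and the two extra accounts are assumptions.
IUSR = r"MGC\IUSR_SERVERNAME"
ADMIN = (r"MGC\admin_user", {"Everyone", r"MGC\Domain Admins"})
OTHER = (r"MGC\other_user", {"Everyone"})
ADMINS_FULL = Ace(r"MGC\Domain Admins", True, "full")
NTFS = [ADMINS_FULL, Ace(IUSR, True, "read")]
SHARE_BEFORE = [ADMINS_FULL]                              # IUSR missing on the share
SHARE_FIXED = SHARE_BEFORE + [Ace(IUSR, True, "read")]   # the asker's fix
EVERYONE = Ace("Everyone", True, "read")

def scenarios():
    return {
        "iusr_before": diagnose(IUSR, {"Everyone"}, SHARE_BEFORE, NTFS),
        "admin_before": diagnose(*ADMIN, SHARE_BEFORE, NTFS),
        "iusr_fixed": diagnose(IUSR, {"Everyone"}, SHARE_FIXED, NTFS),
        "other_fixed": diagnose(*OTHER, SHARE_FIXED, NTFS),
        "other_everyone": diagnose(*OTHER, SHARE_BEFORE + [EVERYONE], NTFS + [EVERYONE]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The last scenario shows why granting Everyone makes the error go away while also opening the content to every other account.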