IIS Returning Access Denied Error Intermittently (Error Event ID 100 in System Log) - Urgent

We've had IIS 5.0 installed on a Windows 2000 server for over a year and it has functioned properly for all of that time (ie, no access problems).  Last week, suddenly, it started returning an "Error: Access denied" page when attempting to access any of the pages in the web site.  Upon checking the system logs, there is the following error:  

Event ID:100
Source: W3SVC
Text:  The server was unable to logon the Windows NT account ‘IUSR_IKE’ due to the following error: Logon failure: the user has not been granted the requested logon type at this computer.  The data is the error code.  For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp

If I restart the IIS Admin Service and the WWW Publishing service, it will work properly for a random amount of time (anywhere from about 2 hours up to 12+) but will always end up failing at some point.

IIS is configured for anonymous access using the IUSR account (as it always has been).  I've tried numerous troubleshooting steps including the following, but to no avail - the problem persists and I cannot figure out what is triggering it:
-- IIS was configured to control the password for the IUSR account, so I changed it and manually entered one for the IUSR and entered the same one for the IWAM account (because I read that these need to be in sync).  It works fine at first, but will still fail.
-- In Local Users and Groups, I've ensured that the passwords for the IUSR and IWAM accounts are set to "password never expires" and that neither requires "user must change password at next logon".
-- The IUSR and IWAM accounts both have the "Log on Locally" local security policy enabled and I've ensured that while the problem is occurring these policies remain in effect (ie, they are not lost when the problem occurs).

The only recent change to the server is the installation of patch MS05019.  But this patch was installed on 6/23 and the problem did not start occurring until 6/28, so it does not seem like this triggered the problem.

I have a test installation of this same site at my office and this problem does not occur there.  This site serves over 800 users, so finding a fix to this problem has become quite urgent.  Thank you for your help.
EdgeDev Asked:

bigbillydotcom Commented:
I have had a problem in the past after messing with the authentication of those processes (I know you only did so after you started having problems, but maybe the problem is that those accounts have gotten corrupted somehow).

this is a stretch, but how about deleting the IUSR and IWAM accounts - according to Microsoft support, those accounts will be re-created when IIS admin is then restarted:

http://support.microsoft.com/default.aspx?scid=kb;en-us;822165

then I would make sure NTFS permissions weren't messing me up:

1) go to the security tab of that folder's properties (assume it's under inetpub)
2) make sure the Launch IIS Process Account (IWAM_servername) is in the group or user name list with these permissions (read, read and execute, list folder contents)
3) make sure the Internet Guest Account (IUSR_servername) is in the group or user name list with the same permissions as in #2
4) click the apply button then the advanced button
5) take the check out of the "Inherit..." box and click copy to copy those permissions to the folder
6) put a check in the "replace permissions..." box and click apply and yes to continue
7) click ok twice to close those windows, then close the explorer window

that takes care of NTFS permissions

I'd do a server reboot after all that or at least command line IISreset

let me know if that helps
BigBilly Saxon
www.BigBilly.com

Dave_Dietz Commented:
Check your Local Security Policy and make sure that the IUSR account is listed in both "Log on Locally" and "Access this computer from the network".  If it is not there, add it.  If it shows up in the setting but not in the 'Effective Settings' then you likely have had a domain policy added that has broken these settings.

If this is the case you will need to get the domain policy removed and get the machine moved to an OU that it doesn't apply to.

Dave Dietz

EdgeDev Author Commented:
An update to this problem.

Unfortunately, I can only test this once a day since the problem only occurs that often.  

So far, none of my changes have fixed the problem:  
- Because it is a production system, I can't take the risk of deleting the IUSR and IWAM accounts even though Microsoft states that it should be OK.  However, I did create a new IUSR account and disabled the old one, but it didn't make a difference.  I couldn't figure out how to associate a new IWAM account with the web site (ie, like how you associate the web site with the desired IUSR account).  If anyone knows how to do it, please let me know...
- I checked the NTFS permissions - it was set so that "Everyone" had access to everything.  I did change it so that the specific group to which IUSR belongs will have the accesses you describe.
- I have checked to make sure that the IUSR account is listed in both of the places in the Local Security Policy and it is in the Effective Settings as well - I made sure to check this after the problem occurred (prior to restarting the IIS Admin service to make sure that it wasn't disappearing momentarily, but it was still there).  The system administrators have assured me that no domain policies have been added.

I have been able to figure out when this problem occurs:  when the web site is not accessed (via a browser) for a period of approximately 2.5-3 hours.  As long as the site is accessed at least once every 2.5-3 hours, the error will not appear.  Is there some kind of time out or caching parameter??

bigbillydotcom Commented:
I tried deleting the IUSR and IWAM on my WinXP machine and they got recreated after I ran IISreset and opened the IIS admin
after re-creation, everything worked as expected
I wouldn't lean on the "everyone" group - or any group in particular here

matter of fact, I think on Win2k server you don't want to allow the everyone group too much access as that could be a security flaw, according to http://support.microsoft.com/default.aspx?scid=kb;en-us;278259

In earlier versions of Windows, members of the Anonymous Logon security group are able to access many resources. In some cases, if administrators are not aware that members of the Anonymous Logon security group are included as members of the Everyone security group, anonymous users may be granted access to resources that are only intended for authenticated users.

The process I outlined above has worked very well for me over the years, I'd encourage you to try it
IWAM and IUSR should have Read, Read and Execute, and list Folder Contents to all folders, subfolders, and files of your site

***To add IWAM user, first make sure it is in the Local Users Group of the server - not the domain!***

To add the IWAM to the root folder of your website, right-click the root folder and then click properties
Click Security then Add
***Change the Look In to the server - not the domain***
Click the top of the Name column (click Name) to sort the column
scroll down and you'll see IWAM_servername - highlight it then click add
click the apply button then the advanced button
take the check out of the "Inherit..." box and click copy to copy those permissions to the folder
put a check in the "replace permissions..." box and click apply and yes to continue
click ok twice to close those windows, then close the explorer window

I'd do a server reboot after all that or at least command line IISreset

that should confirm that NTFS permissions are not the problem

then I would clean out all of my Event Logs and if it fails again, let me know and I'll give you some more steps

I think if this was a policy problem, it would stay there and not come and go
EdgeDev Author Commented:
bigbillydotcom - Thanks for your latest comments and detailed instructions.  I'm going to go ahead and try creating a new IWAM account tomorrow and then if that doesn't work, I think I will have to try your suggestion to delete the accounts.  Forgive my ignorance, but could you provide instructions on how to perform IISreset and what you mean by "opened the IIS admin"?  I usually just stop and restart the IIS Admin Service via the Services console...

One more note about my situation - the websites were created using FrontPage 2000 with Server Extensions 2002 installed.  Could that have anything to do with my problem?
bigbillydotcom Commented:
they all seem to work hand in hand - certainly problems with frontpage ext. are not unheard of  - haha :)

You'll want to make sure your FPSE is setup correctly by checking the settings under IIS Admin for the website

We'll go over FPSE problems after you do the NTFS steps I recommended (I think that is logical, 'cause fooling around with FPSE can blow out your site if it was developed with a lot of FP features like nav bars and such)

Ok - IISreset, run from command prompt - open command prompt, type IISreset (close all other windows first - why? superstition!) then press enter - it does what it says  - resets IIS

The IIS Admin is by going into Start..Settings...Control Panel..Admin Tools...Internet Services Manager

I would do the NTFS resets I mentioned, then clear your event logs (Start..Settings...Control Panel...Admin Tools...Event Logs)

Then run IISreset - and watch your event logs to see if you have any errors on IIS reset - as well as around crash time
EdgeDev Author Commented:
Thanks for clarifying everything.  I tried creating a new IWAM account today.  Was successful in associating it with the web site as I disabled the original IWAM account.  Almost thought it had done the trick as the site was accessible all day up until about 25 mins ago.  Tomorrow I will try your first suggestion about deleting the IUSR/IWAM accounts.  PS: Just so you don't think I'm a total idiot.  I do know about the Internet Services Manager console and how to use it - just didn't realize that's what you were referring to. :-)  Will keep you posted... Thanks again for your help - while there seems to be some issue with this web site almost all of the time, I've never had a problem that I couldn't fix.  This one is really depressing me.
bigbillydotcom Commented:
cheer up
didn't mean to insinuate anything
just trying to be thorough to reduce miscomms
one hack I haven't mentioned is running IISreset as a scheduled task
I send opt-in bulk email each weekend to over 13000 users
and for some reason, out of the blue, SMTP was starting to hang
during the process - I set IISreset to run every 8 hours, and voila - luckily it has always restarted
and picked right up where it left off
since it's hanging on you anyway, maybe set IISreset to run a couple of hours before the typical(sic!) hang time, and see what that does. esp if you can do it outside of peak hours
lemme know
PS - anything in the event logs? what about turning on web logging??
EdgeDev Author Commented:
Update for today (Thursday):  Deleted the IUSR and IWAM accounts and they were successfully recreated upon IIS restart.  Site ran fine all day up until 11:30 pm.  Same error again.  I did think of running IIS as a scheduled task, but the physical server is maintained at the customer's site and their security policy does not allow for scheduled restarts of IIS.  Besides, w/o knowing what's triggering the error, I wouldn't even know when to schedule it.  I'm headed down to the customer site again tomorrow (Thursday), but I'm not even sure what to try next...  BTW, no events when IIS is restarted - it always restarts just fine.  Any thoughts?  Thanks.
bigbillydotcom Commented:
now that you have those 2 users setup again - do the NTFS permissions fix on the web folder

1) go to the security tab of that folder's properties (assume it's under inetpub)
2) make sure the Launch IIS Process Account (IWAM_servername) is in the group or user name list with these permissions (read, read and execute, list folder contents)
3) make sure the Internet Guest Account (IUSR_servername) is in the group or user name list with the same permissions as in #2
4) click the apply button then the advanced button
5) take the check out of the "Inherit..." box and click copy to copy those permissions to the folder
6) put a check in the "replace permissions..." box and click apply and yes to continue
7) click ok twice to close those windows, then close the explorer window

that takes care of NTFS permissions

can you try turning on website logging and try and log as much as you can

also - is there any other process running at 1130pm - like a backup that might include files/folders in the IIS directory??
EdgeDev Author Commented:
Hi - it appears the mystery has been solved.  After deleting the original IUSR and IWAM accounts and having IIS automatically recreate them, the local security policy for IUSR and IWAM was consistently being removed from Effective Settings for "Log on Locally" and "Log on as a Batch Job."  So even though I was reassured that the domain policy had not been changed, it obviously had.  The System Administrator created a new OU for the server and since then we have not had the problem.  As I stated earlier, we had checked the "Log on Locally" for the original IUSR account and it was in the Effective Settings even when the problem occurred, so it could be that the problem was resulting from a combination of corrupted IUSR and IWAM accounts and the changed domain policy.

In the process of correcting this last Thursday, I came across this MS Knowledge Base article that proved very helpful in assuring that we had the correct NTFS permissions and Local Security Policy:  http://support.microsoft.com/default.aspx?scid=KB;EN-US;271071  entitled "How to set required NTFS permissions and user rights for an IIS 5.0 Web Server"

Thank you again for all of your help!!!
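For anyone checking the state described in this thread (the rights Dave Dietz lists, and the "Log on as a Batch Job" right that the resolution above found stripped from Effective Settings), here is an added PowerShell check; it is not from this thread or from Microsoft. It exports the applied user-rights assignments with secedit, reports whether each IIS 5 account holds or is denied each right, and checks the accounts' NTFS read rights on the web root. The IUSR_/IWAM_ naming, the web root path, and the assumption that the secedit export reflects the policy the machine actually applies are all assumptions.

```powershell
# Added check (not from this thread): does each IIS 5 service account still hold
# the user rights and NTFS rights that the W3SVC Event ID 100 logon failure needs?
# Assumptions: accounts follow the IUSR_<server>/IWAM_<server> naming, the site
# lives under $WebRoot, and the secedit export reflects the policy actually applied.
# Run from an elevated prompt; secedit needs administrative rights.
param(
    [string]$ServerName = $env:COMPUTERNAME,
    [string]$WebRoot    = 'C:\Inetpub\wwwroot'
)
$accounts = @("IUSR_$ServerName", "IWAM_$ServerName")
# Rights discussed in the thread; a matching SeDeny* right wins over the grant.
$needed = @{
    SeInteractiveLogonRight = 'Log on locally'
    SeNetworkLogonRight     = 'Access this computer from the network'
    SeBatchLogonRight       = 'Log on as a batch job'
}
# Export the applied user-rights assignments. secedit lists holders as *S-1-... SIDs.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
$rx  = [Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl = Get-Acl -Path $WebRoot
foreach ($acct in $accounts) {
    # Resolve name -> SID so either spelling in the export matches; this throws if
    # the account no longer exists, which is itself the answer.
    $sid = (New-Object Security.Principal.NTAccount($acct)).Translate([Security.Principal.SecurityIdentifier]).Value
    foreach ($right in $needed.Keys) {
        $deny    = $right -replace '^Se', 'SeDeny'
        $granted = (@($rights[$right]) -contains $sid) -or (@($rights[$right]) -contains $acct)
        $denied  = (@($rights[$deny])  -contains $sid) -or (@($rights[$deny])  -contains $acct)
        $state   = if ($denied) { 'DENIED' } elseif ($granted) { 'ok' } else { 'MISSING' }
        '{0,-20} {1,-40} {2}' -f $acct, $needed[$right], $state
    }
    # NTFS: direct Allow ACEs only; rights that arrive via group membership are not followed.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$acct" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $rx) -eq $rx)
    }
    '{0,-20} {1,-40} {2}' -f $acct, "NTFS ReadAndExecute on $WebRoot", $(if ($ace) { 'ok' } else { 'MISSING' })
}
```

A right reported as MISSING in this export while the Local Security Policy console still shows it locally is the "setting present, Effective Settings empty" symptom from the thread, which points at a domain policy overriding the local one.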
bigbillydotcom Commented:
HAHA - and everybody (except EdgeDev that is!) thinks I'm crazy when I suggest the fix for the permissions on the web folder; if they did all that's on that page, they'd be glad to do my little routine
Thanks EdgeDev - that's a great KB article!!