• Status: Solved
  • Priority: Medium
  • Security: Public

Problem Accessing Web pages after Active Directory rebuild

Hello

 First to give some info about the system and a little background.
Operating system is a Windows 2003, IIS6, and active directory with all updates applied. I have some web pages that are user name and password protected.  Some of the pages connect to a database using ASP pages. The pages have been working perfect for about 2 years. All access with the users in active directory works perfect.  The first problem I had was when the server would reboot; it would take 45 minutes to finally come up. I did a reboot, pressed F8 and did a rebuild for active directory.  The rebuild stated that there were a couple of files that were bad and repaired them. After reboot the server came up and rebooted perfectly without any delay.  

Now for the current problem with web pages.  The pages that had a user name and password just keep asking for the user name and password as if you were entering it incorrectly. I checked in active directory and all looks OK. I even added a new user just to try.
Here is what I found.
If you take a web page that allowed anonymous access, changed access permissions to use Integrated windows authentication, the window will ask for user name and password but acts like the password or name is incorrect. I have checked that the files and directory permissions are correct. Change the permissions for the web page back to anonymous and it will work.  I need the restricted web pages to work like they did before the active directory rebuild.

Any suggestion would be appreciated.
Thanks
0
Asked by: resd
TheCleaner Commented:
Is active directory on this server?  Sounds like you are saying it's all in one server, right?
0
 
resd (Author) Commented:
>Is active directory on this server?  Sounds like you are saying it's all in one server, right?

That is correct. All resides on the same server. The only change was the rebuild to active directory.
0
 
MichaelPro Commented:
1-Make sure "Anonymous Access" is unchecked (even though you have Integrated on).

2-check the event log, security, and see when you put the username/password does it log any failure?

3-Reset iis by going to Run | iisreset

4-Access the webpages

5-Check the Application and System Log (EventLog) and see if any error is logged after iis restarts

------------
Aside from these, are you running IIS 6.0 with application pool? (or isolation 5.0)?
------------
Install IIS Diagnostics toolkit from http://www.microsoft.com/downloads/details.aspx?familyid=9BFA49BC-376B-4A54-95AA-73C9156706E7&displaylang=en

This tool in the package above can help you find out where IIS eats the authentication token: Authentication and Access Control Diagnostics 1.0

thanks,
Michael.
0
 
averyb Commented:
I had this same type of problem.  It was a database thing.  I'll need to look up the resolution.  Be back shortly.
0
 
averyb Commented:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306345

this might not apply to you, but it sounds like it could.  Problem for me was a permission issue on a particular registry key.

My problem started when I upgraded from Oracle 8 to Oracle 9i.
0
 
TheCleaner Commented:
Can you explain the steps you took when you rebuilt AD?

I'm assuming since you said "F8" that you went into Directory Services Restore Mode, but do you recall the commands (like ntdsutil etc) that you ran and the parameters?
0
 
resd (Author) Commented:
I'll try to answer everyone's questions

Comment from MichaelPro
>1-Make sure "Anonymous Access" is unchecked (even though you have Integrated on).
 I have done that. If that was set, they would not have worked before.
>2-check the event log, security, and see when you put the username/password does it log any failure?
 Nothing is showing in the log files
>3-Reset iis by going to Run | iisreset
 OK
>4-Access the webpages
>5-Check the Application and System Log (EventLog) and see if any error is logged after iis restarts

Here is the message from the Eventlog
Error: The Template Persistent Cache initialization failed for Application Pool 'DefaultAppPool' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes..

>Aside from these, are you running IIS 6.0 with application pool? (or isolation 5.0)?
IIS6.0 with application pool


Comment from averyb

>http://support.microsoft.com/default.aspx?scid=kb;EN-US;306345
>this might not apply to you, but it sounds like it could.  Problem for me was a permission issue on a particular registry key.
This is set correctly

Comment from TheCleaner

>Can you explain the steps you took when you rebuilt AD?
>I'm assuming since you said "F8" that you went into Directory Services Restore Mode, but do you recall the commands (like ntdsutil etc) that you ran and the parameters?
Sorry, can't really remember what the exact commands were. I found the instructions here on EE, but can't find them now. Here is the log that it generated:
Summary:
Active Objects           3050
Phantoms              2
Deleted              6
Security descriptor summary:
SD count:             82
Total SD size before single-instancing:                932 Kb
Total SD size after single-instancing:                  77 Kb


 What is really strange is web pages that are just plain html, like under construction, if you set to a user name and password, it will tell you you do not have permissions after several tries. It is like IIS6 can see the users in active directory, but active directory is not responding to permissions. I have tried logging on to the server with an old and new user and that works.

0
 
MichaelPro Commented:
Exactly the information I needed! The reason for this problem is (well, most likely) because you have Active Directory on the same server, there are some extra security things that Windows implements. Because of this you need to manually give permission to that user running the application pool. By default, Application Pools run under NETWORK SERVICE account, a member of IIS_WPG. What you need to do is to give IIS_WPG group permission to that folder.

Follow the instruction in here:
http://support.microsoft.com/?id=332097


And keep us posted.

thanks,
Michael
0
 
resd (Author) Commented:
Michael

 I have done all the steps in the article Q332097 with the same results. This article would maybe explain the ASP pages not working but not a plain web page. Let's start with a basic page with nothing but the word hello in it, get it to work then work on the ASP pages.  If I set anonymous access it works. If I set Integrated windows authentication even the administrator access gives you the "You do not have permission" message. Set it back to anonymous access and it works.
Thanks
Dan
0
 
MichaelPro Commented:
One more thing that you need to do, and I noticed it wasn't in the article: you need to give IIS_WPG access to the folder where your web files are located. Unless you changed the location, it should be c:\inetpub\wwwroot (File Security - Not Share Permission).

If the problem still doesn't get resolved, this is how you can eliminate the permission problems and find out: go to the security tab in c:\inetpub and add 'everyone', then see if you can access the website after resetting IIS. You can then remove the 'everyone'. Let us know the result of this if the first one doesn't work.

Thanks,
Michael
0
 
TheCleaner Commented:
I'm not deep into IIS, but I wonder if when you rebuilt AD you didn't reassign some SIDs.

Does file sharing, drive mappings still work with no problem?

Is there anything else not quite right besides IIS?
0
 
resd (Author) Commented:
To MichaelPro
Have checked the IIS_WPG and that is all correct. Anyone can access the web pages using anonymous access. The only problem is with Integrated windows authentication selected. No matter what users, even the administrator. When you enter the password, after three tries it says you do not have permissions.

To TheCleaner
>I'm not deep into IIS, but I wonder if when you rebuilt AD you didn't reassign some SIDs.
Not sure how to do what you ask.

>Does file sharing, drive mappings still work with no problem?
Yes
>Is there anything else not quite right besides IIS?
Not that I have found.
0
 
TheCleaner Commented:
OK, so SIDs are fine.  Check these links, and possibly post a pointer question in the IIS channel:

http://www.experts-exchange.com/Web/Web_Servers/IIS/Q_21703068.html

0
 
MichaelPro Commented:

===============
Have checked the IIS_WPG and that is all correct. Anyone can access the web pages using anonymous access. The only problem is with Integrated windows authentication selected. No matter what users, even the administrator. When you enter the password, after three tries it says you do not have permissions.
================

Yes, that is because IIS runs under Application Pool's User. Whatever user is running the application pool needs to have access to the files/folders for the website. Does not matter if Administrator is trying to access or someone else. You can check what user is running the AppPool by opening IIS, going to ApplicationPools, then going to the properties of that application pool, Identity tab.

By default this is "Network Service". If it's anything else, it needs to be registered in the Active Directory (setspn command). But if it is "Network Service" already, then you need to make sure your web files are given permission to this user (which runs in IIS_WPG group). You can try changing the AppPool Identity to LocalSystem or Administrator (because system has access to all the files) and check to see if it works.

thanks,
Michael
 
 
0
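The thread goes back and forth on whether the prompt loop is a file-permission problem or an authentication problem; the IIS W3C log separates the two through the 401 substatus. This is an added example, not code from any poster: it assumes W3C Extended logging with the `sc-substatus` and `sc-win32-status` fields enabled, and the log lines, addresses and the `EXAMPLE\test` user are constructed.

```python
# Constructed sample in IIS 6 W3C Extended format; hosts, user and times are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2006-02-01 10:00:01 GET /hello.htm - 192.0.2.10 401 2 2148074254
2006-02-01 10:00:01 GET /hello.htm - 192.0.2.10 401 1 0
2006-02-01 10:00:01 GET /hello.htm EXAMPLE\\test 192.0.2.10 200 0 0
2006-02-01 10:05:00 GET /hello.htm - 127.0.0.1 401 2 2148074254
2006-02-01 10:05:00 GET /hello.htm - 127.0.0.1 401 1 0
2006-02-01 10:05:04 GET /hello.htm - 127.0.0.1 401 1 2148074252
2006-02-01 10:09:00 GET /report.asp - 192.0.2.11 401 2 2148074254
2006-02-01 10:09:00 GET /report.asp - 192.0.2.11 401 1 0
2006-02-01 10:09:01 GET /report.asp EXAMPLE\\test 192.0.2.11 401 3 5
"""

# IIS 401 substatus codes: which stage refused the request.
SUBSTATUS = {
    "1": "401.1 logon failed (credentials rejected)",
    "2": "401.2 logon failed due to server configuration",
    "3": "401.3 denied by the ACL on the resource",
}

def parse(log_text):
    # Yield one dict per request, keyed by the names on the #Fields line.
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))

def diagnose(log_text):
    # A 401.2 followed by a 401.1 is the normal start of an NTLM exchange,
    # so only the last response per (client IP, URI) says whether access worked.
    last = {}
    for row in parse(log_text):
        last[(row["c-ip"], row["cs-uri-stem"])] = row
    verdicts = {}
    for key, row in last.items():
        if row["sc-status"] == "401":
            reason = SUBSTATUS.get(row["sc-substatus"], "401." + row["sc-substatus"])
            verdicts[key] = f"{reason}, win32 status {row['sc-win32-status']}"
        else:
            verdicts[key] = f"{row['sc-status']} served to {row['cs-username']}"
    return verdicts

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A sequence that ends in 401.3 points at NTFS permissions on the content; one that ends in 401.1 means the logon itself was refused, which no change to the folder ACL will fix.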
 
resd (Author) Commented:
Michael

 The "Network Service" is the default. The IIS_WPG has all rights to the web files and each user that should be asked for permissions has all access. The permissions are everyone, IIS_WPG, the users (test) that I created for testing, all the old users, network service, network, system, administrator and even the Internet Guest Account. Still the Integrated Windows authentication does not work. Whatever is wrong is affecting all web pages. I have several different domains running and all works until I set a page to Integrated Windows authentication. I know it sounds like a permission problem but I really can not find it. Whatever changed with the AD rebuild is causing the problem.

Thanks
Dan
0
 
resd (Author) Commented:
Michael

 I have even tried logging in with a user that should have permission and they can see exactly what they are supposed to. Also remote desktop works correctly. It appears to be the connection between IIS6 and AD.

Thanks
Dan
0
 
resd (Author) Commented:
Hi All

 Sorry I did not get back to complete this,  but I had a family member get hurt and I have been with them.
What I did to solve this was totally rebuild permissions. It still does not work if I am on the server, but will work if I use IE from another computer.
Thanks for all the help.
0
