resd

Problem Accessing Web pages after Active Directory rebuild

Hello

 First to give some info about the system and a little background.
Operating system is a Windows 2003, IIS6, and active directory with all updates applied. I have some web pages that are user name and password protected.  Some of the pages connect to a database using ASP pages. The pages have been working perfect for about 2 years. All access with the users in active directory works perfect.  The first problem I had was when the server would reboot; it would take 45 minutes to finally come up. I did a reboot, pressed F8 and did a rebuild for active directory.  The rebuild stated that there were a couple of files that were bad and repaired them. After reboot the server came up and rebooted perfectly without any delay.  

Now for the current problem with web pages.  The pages that had a user name and password just keep asking for the user name and password as if you were entering it incorrectly. I checked in active directory and all looks OK. I even added a new user just to try.
Here is what I found.
If you take a web page that allowed anonymous access, changed access permissions to use Integrated windows authentication, the window will ask for user name and password but acts like the password or name is incorrect. I have checked that the files and directory permissions are correct. Change the permissions for the web page back to anonymous and it will work.  I need the restricted web pages to work like they did before the active directory rebuild.

Any suggestion would be appreciated.
Thanks
TheCleaner

Is active directory on this server?  Sounds like you are saying it's all in one server, right?
resd

ASKER

>Is active directory on this server?  Sounds like you are saying it's all in one server, right?

That is correct. All resides on the same server. The only change was the rebuild to active directory

1-Make sure "Anonymous Access" is unchecked (even though you have Integrated on).

2-check the event log, security, and see when you put the username/password does it log any failure?

3-Reset iis by going to Run | iisreset

4-Access the webpages

5-Check the Application and System Log (EventLog) and see if any error is logged after iis restarts

------------
Aside from these, are you running IIS 6.0 with application pool? (or isolation 5.0)?
------------
Install IIS Diagnostics toolkit from http://www.microsoft.com/downloads/details.aspx?familyid=9BFA49BC-376B-4A54-95AA-73C9156706E7&displaylang=en

This tool in the package above can help you find out where IIS eats the authentication token: Authentication and Access Control Diagnostics 1.0

thanks,
Michael.

I had this same type of problem.  It was a database thing.  I'll need to look up the resolution.  Be back shortly.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306345

this might not apply to you, but it sounds like it could.  Problem for me was a permission issue on a particular registry key.

My problem started when I upgraded from Oracle 8 to Oracle 9i.

Can you explain the steps you took when you rebuilt AD?

I'm assuming since you said "F8" that you went into Directory Services Restore Mode, but do you recall the commands (like ntdsutil etc) that you ran and the parameters?
resd

ASKER

I'll try to answer everyone's questions

Comment from MichaelPro
>1-Make sure "Anonymous Access" is unchecked (even though you have Integrated on).
I have done that. If that was set they would not have worked before.
>2-check the event log, security, and see when you put the username/password does it log any failure?
 Nothing is showing in the log files
>3-Reset iis by going to Run | iisreset
 OK
>4-Access the webpages
>5-Check the Application and System Log (EventLog) and see if any error is logged after iis restarts

Here is the message from the Eventlog
Error: The Template Persistent Cache initialization failed for Application Pool 'DefaultAppPool' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes..

>Aside from these, are you running IIS 6.0 with application pool? (or isolation 5.0)?
IIS6.0 with application pool


Comment from averyb

>http://support.microsoft.com/default.aspx?scid=kb;EN-US;306345
>this might not apply to you, but it sounds like it could.  Problem for me was a permission issue on a particular registry key.
This is set correctly

Comment from TheCleaner

>Can you explain the steps you took when you rebuilt AD?
>I'm assuming since you said "F8" that you went into Directory Services Restore Mode, but do you recall the commands (like ntdsutil etc) that you ran and the parameters?
Sorry, can't really remember what the exact commands were. I found the instructions here on EE, but can't find them now. Here is the log that it generated:
Summary:
Active Objects           3050
Phantoms              2
Deleted              6
Security descriptor summary:
SD count:             82
Total SD size before single-instancing:                932 Kb
Total SD size after single-instancing:                  77 Kb


What is really strange is web pages that are just plain html, like under construction, if you set to a user name and password, it will tell you you do not have permissions after several tries. It is like IIS6 can see the users in active directory, but active directory is not responding to permissions. I have tried logging on to the server with an old and new user and that works.

Exactly the information I needed! The reason for this problem is (well, most likely) because you have Active Directory on the same server, there are some extra security things that Windows implements. Because of this you need to manually give permission to that user running the application pool. By default, Application Pools run under NETWORK SERVICE account, a member of IIS_WPG. What you need to do is to give IIS_WPG group permission to that folder.

Follow the instruction in here:
http://support.microsoft.com/?id=332097


And keep us posted.

thanks,
Michael
resd

ASKER

Michael

 I have done all the steps in the article Q332097 with the same results. This article would maybe explain the ASP pages not working but not a plain web page. Let's start with a basic page with nothing but the word hello in it, get it to work then work on the ASP pages.  If I set anonymous access it works. If I set Integrated windows authentication even the administrator access gives you the "You do not have permission" message. Set it back to anonymous access and it works.
Thanks
Dan
ASKER CERTIFIED SOLUTION
MichaelPro

This solution is only available to members.

I'm not deep into IIS, but I wonder if when you rebuilt AD you didn't reassign some SIDs.

Does file sharing, drive mappings still work with no problem?

Is there anything else not quite right besides IIS?
resd

ASKER

To MichaelPro
Have checked the IIS_WPG and that is all correct. Anyone can access the web pages using anonymous access. The only problem is with Integrated windows authentication selected. No matter what user, even the administrator. When you enter the password, after three tries it says you do not have permissions.

To TheCleaner
>I'm not deep into IIS, but I wonder if when you rebuilt AD you didn't reassign some SIDs.
Not sure how to do what you ask.

>Does file sharing, drive mappings still work with no problem?
Yes
>Is there anything else not quite right besides IIS?
Not that I have found.

OK, so SIDs are fine.  Check these links, and possibly post a pointer question in the IIS channel:

https://www.experts-exchange.com/questions/21703068/IIS-Integrated-Windows-Authentication-not-working.html


===============
Have checked the IIS_WPG and that is all correct. Anyone can access the web pages using anonymous access. The only problem is with Integrated windows authentication selected. No matter what user, even the administrator. When you enter the password, after three tries it says you do not have permissions.
================

Yes, that is because IIS runs under Application Pool's User. Whatever user is running the application-pool needs to have access to the files/folders for website. Does not matter if Administrator trying to access or someone else. You can check what user is running the AppPool by opening IIS, going to Application Pools, then go to properties of that application pool, Identity tab.

By default this is "Network Service". If it's anything else, it needs to be registered in the Active Directory (setspn command). But if it is "Network Service" already, then you need to make sure your web files are given permission to this user (which runs in IIS_WPG group). You can try changing the AppPool Identity to LocalSystem or Administrator (because system has access to all the files) and check to see if it works.

thanks,
Michael
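
The permission check described in the post above can be scripted; this is an added example, not part of the original thread or any poster's code. It assumes PowerShell is available on the server and that the site lives under the default web root `C:\Inetpub\wwwroot`; the function name `Test-WorkerProcessRead` is hypothetical.

```powershell
# Added example (not from the thread): list items under a web root that the
# IIS 6 worker process identity cannot read through IIS_WPG or NETWORK SERVICE.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot'   # assumption: default IIS 6 web root
)

# Principals named in the thread for the default application pool identity.
$WorkerPrincipals = 'IIS_WPG', 'NETWORK SERVICE'
$ReadRights = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-WorkerProcessRead {
    param([string]$Path)

    $granted = $false
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Strip the domain or authority prefix, e.g. "NT AUTHORITY\NETWORK SERVICE".
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($WorkerPrincipals -notcontains $name) { continue }

        $overlap = [int]$ace.FileSystemRights -band $ReadRights
        if ($ace.AccessControlType -eq 'Deny') {
            # Any denied read bit for the worker identity overrides an Allow.
            if ($overlap -ne 0) { return $false }
        }
        elseif ($overlap -eq $ReadRights) {
            $granted = $true
        }
    }
    return $granted
}

# Check the root folder itself and everything below it.
$items = @(Get-Item -LiteralPath $WebRoot) + @(Get-ChildItem -LiteralPath $WebRoot -Recurse)
$missing = @($items | Where-Object { -not (Test-WorkerProcessRead $_.FullName) })

if ($missing.Count -eq 0) {
    "IIS_WPG or NETWORK SERVICE has read access to every item under $WebRoot"
}
else {
    # Access may still come from another group (Users, Everyone); this only
    # reports items with no grant through the two principals above.
    $missing | ForEach-Object { "No read grant for worker identity: $($_.FullName)" }
}
```
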
resd

ASKER

Michael

 The "Network Service" is the default. The IIS_WPG has all rights to the web files and each user that should be asked for permissions has all access. The permissions are everyone, IIS_WPG, the users (test) that I created for testing, all the old users, network service, network, system, administrator and even the Internet Guest Account. Still the Integrated Windows authentication does not work. Whatever is wrong is affecting all web pages. I have several different domains running and all works until I set a page to Integrated Windows authentication. I know it sounds like a permission problem but I really can not find it. Whatever changed with the AD rebuild is causing the problem.

Thanks
Dan
resd

ASKER

Michael

I have even tried logging in with a user that should have permission and they can see exactly what they are supposed to. Also remote desktop works correctly. It appears to be the connection between IIS6 and AD.

Thanks
Dan
resd

ASKER

Hi All

 Sorry I did not get back to complete this,  but I had a family member get hurt and I have been with them.
What I did to solve this was totally rebuild permissions. It still does not work if I am on the server, but will work if I use IE from another computer.
Thanks for all the help.