PWyatt1
asked on
Missing "User" Account in IIS 6.0
OS: Win 2003 Enterprise, IIS 6.0, All SPs and updates current.
I am hosting a number of sites and one of them all of a sudden will not allow anonymous users into the index page (a logon screen appears). Checking permissions, I see that the "User" account is missing. When I go into the "Add User" in the permissions screens, the "Users" account does not appear for me to add. How do I resolve this problem?
Thanks
Are you referring to IUSR_WAM?
ASKER
No. The OS has the IUSR and the IWAM accounts. I'm talking about the IIS USER account that normally shows up in the list as USERS (MachineName). This selection is not available from the permissions "Add new user" list.
Thanks
Ah, IUSR and IWAM - that's what I meant. Long day...
I don't have IIS installed on this DC. I have a few servers at the office with IIS installed. I'll check tomorrow.
In the meantime, maybe someone else will have some input.
Can you locate that account in AD? It hasn't been disabled, has it?
ASKER
Thanks
ASKER
I can't find the Users account in AD, at least in AD Users and Computers. Just the usual IUSR and IWAM accounts. I don't quite know where to go to look for this account. I have quite a few domains under the same shared domain name, and they don't have this access problem, i.e. if I go into IIS manager\domain\permissions\ in any other site, I can see the Users[computername\users] account. For some reason in this problem domain, I can't see it in the permissions list and I can't find it in the add/delete list to add it back into the list of users w/ permissions.
> Users[computername\users]
That's a Group not an account.
The permissions required to view a website are pretty straight-forward.
Open up IIS Manager, then the Properties for the Website, select Directory Security and click Edit under "Anonymous access and authentication control".
The account listed in the Anonymous Access User Name box is the one that must have permission on the directory structure for the website. It will need at least Read Access if you intend people to be able to view pages.
Check that that account is mentioned in the permissions for the website folder.
Chris
The only thing I see on mine is Users(Domain\Users). If you simply type in Users in the lower pane, then Check Names you should get it.
ASKER
Thanks Netman. That's my problem. It's not in the list.
I'll take Chris Dent's suggestion and get back to you.
ASKER
Hi Chris:
I tried your solution: deleted the anonymous account and reentered it from the list. Still the same problem. What did you mean by "The account listed in the Anonymous Access User Name box is the one that must have permission on the directory structure for the website. It will need at least Read Access if you intend people to be able to view pages." How do I get to see what permissions are assigned to it, i.e. the read/execute permissions? I tried going to AD Users and Computers and clicking on IUSR_Machine_Name\properties and there was no option for permissions.
What bugs me is that I have about 200+ other websites under a shared domain and the rest of the sites are fine i.e. there is anonymous access. It's just this one site. In a side-by-side comparison of entries in the Permissions list, the only difference is that the USERS group is missing and USERS is also not available in the list.
Another kink in this matter is that I have Administrator permissions, and I am logged into this server as an Administrator. Every time I try to change something on this one site, I get the logon request box (same box, different problem). I don't have this problem on the other sites.
I definitely have permissions problems that are driving me crazy!
It's not a property of the user account, it's NTFS permissions. There are a few common causes for an unwanted logon box. One is that the Anonymous user isn't listed in the NTFS permissions set for the site; another is that Anonymous access has been disabled.
If you go with the default set of folders for IIS then you have:
C:\InetPub\wwwroot\Website
C:\InetPub\wwwroot\Website
etc
You would presumably also have Websites configured that correspond to those directories.
The account configured as the anonymous access account for Website1 will need to have at least Read access to C:\InetPub\wwwroot\Website
Users is just a Local Group on the Server itself - it means very little and in my opinion you shouldn't be using that group for your Anonymous accounts - they should be Guests only as that gives them fewer rights on the server.
Basically there is a minimum set of permissions required on the site; exactly which you require depends on what the site is doing. You don't even have to use the default accounts the server provides you with for this, they can all be replaced.
A basic set can constitute:
IUSR_ComputerName - Read Only
IWAM_ComputerName - Read Only
ASPNET - Read Only - If .NET (ASPX) is required
Administrators - Full Control (because you need to administer the server)
And that's all.
Chris
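The check described in the post above, as an added example that is not part of the original thread: it parses an `icacls` listing for a site folder and reports which accounts from the basic set have no explicit read access. The machine name `WEB01` and the listing are constructed; only direct ACEs are examined, so access an account gets through a group such as Users is not resolved.

```python
import re

READ_RIGHTS = {"F", "M", "RX", "R"}            # simple rights that include read
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}  # inheritance markers, not rights
ACE = re.compile(r"(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)")

# Constructed sample in the layout icacls prints; WEB01 is a made-up machine name.
FOLDER = r"C:\InetPub\wwwroot\Website1"
SAMPLE = r"""C:\InetPub\wwwroot\Website1 BUILTIN\Administrators:(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            WEB01\IWAM_WEB01:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(listing, folder):
    """Return (account, rights, is_deny) for each ACE listed for one folder."""
    aces = []
    for line in listing.splitlines():
        line = line.strip()
        if line.lower().startswith(folder.lower()):
            line = line[len(folder):].strip()
        m = ACE.fullmatch(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights = {p.strip() for f in flags
                  if f not in INHERIT_FLAGS and f != "DENY"
                  for p in f.split(",")}
        aces.append((m.group("who").strip(), rights, "DENY" in flags))
    return aces

def can_read(aces, account):
    """True if the account has an allow ACE with read and no deny ACE on read."""
    allowed = False
    for who, rights, deny in aces:
        if who.split("\\")[-1].lower() != account.lower():
            continue
        if rights & READ_RIGHTS:
            if deny:
                return False
            allowed = True
    return allowed

def missing_readers(listing, folder, accounts):
    """Accounts from the required list that cannot read the folder."""
    aces = parse_icacls(listing, folder)
    return [a for a in accounts if not can_read(aces, a)]

if __name__ == "__main__":
    print(missing_readers(SAMPLE, FOLDER, ["IUSR_WEB01", "IWAM_WEB01", "Administrators"]))
```

On the sample listing the anonymous account `IUSR_WEB01` is reported, which is the condition that produces the unwanted logon box.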
ASKER
Thanks Chris:
The Guests is a built in account and marked with a red X so I assume it is an AD/IIS default account and it will not allow modification, which is fine.
On the Permissions page for the IIS folder, "Anonymous Access" is clicked and the proper IUSR account and password is visible.
Nothing appears to be amiss. As I said before, something that is probably part of the problem is that I have administrator privileges, but I get the logon prompt every time I want to change any of the folder permission settings. It's like IIS has locked every user out for this folder. All the other website folders are fine.
Any additional help would be appreciated. I am mystified.
Thanks.
> but I get the logon prompt every time I want to change any of the folder permission settings
How are you changing the permission settings?
Chris
ASKER
Sorry...miscommunication:
I'm not changing any permissions. It's just that when I try to go into the permissions add/delete user screen, I get the logon prompt.
Phil
I'm just not all that clear exactly where you're going to get that prompt... is it in the website itself?
Chris
ASKER
Thanks Chris:
I am getting the prompt when I go to the website www.hospitalcentral.com
I also get the prompt when I try to go into the permissions add/delete user screen.
Regards,
Phil Wyatt
ASKER
OK. I'm bumping this up to 125 points. I need this resolved.
ASKER
Hi Chris-Dent.
I figured out the problem, (2 problems) or at least it is working now.
On the Permissions issue: First, I deleted the website from IIS, restarted IIS, then added the site back into IIS. That got my IUSR permissions back in the list. I could then make sure they were set up right.
The prompt was caused by a misconfigured DNS. I have AD integrated DNS. It seems that DNS does not like to have the name server HOST (A) records specified in any sub-domain, just the (name server) listing without the host record. Also in each domain's DNS, I have a WWW record pointing to the IIS server. It seems that DNS also wants a HOST (A) record pointing to the same IIS server.
Once I did these two things, everything worked out fine.
Thanks for the help