Solved

Missing "User" Account in IIS 6.0

Posted on 2006-06-12
19
475 Views
Last Modified: 2012-05-05
OS: Win 2003 Enterprise, IIS 6.0, All SPs and updates current.

I am hosting a number of sites and one of them all of a sudden will not allow anonymous users into the index page (a logon screen appears). Checking permissions, I see that the "User" account is missing. When I go into the "Add User" in the permissions screens, the "Users" account does not appear for me to add.  How do I resolve this problem?

Thanks
0
Comment
Question by:PWyatt1
  • 10
  • 5
  • 3
  • +1
19 Comments
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Are you referring to IUSR_WAM?

0
 

Author Comment

by:PWyatt1
Comment Utility
No. The OS has the IUSR and the IWAM accounts.  I'm talking about the IIS USER account that normally shows up in the list as USERS (MachineName). This selection is not available from the permissions "Add new user" list.
Thanks
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Ah, IUSR and IWAM - that's what I meant.  Long day...

I don't have IIS installed on this DC.  I have a few servers at the office with IIS installed.  I'll check tomorrow.

In the meantime, maybe someone else will have some input.



0
 
LVL 48

Expert Comment

by:Jay_Jay70
Comment Utility
can you locate that account in AD? it hasnt been disabled has it?
0
 

Author Comment

by:PWyatt1
Comment Utility
Thanks
0
 

Author Comment

by:PWyatt1
Comment Utility
I can't find the Users account in AD, at least in AD Users and Computers. Just the usual IUSR and IWAM accounts. I don't quite know to go to look for this account. I have quite a few domains under the same shared domain name, and they don't have this access problem. i.e. if I go into IIS manager\domain\permissions\ , in any other site, I can see the Users[computername\users] account. For some reason in this problem domain, I can't see it in the permissions list and I can't find it in the add/delet list to add it back into the list of users w/ permissions.
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

> Users[computername\users]

That's a Group not an account.

The permissions required to view a website are pretty straight-forward.

Open up IIS Manager, then the Properties for the Website, select Directory Security and click Edit under "Anonymous access and authentication control".

The account listed in the Anonymous Access User Name box is the one that must have permission on the directory structure for the website. It will need at least Read Access if you intend people to be able to view pages.

Check that that account is mentioned in the permissions for the website folder.

Chris
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
The only thing I see on mine is Users(Domain\Users).  If you simply type in Users in the lower pane, then Check Names you should get it.

0
 

Author Comment

by:PWyatt1
Comment Utility
Thanks Netman. That's my problem. It's not in the list.
I'll take Chris Dent's suggestion and get back to you.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:PWyatt1
Comment Utility
Hi Chris:
I tried your solution: deleted the anonymous account and reentered it from the list. Still the same problem.  What did you mean by "The account listed in the Anonymous Access User Name box is the one that must have permission on the directory structure for the website. It will need at least Read Access if you intend people to be able to view pages." How do I get to see what permissions are assigned to it i.e the read/execute permissions? I tried going to AD Users and Computers and clicking on IUSR_Machine_Name\properties and there was no option for permissions.

What bugs me is that I have about 200+ other websites under a  shared domain and the rest of the sites are fine i.e. there is anonymous access. It's just this one site. In a side-by-side comparison of entries in the Permissions list, the only difference is that the USERS group is missing and USERS is also not available in the list.

Another kink in this matter is that I have Administrator permissions, and I am logged into this server as an Administrator. Every time I try to change something on this one site, I get the logon request box (same box, different problem). I don't have this problem on the other sites.

I definitely have permissions problems that are driving me crazy!
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

It's not a property of the user account it's NTFS Permissions - there are a few common causes for an unwanted logon box. One is that the Anonymous user isn't listed in the NTFS permissions set for the site; Another is that Anonymous access has been disabled.

If you go with the default set of folders for IIS then you have:

C:\InetPub\wwwroot\Website1
C:\InetPut\wwwroot\Website2
etc

You would presumably also have Websites configured that correspond to those directories.

The Account Configured as the anonymous access account for Website1 will need to have at least Read access to C:\InetPub\wwwroot\Website1; the account configured as the anonymous access account for Website2 will need at least Read Access to C:\InetPub\wwwroot\Website2, etc etc.

Users is just a Local Group on the Server itself - it means very little and in my opinion you shouldn't be using that group for your Anonymous accounts - they should be Guests only as that gives them fewer rights on the server.

Basically there is a minimum set of permissions required on the site; exactly which you require depends on what the site is doing. You don't even have to use the default accounts the server provides you with for this, they can all be replaced.

A basic set can constitute:

IUSR_ComputerName - Read Only
IWAM_ComputerName - Read Only
ASPNET - Read Only - If .NET (ASPX) is required
Administrators - Full Control (because you need to administer the server)

And that's all.

Chris
0
 

Author Comment

by:PWyatt1
Comment Utility
Thanks Chris:

The Guests is a built in account and marked with a red X so I assume it is an AD/IIS default account and it will not allow modification, which is fine.

On the Permissions page for the IIS folder, "Anonymous Access" is clicked and the proper IUSR account and password is visible.

Nothing appears to be amiss. As I said before, something that is probably part of the problem is that I have administrator privileges, but I get the logon prompt every time I want to change any of the folder permission settings. It's like IIS has locked evry user out for this folder. All the other website folders are fine.

Any additional help would be appreciated. I am mystified.

Thanks.

0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

> but I get the logon prompt every time I want to change any of the folder permission settings

How are you changing the permission settings?

Chris
0
 

Author Comment

by:PWyatt1
Comment Utility
Sorry...miscommuniaction:
I'm not changing any permissions. It's just that when I try to go into the permissions add/delete user screen, I get the logon promt.

Phil
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

I'm just all that clear exactly where you're going to get that prompt... is it in the website itself?

Chris
0
 

Author Comment

by:PWyatt1
Comment Utility
Thanks CHris:
I am getting the prompt when I go to the website www.hospitalcentral.com
I also get the prompt when I try to go into the permissions add/delete user screen.
Regards,
Phil Wyatt
0
 

Author Comment

by:PWyatt1
Comment Utility
OK. I'm bumping this up to 125 points. I need this resloved.
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 125 total points
Comment Utility

If you have the permissions set correctly on the file system (which are frequently the problem) and the correct accounts configured in IIS then it's difficult to say what's going on.

You could try the FileMon tool from SysInternals:

http://www.sysinternals.com/Utilities/Filemon.html

Which may help figure out what it's trying to access and can't.

You may also consider resetting the IUSR password to ensure that it matches the one configured in IIS.

Chris
0
 

Author Comment

by:PWyatt1
Comment Utility
Hi Chris-Dent.

I figured out the problem, (2 problems) or at least it is working now.

On the Permissions isse: First, I deleted the website from IIS, rstarted IIS, then added the site back into IIS. That got my IUSR permissions back in the list. I could then make sure they were set up right.

The promt was caused by a misconfigured DNS. I have AD integrated DNS. It seems that DNS does not like to have the name server HOST (A) records specified in any sub-domain, just the (name server) listing without the host record. Also in each domain's DNS, I have a WWW record pointing to the IIS server. It seems that DNS also wants a HOST (A) record pointing to the same IIS server.

Once I did these two things, everything worked out fine.

Thanks for the help
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now