IIS 6 authentication prompt appearing

freezingHot
IIS 6 is prompting for a user name and password for our default web site.

We have the following settings in place for the default web site: Enable Anonymous Access is selected.

The virtual directory has Enable Anonymous Access as well as Integrated Windows Authentication.

The folder has the proper Internet guest account added with read/write/execute permissions (execute

What else could be causing the authentication prompts to appear?

Thanks for the help.



Author

Commented:
I ran the diagnostic tools from MS and it came back with:

AnonymousUserPass
logon failed
Path:W3SVC/1/ROOT/myWebsite
AuthType:Anonymous

AnonymousPasswordSync
The current configuration requires IIS subauthentication. However, the IIS subauthentication component, iissuba.dll, is not currently configured.
Path:W3SVC/1/ROOT/myWebsite
AuthType:Anonymous

AnonymousPasswordSync
The current configuration uses IIS subauthentication for anonymous authentication. This requires that the worker process be configured to run as the Local System identity, which is not recommended for security reasons.
Path:W3SVC/1/ROOT/myWebSite
AuthType:Anonymous

Server's response: HTTP/1.1 401 Unauthorized
Learn about IIS status codes
Path:W3SVC/1/ROOT/myWebsite
AuthType:Anonymous

BUILTIN\Users does not have Access this computer from the network privilege
Path:W3SVC/1/ROOT/myWebSite
AuthType:NTLM

Everyone does not have Access this computer from the network privilege
Path:W3SVC/1/ROOT/myWebsite
AuthType:NTLM

Service principal name (SPN) for user 'IWAM_MyServer' not found in Active Directory
Path:W3SVC/1/ROOT/myWebSite
AuthType:Kerberos

Test Authentication
Path:W3SVC/1/ROOT/myWebSite
AuthType:NTLM

Diagnostics complete
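
An added example, not part of the original post and not Microsoft's tool: a small Python parser that turns a pasted report like the one above into per-finding records, so the anonymous logon failure can be separated from the NTLM and Kerberos findings. The record shape (message text, then `Path:`, then `AuthType:`) and the function names are assumptions inferred from this paste; the parser accepts the message either on its own line or run together with the `Path:` field, as copied reports often are.

```python
import re

# Constructed sample: findings taken from the report above, with the message
# run together with "Path:" as happens when the report is copied from the tool.
SAMPLE = """\
AnonymousUserPass
logon failedPath:W3SVC/1/ROOT/myWebsite
AuthType:Anonymous
Server's response: HTTP/1.1 401 Unauthorized
Learn about IIS status codesPath:W3SVC/1/ROOT/myWebsite
AuthType:Anonymous
Service principal name (SPN) for user 'IWAM_MyServer' not found in Active DirectoryPath:W3SVC/1/ROOT/myWebSite
AuthType:Kerberos
Test Authentication
Path:W3SVC/1/ROOT/myWebSite
AuthType:NTLM
Diagnostics complete
"""

PATH_RE = re.compile(r"^(?P<msg>.*?)Path:(?P<path>W3SVC/\S+)$")

def parse_findings(text):
    """Assumed shape: message line(s), 'Path:<metabase path>', 'AuthType:<type>'."""
    findings, buf, path = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = PATH_RE.match(line)
        if m:                                   # message may be fused onto the Path line
            if m.group("msg"):
                buf.append(m.group("msg"))
            path = m.group("path").lower()      # paste mixes myWebsite / myWebSite
        elif line.startswith("AuthType:") and path is not None:
            findings.append({"message": " ".join(buf), "path": path,
                             "auth_type": line.split(":", 1)[1]})
            buf, path = [], None                # record closed, start the next one
        elif line:
            buf.append(line)                    # check name or message text
    return findings

def by_auth_type(findings):
    """Group messages per authentication method for triage."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["auth_type"], []).append(f["message"])
    return grouped

def anonymous_logon_failed(findings):
    """True if the report shows the anonymous account itself failing to log on."""
    return any(f["auth_type"] == "Anonymous" and "logon failed" in f["message"]
               for f in findings)
```

Calling `by_auth_type(parse_findings(SAMPLE))` lists the Anonymous findings first, which is the group to resolve before looking at the NTLM and Kerberos entries.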

Commented:
Did you enable Windows 2000 style classic security & sharing options?
Farhan Kazi
Systems Engineer
Top Expert 2007

Commented:
Make sure you have proper security permissions on the "myWebsite" folder. It should be like:
SERVER\Administrator -> Full Control
Creator Owner        -> Special
System               -> Full Control
SERVER\Users         -> Read & Execute, List Folder Contents, Read

The best way is to set "Allow inheritable permissions from parent..." for the folder.

Also, in a normal IIS installation, the IIS install creates the IUSR account (in the Windows SAM), sets the password, and then stores a copy of the password (encrypted) in the IIS metabase.
However, if the Windows password for the IUSR account changes, then IIS won't know what the new password is and won't be able to log on the IUSR account.

Solutions to this problem:
a) If the IUSR password has changed (and you know what the new password is), then reset the IUSR password in IIS Manager, so that IIS knows what the password is again.

Author

Commented:
What we found was that the IUSR account on the web server was trying to authenticate to our DC and failing. We had to change the IUSR account in IIS to a domain user on the DC to make it work.

Is this OK to do as far as security issues are concerned? If not, what is an acceptable solution?

Thanks again.
Systems Engineer
Top Expert 2007
Commented:
Hi freezingHot,

As per M$:
Since this account name is known, it is recommended in some security texts that you change the name of the IUSR account to a different name in order to make it more difficult for a hacker to guess a username and password on the server. This is sound advice for high security servers; however, there are a few things to keep in mind.
When you change the name of the anonymous user account, you must change it in the Internet Information Services Manager and also in Users and Groups for the local computer (presuming you are using a local account for the anonymous user). If you delete the IUSR account or change the name in the Users and Groups and do not assign a new anonymous user account in the Internet Services Manager, the IUSR account will be recreated automatically on the next reboot. I often simply disable the IUSR account and create a new one, then assign the new account for anonymous access in Internet Services Manager. If you've run the IIS Lockdown tool, make the new user a member of the Web Anonymous Users local group.
Link: http://www.microsoft.com/technet/community/columns/insider/iisi1102.mspx

If you change the IUSR_<servername> password, or the password of the user that you have created for IIS, then you'd need to change the password in two places:

[a] Change it in Active Directory Users and Computers.
[b] Change it on *every* DC-based installation of Internet Information Services
[c] Do *NOT* change the password on IIS installations that are not on DCs, because they're actually using a *local* account and password, not the domain account and password.

I would recommend that you read the following articles before you start.
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_19068
http://www.tek-tips.com/viewthread.cfm?qid=1371137&page=1
http://www.microsoft.com/technet/community/columns/insider/iisi1201.mspx
