Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


IIS | Error: Access is Denied.

Posted on 2009-04-07
Medium Priority
Last Modified: 2012-05-06
Recently the web sites on one of our IIS servers is giving us the "Error: Access is Denied." I am new at the organization and have ingerited the task of fixing it. Enter: Experts Exchange. Here is what I know:

The sites are coded in asp.
A user was created to control the authentication for the sites and assigned to the Directory Security TAB.
Anonymous Access is check marked.
Allow IIS to control password is NOT checkmarked.
IIS is on a 2000 machine.
The 2000 machine is in a DMZ.
All passwords in all locations for this user match: both in IIS and Users and Groups.
the user is not listed in Active Directory.

Here is what I dont know:
What version of IIS I am on [there is no "help>about>" in IIS for me to check it.

The very interesting things are:
1. It was working at one point
2. This is a virtual machine which is mirrored on another virtual machine for redundacy. My Systems Team tells me that there is a "Round Robin" DNS scenerio which will bounce back and forth if one IIS Server is down. Currently, they have re-routed things so that only the working virt is receiving all the web traffic.

My task is to bring the broken one back online so as to use the redundancy again.

Short of copying the working IIS data back over to the non-working IIS what trouble-shooting steps can I take to solve this "Error: Access is Denied" message.

Thank you,
Question by:jsvb1977
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
LVL 37

Expert Comment

ID: 24092807

>> Allow IIS to control password is NOT checkmarked.

start by enabling that option.


Author Comment

ID: 24092887
I will try it again and report back my official findings. If I remember correctly when I tried that I was given a warning message indicating something about not being able to allow IIS to control a password for an account that was not in the domain. again, i will try this and report back my findings.

LVL 37

Accepted Solution

meverest earned 1500 total points
ID: 24092936
>> something about not being able to allow IIS to control a password for an account that was not in the domain

in that case, manually set the password both under the domain users control, and in the IIS directory security - or else change the user to a local user.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 24096638
Here is the screenshot of the message IIS gives me when I checkmark "Allow IIS to control the Password."

I dug a little deeper and found out that the previous admin hardened IIS by renaming the default accounts: In an email he writes:

These links will take you to where I got a lot of the information that
I used.  The CIS and NSA guides are extremely useful.  The other link
is really a good result from searching "IIS DMZ Hardening".

Does this information help you to better understand my error?

LVL 37

Expert Comment

ID: 24102862
refer to my previous comment.


Author Comment

ID: 24103197
OK -- I will do that. But to clarify, what you are asking me to do is to assign a completely new Local User to the web site for authentication?...or are you asking me to change the "status" of the current user to a local user?

Also, in a related thought -- I am getting some "Username / Password" Errors in the Event Logs. I am unclear of where IIS is comparing the passwords. What I mean is, I set both the user password and the IIS user password to be the same, but this error keeps popping up.

I ran the adstuil vbscript in the server and was able to extract the password being used. i then took that password and assigned it to both the User password as well as the IIS user password for authentication. Still the error message appears.

I then changed the password of the User and the User in IIS, ran the script again, and the password spit out by the script was the same [as if I never changed the passord]? I know I successfully changed the password beccase the security audit confirmed it.

I am lost in an IIS sea...please throw me a life jacket....


Author Comment

ID: 24110600
I changed the user from what it was to IUSER_<Machine Name>, synced the password [or what i think is the password] and I am still getting Access Denied. There are no new events logs that give me any indication of what is wrong.

LVL 37

Assisted Solution

meverest earned 1500 total points
ID: 24113574
>> synced the password [or what i think is the password]

make sure it is the same as the real local user password - reset it in the windows local user manager too.

then make sure that the user (IUSR_<computername>) has read access to the physical folder/s on disk (use ntfs security under windows explorer).


Author Comment

ID: 24116645
I think I need to get my ducks in a row here.... perhaps I am not understanding the authentication "trail" so to speak. Here is what I think I know [please correct me if I am wrong]:

Windows 2000 has local users and one of them acts as an administator. In this case it is <servername>\xxxx_adm
IIS uses users to allow access to the website files and folders. This user is typically <servername>\IUSER_<servername>.
IIS also will use an asp user if asp is installed [our IIS does have asp installed] so, IIS uses this user to authenticate against asp pages being loaded into a browser.

So, the key players are:
The Windows 2000 Adminstrator Account
The IIS User Account
The ASP User Account

Who needs to be talking with who? Which passwords need to be aligned?


Author Comment

ID: 24131305
We have decided to revert back to the pre-existing image of the server while it was still 'working'. thank you for all of your help.

Author Closing Comment

ID: 31567781
As in my most recent post -- we have decided to abondon trying to figure out what the previous IIS administator had done to "harden" IIS. It was a "cost of diminishing returns" decision. We will be restoring an image of the server back from when it was in a "working" state. Thank you, Jason.

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What is an ISAPI filter?   •      It's an assembly (.dll file) that can add or change the way IIS works.   •      They can be enabled globally for your web server or on a site-by-site basis.   When the IIS server receives a request, enabling the ISAPI fi…
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question