Solved

IIS | Error: Access is Denied.

Posted on 2009-04-07
11
1,653 Views
Last Modified: 2012-05-06
Recently the web sites on one of our IIS servers is giving us the "Error: Access is Denied." I am new at the organization and have ingerited the task of fixing it. Enter: Experts Exchange. Here is what I know:

The sites are coded in asp.
A user was created to control the authentication for the sites and assigned to the Directory Security TAB.
Anonymous Access is check marked.
Allow IIS to control password is NOT checkmarked.
IIS is on a 2000 machine.
The 2000 machine is in a DMZ.
All passwords in all locations for this user match: both in IIS and Users and Groups.
the user is not listed in Active Directory.

Here is what I dont know:
What version of IIS I am on [there is no "help>about>" in IIS for me to check it.

The very interesting things are:
1. It was working at one point
2. This is a virtual machine which is mirrored on another virtual machine for redundacy. My Systems Team tells me that there is a "Round Robin" DNS scenerio which will bounce back and forth if one IIS Server is down. Currently, they have re-routed things so that only the working virt is receiving all the web traffic.

My task is to bring the broken one back online so as to use the redundancy again.

Short of copying the working IIS data back over to the non-working IIS what trouble-shooting steps can I take to solve this "Error: Access is Denied" message.

Thank you,
0
Comment
Question by:jsvb1977
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 24092807
Hi,

>> Allow IIS to control password is NOT checkmarked.

start by enabling that option.

Cheers.
0
 

Author Comment

by:jsvb1977
ID: 24092887
I will try it again and report back my official findings. If I remember correctly when I tried that I was given a warning message indicating something about not being able to allow IIS to control a password for an account that was not in the domain. again, i will try this and report back my findings.

Jason
0
 
LVL 37

Accepted Solution

by:
meverest earned 500 total points
ID: 24092936
>> something about not being able to allow IIS to control a password for an account that was not in the domain

in that case, manually set the password both under the domain users control, and in the IIS directory security - or else change the user to a local user.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:jsvb1977
ID: 24096638
Here is the screenshot of the message IIS gives me when I checkmark "Allow IIS to control the Password."

I dug a little deeper and found out that the previous admin hardened IIS by renaming the default accounts: In an email he writes:

These links will take you to where I got a lot of the information that
I used.  The CIS and NSA guides are extremely useful.  The other link
is really a good result from searching "IIS DMZ Hardening".

Does this information help you to better understand my error?
Jason

4-8-2009-8-37-48-AM.png
0
 
LVL 37

Expert Comment

by:meverest
ID: 24102862
refer to my previous comment.

Cheers.
0
 

Author Comment

by:jsvb1977
ID: 24103197
OK -- I will do that. But to clarify, what you are asking me to do is to assign a completely new Local User to the web site for authentication?...or are you asking me to change the "status" of the current user to a local user?

Also, in a related thought -- I am getting some "Username / Password" Errors in the Event Logs. I am unclear of where IIS is comparing the passwords. What I mean is, I set both the user password and the IIS user password to be the same, but this error keeps popping up.

I ran the adstuil vbscript in the server and was able to extract the password being used. i then took that password and assigned it to both the User password as well as the IIS user password for authentication. Still the error message appears.

I then changed the password of the User and the User in IIS, ran the script again, and the password spit out by the script was the same [as if I never changed the passord]? I know I successfully changed the password beccase the security audit confirmed it.

I am lost in an IIS sea...please throw me a life jacket....

Jason
0
 

Author Comment

by:jsvb1977
ID: 24110600
I changed the user from what it was to IUSER_<Machine Name>, synced the password [or what i think is the password] and I am still getting Access Denied. There are no new events logs that give me any indication of what is wrong.

Jason
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 500 total points
ID: 24113574
>> synced the password [or what i think is the password]

make sure it is the same as the real local user password - reset it in the windows local user manager too.

then make sure that the user (IUSR_<computername>) has read access to the physical folder/s on disk (use ntfs security under windows explorer).

cheers.
0
 

Author Comment

by:jsvb1977
ID: 24116645
I think I need to get my ducks in a row here.... perhaps I am not understanding the authentication "trail" so to speak. Here is what I think I know [please correct me if I am wrong]:

Windows 2000 has local users and one of them acts as an administator. In this case it is <servername>\xxxx_adm
IIS uses users to allow access to the website files and folders. This user is typically <servername>\IUSER_<servername>.
IIS also will use an asp user if asp is installed [our IIS does have asp installed] so, IIS uses this user to authenticate against asp pages being loaded into a browser.

So, the key players are:
The Windows 2000 Adminstrator Account
The IIS User Account
The ASP User Account

Who needs to be talking with who? Which passwords need to be aligned?

Jason
0
 

Author Comment

by:jsvb1977
ID: 24131305
We have decided to revert back to the pre-existing image of the server while it was still 'working'. thank you for all of your help.
0
 

Author Closing Comment

by:jsvb1977
ID: 31567781
As in my most recent post -- we have decided to abondon trying to figure out what the previous IIS administator had done to "harden" IIS. It was a "cost of diminishing returns" decision. We will be restoring an image of the server back from when it was in a "working" state. Thank you, Jason.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question