Improve company productivity with a Business Account.Sign Up

x
?
Solved

IIS | Error: Access is Denied.

Posted on 2009-04-07
11
Medium Priority
?
1,742 Views
Last Modified: 2012-05-06
Recently the web sites on one of our IIS servers is giving us the "Error: Access is Denied." I am new at the organization and have ingerited the task of fixing it. Enter: Experts Exchange. Here is what I know:

The sites are coded in asp.
A user was created to control the authentication for the sites and assigned to the Directory Security TAB.
Anonymous Access is check marked.
Allow IIS to control password is NOT checkmarked.
IIS is on a 2000 machine.
The 2000 machine is in a DMZ.
All passwords in all locations for this user match: both in IIS and Users and Groups.
the user is not listed in Active Directory.

Here is what I dont know:
What version of IIS I am on [there is no "help>about>" in IIS for me to check it.

The very interesting things are:
1. It was working at one point
2. This is a virtual machine which is mirrored on another virtual machine for redundacy. My Systems Team tells me that there is a "Round Robin" DNS scenerio which will bounce back and forth if one IIS Server is down. Currently, they have re-routed things so that only the working virt is receiving all the web traffic.

My task is to bring the broken one back online so as to use the redundancy again.

Short of copying the working IIS data back over to the non-working IIS what trouble-shooting steps can I take to solve this "Error: Access is Denied" message.

Thank you,
0
Comment
Question by:jsvb1977
  • 7
  • 4
11 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 24092807
Hi,

>> Allow IIS to control password is NOT checkmarked.

start by enabling that option.

Cheers.
0
 

Author Comment

by:jsvb1977
ID: 24092887
I will try it again and report back my official findings. If I remember correctly when I tried that I was given a warning message indicating something about not being able to allow IIS to control a password for an account that was not in the domain. again, i will try this and report back my findings.

Jason
0
 
LVL 37

Accepted Solution

by:
meverest earned 1500 total points
ID: 24092936
>> something about not being able to allow IIS to control a password for an account that was not in the domain

in that case, manually set the password both under the domain users control, and in the IIS directory security - or else change the user to a local user.
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 

Author Comment

by:jsvb1977
ID: 24096638
Here is the screenshot of the message IIS gives me when I checkmark "Allow IIS to control the Password."

I dug a little deeper and found out that the previous admin hardened IIS by renaming the default accounts: In an email he writes:

These links will take you to where I got a lot of the information that
I used.  The CIS and NSA guides are extremely useful.  The other link
is really a good result from searching "IIS DMZ Hardening".

Does this information help you to better understand my error?
Jason

4-8-2009-8-37-48-AM.png
0
 
LVL 37

Expert Comment

by:meverest
ID: 24102862
refer to my previous comment.

Cheers.
0
 

Author Comment

by:jsvb1977
ID: 24103197
OK -- I will do that. But to clarify, what you are asking me to do is to assign a completely new Local User to the web site for authentication?...or are you asking me to change the "status" of the current user to a local user?

Also, in a related thought -- I am getting some "Username / Password" Errors in the Event Logs. I am unclear of where IIS is comparing the passwords. What I mean is, I set both the user password and the IIS user password to be the same, but this error keeps popping up.

I ran the adstuil vbscript in the server and was able to extract the password being used. i then took that password and assigned it to both the User password as well as the IIS user password for authentication. Still the error message appears.

I then changed the password of the User and the User in IIS, ran the script again, and the password spit out by the script was the same [as if I never changed the passord]? I know I successfully changed the password beccase the security audit confirmed it.

I am lost in an IIS sea...please throw me a life jacket....

Jason
0
 

Author Comment

by:jsvb1977
ID: 24110600
I changed the user from what it was to IUSER_<Machine Name>, synced the password [or what i think is the password] and I am still getting Access Denied. There are no new events logs that give me any indication of what is wrong.

Jason
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 1500 total points
ID: 24113574
>> synced the password [or what i think is the password]

make sure it is the same as the real local user password - reset it in the windows local user manager too.

then make sure that the user (IUSR_<computername>) has read access to the physical folder/s on disk (use ntfs security under windows explorer).

cheers.
0
 

Author Comment

by:jsvb1977
ID: 24116645
I think I need to get my ducks in a row here.... perhaps I am not understanding the authentication "trail" so to speak. Here is what I think I know [please correct me if I am wrong]:

Windows 2000 has local users and one of them acts as an administator. In this case it is <servername>\xxxx_adm
IIS uses users to allow access to the website files and folders. This user is typically <servername>\IUSER_<servername>.
IIS also will use an asp user if asp is installed [our IIS does have asp installed] so, IIS uses this user to authenticate against asp pages being loaded into a browser.

So, the key players are:
The Windows 2000 Adminstrator Account
The IIS User Account
The ASP User Account

Who needs to be talking with who? Which passwords need to be aligned?

Jason
0
 

Author Comment

by:jsvb1977
ID: 24131305
We have decided to revert back to the pre-existing image of the server while it was still 'working'. thank you for all of your help.
0
 

Author Closing Comment

by:jsvb1977
ID: 31567781
As in my most recent post -- we have decided to abondon trying to figure out what the previous IIS administator had done to "harden" IIS. It was a "cost of diminishing returns" decision. We will be restoring an image of the server back from when it was in a "working" state. Thank you, Jason.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Logparser is the smartest tool I have ever used in parsing IIS log files and there are many interesting things I wanted to share with everyone one of the  real-world  scenario from my current project. Let's get started with  scenario - How do w…
Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
If you are looking for an automated solution for backup single or multiple Office 365 user mailboxes to Outlook data file, then you can use Kernel Office 365 Backup & Restore tool. Go through the video to check out the steps to backup single or mult…
Watch the video to know the process of migration of Exchange or Office 365 mailboxes in absence of MS Outlook. It is an eminent tool which can easily migrate Public, Archive user mailboxes from one another Exchange server and Office 365. Kernel Migr…

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question