[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1696
  • Last Modified:

IIS | Error: Access is Denied.

Recently the web sites on one of our IIS servers is giving us the "Error: Access is Denied." I am new at the organization and have ingerited the task of fixing it. Enter: Experts Exchange. Here is what I know:

The sites are coded in asp.
A user was created to control the authentication for the sites and assigned to the Directory Security TAB.
Anonymous Access is check marked.
Allow IIS to control password is NOT checkmarked.
IIS is on a 2000 machine.
The 2000 machine is in a DMZ.
All passwords in all locations for this user match: both in IIS and Users and Groups.
the user is not listed in Active Directory.

Here is what I dont know:
What version of IIS I am on [there is no "help>about>" in IIS for me to check it.

The very interesting things are:
1. It was working at one point
2. This is a virtual machine which is mirrored on another virtual machine for redundacy. My Systems Team tells me that there is a "Round Robin" DNS scenerio which will bounce back and forth if one IIS Server is down. Currently, they have re-routed things so that only the working virt is receiving all the web traffic.

My task is to bring the broken one back online so as to use the redundancy again.

Short of copying the working IIS data back over to the non-working IIS what trouble-shooting steps can I take to solve this "Error: Access is Denied" message.

Thank you,
0
jsvb1977
Asked:
jsvb1977
  • 7
  • 4
2 Solutions
 
meverestCommented:
Hi,

>> Allow IIS to control password is NOT checkmarked.

start by enabling that option.

Cheers.
0
 
jsvb1977Author Commented:
I will try it again and report back my official findings. If I remember correctly when I tried that I was given a warning message indicating something about not being able to allow IIS to control a password for an account that was not in the domain. again, i will try this and report back my findings.

Jason
0
 
meverestCommented:
>> something about not being able to allow IIS to control a password for an account that was not in the domain

in that case, manually set the password both under the domain users control, and in the IIS directory security - or else change the user to a local user.
0
Transaction-level recovery for Oracle database

Veeam Explore for Oracle delivers low RTOs and RPOs with agentless transaction log backup and transaction-level recovery of Oracle databases. You can restore the database to a precise point in time, even to a specific transaction.

 
jsvb1977Author Commented:
Here is the screenshot of the message IIS gives me when I checkmark "Allow IIS to control the Password."

I dug a little deeper and found out that the previous admin hardened IIS by renaming the default accounts: In an email he writes:

These links will take you to where I got a lot of the information that
I used.  The CIS and NSA guides are extremely useful.  The other link
is really a good result from searching "IIS DMZ Hardening".

Does this information help you to better understand my error?
Jason

4-8-2009-8-37-48-AM.png
0
 
meverestCommented:
refer to my previous comment.

Cheers.
0
 
jsvb1977Author Commented:
OK -- I will do that. But to clarify, what you are asking me to do is to assign a completely new Local User to the web site for authentication?...or are you asking me to change the "status" of the current user to a local user?

Also, in a related thought -- I am getting some "Username / Password" Errors in the Event Logs. I am unclear of where IIS is comparing the passwords. What I mean is, I set both the user password and the IIS user password to be the same, but this error keeps popping up.

I ran the adstuil vbscript in the server and was able to extract the password being used. i then took that password and assigned it to both the User password as well as the IIS user password for authentication. Still the error message appears.

I then changed the password of the User and the User in IIS, ran the script again, and the password spit out by the script was the same [as if I never changed the passord]? I know I successfully changed the password beccase the security audit confirmed it.

I am lost in an IIS sea...please throw me a life jacket....

Jason
0
 
jsvb1977Author Commented:
I changed the user from what it was to IUSER_<Machine Name>, synced the password [or what i think is the password] and I am still getting Access Denied. There are no new events logs that give me any indication of what is wrong.

Jason
0
 
meverestCommented:
>> synced the password [or what i think is the password]

make sure it is the same as the real local user password - reset it in the windows local user manager too.

then make sure that the user (IUSR_<computername>) has read access to the physical folder/s on disk (use ntfs security under windows explorer).

cheers.
0
 
jsvb1977Author Commented:
I think I need to get my ducks in a row here.... perhaps I am not understanding the authentication "trail" so to speak. Here is what I think I know [please correct me if I am wrong]:

Windows 2000 has local users and one of them acts as an administator. In this case it is <servername>\xxxx_adm
IIS uses users to allow access to the website files and folders. This user is typically <servername>\IUSER_<servername>.
IIS also will use an asp user if asp is installed [our IIS does have asp installed] so, IIS uses this user to authenticate against asp pages being loaded into a browser.

So, the key players are:
The Windows 2000 Adminstrator Account
The IIS User Account
The ASP User Account

Who needs to be talking with who? Which passwords need to be aligned?

Jason
0
 
jsvb1977Author Commented:
We have decided to revert back to the pre-existing image of the server while it was still 'working'. thank you for all of your help.
0
 
jsvb1977Author Commented:
As in my most recent post -- we have decided to abondon trying to figure out what the previous IIS administator had done to "harden" IIS. It was a "cost of diminishing returns" decision. We will be restoring an image of the server back from when it was in a "working" state. Thank you, Jason.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 7
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now