Solved

IIS | Error: Access is Denied.

Posted on 2009-04-07
11
1,661 Views
Last Modified: 2012-05-06
Recently the web sites on one of our IIS servers is giving us the "Error: Access is Denied." I am new at the organization and have ingerited the task of fixing it. Enter: Experts Exchange. Here is what I know:

The sites are coded in asp.
A user was created to control the authentication for the sites and assigned to the Directory Security TAB.
Anonymous Access is check marked.
Allow IIS to control password is NOT checkmarked.
IIS is on a 2000 machine.
The 2000 machine is in a DMZ.
All passwords in all locations for this user match: both in IIS and Users and Groups.
the user is not listed in Active Directory.

Here is what I dont know:
What version of IIS I am on [there is no "help>about>" in IIS for me to check it.

The very interesting things are:
1. It was working at one point
2. This is a virtual machine which is mirrored on another virtual machine for redundacy. My Systems Team tells me that there is a "Round Robin" DNS scenerio which will bounce back and forth if one IIS Server is down. Currently, they have re-routed things so that only the working virt is receiving all the web traffic.

My task is to bring the broken one back online so as to use the redundancy again.

Short of copying the working IIS data back over to the non-working IIS what trouble-shooting steps can I take to solve this "Error: Access is Denied" message.

Thank you,
0
Comment
Question by:jsvb1977
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 24092807
Hi,

>> Allow IIS to control password is NOT checkmarked.

start by enabling that option.

Cheers.
0
 

Author Comment

by:jsvb1977
ID: 24092887
I will try it again and report back my official findings. If I remember correctly when I tried that I was given a warning message indicating something about not being able to allow IIS to control a password for an account that was not in the domain. again, i will try this and report back my findings.

Jason
0
 
LVL 37

Accepted Solution

by:
meverest earned 500 total points
ID: 24092936
>> something about not being able to allow IIS to control a password for an account that was not in the domain

in that case, manually set the password both under the domain users control, and in the IIS directory security - or else change the user to a local user.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:jsvb1977
ID: 24096638
Here is the screenshot of the message IIS gives me when I checkmark "Allow IIS to control the Password."

I dug a little deeper and found out that the previous admin hardened IIS by renaming the default accounts: In an email he writes:

These links will take you to where I got a lot of the information that
I used.  The CIS and NSA guides are extremely useful.  The other link
is really a good result from searching "IIS DMZ Hardening".

Does this information help you to better understand my error?
Jason

4-8-2009-8-37-48-AM.png
0
 
LVL 37

Expert Comment

by:meverest
ID: 24102862
refer to my previous comment.

Cheers.
0
 

Author Comment

by:jsvb1977
ID: 24103197
OK -- I will do that. But to clarify, what you are asking me to do is to assign a completely new Local User to the web site for authentication?...or are you asking me to change the "status" of the current user to a local user?

Also, in a related thought -- I am getting some "Username / Password" Errors in the Event Logs. I am unclear of where IIS is comparing the passwords. What I mean is, I set both the user password and the IIS user password to be the same, but this error keeps popping up.

I ran the adstuil vbscript in the server and was able to extract the password being used. i then took that password and assigned it to both the User password as well as the IIS user password for authentication. Still the error message appears.

I then changed the password of the User and the User in IIS, ran the script again, and the password spit out by the script was the same [as if I never changed the passord]? I know I successfully changed the password beccase the security audit confirmed it.

I am lost in an IIS sea...please throw me a life jacket....

Jason
0
 

Author Comment

by:jsvb1977
ID: 24110600
I changed the user from what it was to IUSER_<Machine Name>, synced the password [or what i think is the password] and I am still getting Access Denied. There are no new events logs that give me any indication of what is wrong.

Jason
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 500 total points
ID: 24113574
>> synced the password [or what i think is the password]

make sure it is the same as the real local user password - reset it in the windows local user manager too.

then make sure that the user (IUSR_<computername>) has read access to the physical folder/s on disk (use ntfs security under windows explorer).

cheers.
0
 

Author Comment

by:jsvb1977
ID: 24116645
I think I need to get my ducks in a row here.... perhaps I am not understanding the authentication "trail" so to speak. Here is what I think I know [please correct me if I am wrong]:

Windows 2000 has local users and one of them acts as an administator. In this case it is <servername>\xxxx_adm
IIS uses users to allow access to the website files and folders. This user is typically <servername>\IUSER_<servername>.
IIS also will use an asp user if asp is installed [our IIS does have asp installed] so, IIS uses this user to authenticate against asp pages being loaded into a browser.

So, the key players are:
The Windows 2000 Adminstrator Account
The IIS User Account
The ASP User Account

Who needs to be talking with who? Which passwords need to be aligned?

Jason
0
 

Author Comment

by:jsvb1977
ID: 24131305
We have decided to revert back to the pre-existing image of the server while it was still 'working'. thank you for all of your help.
0
 

Author Closing Comment

by:jsvb1977
ID: 31567781
As in my most recent post -- we have decided to abondon trying to figure out what the previous IIS administator had done to "harden" IIS. It was a "cost of diminishing returns" decision. We will be restoring an image of the server back from when it was in a "working" state. Thank you, Jason.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question