Built-In IUSR_COMPUTERNAME IIS / WEB site issues

Posted on 2009-04-16
Medium Priority
Last Modified: 2013-12-04
2k3 IIS 6.0 hosting one website of a CRM app. Client app reporting "cant find www.sitename.com".   Narrowed this down to 401.3 acl and then as of late intermittent change between that error and the 401.1 user/pw issue.

1st time, after not changes/reboot to svr for over 2 wks, client app reports "can't find site". The IIS built in local IUSR_Computername is what's being used for anonymous access.  Restarting svr no change, resetting the default guests IUSR pw and reapplying to directory sec of www in IIS didn't help, using vb script to find built in pw and change didn't help,  reinstalling IIS fresh didn't work either, finally created another IUSR_madeupID add as part of "USERS" group only then used that for the site in IIS clicking ok.  Went back to comp mgnt and changed the ISUR_madeupID to Guests only and site worked.  Fix lasted until late/later that day.

Next time I followed same immediate steps above but this time leaving the Iusr_madeupID in the local users group, and restarting IIS, never putting it back to guests only group.  Site worked.  THis lated until next a.m. when I checked before office hours at 6 a.m

Since behavior keeps occuring and so far I can not truly see a pattern, but yesterday noticed that the IUsr_madupID has NOTHING IN USERS 'MEMBER OF' TAB when site errored out.  Now I am no longer clear on what error in IE i'm getting lastly, the  401.3 it's always been or 401.1 that I've seen a couple of times, will be paying closer attention now.

Any input especially on the "members of" screen being cleared out.  I'm about to call MS support and pay whatever fee....

Thanks, Anxious!!!
Question by:dee30
  • 3
LVL 51

Assisted Solution

by:Ted Bouskill
Ted Bouskill earned 600 total points
ID: 24164937
A web application has two levels of security.  One is who is allowed to access a site, the other is AFTER the user has accessed the site and determines what right the code executing the page request has. The first is web page authentication, the other is web application process authentication.

OK, the IUSER_ account is used when a website is set to anonymous to access system resources which means web page authentication is successful.

HTTP 401 errors are web page authentication.  So, that means your errors are from accessing the web site, not the web process authentication.

Did somebody change the IIS settings for Authentication?  Did someone remove the host header entry for the website?
LVL 22

Accepted Solution

cj_1969 earned 900 total points
ID: 24167497
did you change the name of the server at any point?
This sounds like a password sync option within IIS.
There is a script that comes with IIS that you can run to re-sync the passwords.
Try running ...
*** you might need to run it as ...
cscript c:\Inetpub\AdminScripts\synciwam.vbs

If you get an error on this then check out this page ... http://support.microsoft.com/kb/269367

You can try this also ...

Author Comment

ID: 24168944
k, in the middle of the morning work day the site was inaccessible again by my users.  I checked the iusr_ImadeiD and the 'member of' tab was empty where it had users in there before.  I added users group(local) to it again, went into website directory sec and clicked okay only, but site still inaccesible with HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource. So, I restarted IIS and all was accessible again.   This time it was the original 401.3 error for certain.  THis is driving me crazy and causing major interference in our smooth work day use.

Okay, I'm not IIS guru, I usually set it up as part of something else I need to administer and then leave it alone so besides the local guests and users group(latter having Bypass Traverse Checking in addition to read/execute), what membership type user can I use for anonymous access in the directory sec?  This is a CRM app behind the firewall in a single forest/domain.  THe crm client point to the www.oursite.com and our customers can also access the site externally to log calls, etc...  

Thanks !  

Author Comment

ID: 24172210
cj_1969  You MS article link is and the sync reset script is referencing this for IWAM_computer issues.   Am am not IIS proficient, but my issue is with the iusr_computername default guest account local to the 2k3 iis 6.0 server.  Also, there is a iwam_computername local user, while I do not know where by defualt that is used in IIS or the reason.   Again, per my immediatley above post maybe others can give me some insight, just for my fyi, on what type of alternate user I could use for anonymous and that users membership to local vs dc.  Ultimately, I kno the iusr_computername default guests user is what was set and therefore what is acceptable, but I am unclear on deviating from that or a duplicate iuser i manually create left only in users group vs added to guests group and used for the iis site for anonymous logon .


Author Comment

ID: 24416083
Thanks for taking the time.

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
OfficeMate Freezes on login or does not load after login credentials are input.
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question