Built-In IUSR_COMPUTERNAME IIS / WEB site issues

2k3 IIS 6.0 hosting one website of a CRM app. Client app reporting "cant find www.sitename.com".   Narrowed this down to 401.3 acl and then as of late intermittent change between that error and the 401.1 user/pw issue.

1st time, after not changes/reboot to svr for over 2 wks, client app reports "can't find site". The IIS built in local IUSR_Computername is what's being used for anonymous access.  Restarting svr no change, resetting the default guests IUSR pw and reapplying to directory sec of www in IIS didn't help, using vb script to find built in pw and change didn't help,  reinstalling IIS fresh didn't work either, finally created another IUSR_madeupID add as part of "USERS" group only then used that for the site in IIS clicking ok.  Went back to comp mgnt and changed the ISUR_madeupID to Guests only and site worked.  Fix lasted until late/later that day.

Next time I followed same immediate steps above but this time leaving the Iusr_madeupID in the local users group, and restarting IIS, never putting it back to guests only group.  Site worked.  THis lated until next a.m. when I checked before office hours at 6 a.m

Since behavior keeps occuring and so far I can not truly see a pattern, but yesterday noticed that the IUsr_madupID has NOTHING IN USERS 'MEMBER OF' TAB when site errored out.  Now I am no longer clear on what error in IE i'm getting lastly, the  401.3 it's always been or 401.1 that I've seen a couple of times, will be paying closer attention now.

Any input especially on the "members of" screen being cleared out.  I'm about to call MS support and pay whatever fee....

Thanks, Anxious!!!
Who is Participating?
cj_1969Connect With a Mentor Commented:
did you change the name of the server at any point?
This sounds like a password sync option within IIS.
There is a script that comes with IIS that you can run to re-sync the passwords.
Try running ...
*** you might need to run it as ...
cscript c:\Inetpub\AdminScripts\synciwam.vbs

If you get an error on this then check out this page ... http://support.microsoft.com/kb/269367

You can try this also ...
Ted BouskillConnect With a Mentor Senior Software DeveloperCommented:
A web application has two levels of security.  One is who is allowed to access a site, the other is AFTER the user has accessed the site and determines what right the code executing the page request has. The first is web page authentication, the other is web application process authentication.

OK, the IUSER_ account is used when a website is set to anonymous to access system resources which means web page authentication is successful.

HTTP 401 errors are web page authentication.  So, that means your errors are from accessing the web site, not the web process authentication.

Did somebody change the IIS settings for Authentication?  Did someone remove the host header entry for the website?
dee30Author Commented:
k, in the middle of the morning work day the site was inaccessible again by my users.  I checked the iusr_ImadeiD and the 'member of' tab was empty where it had users in there before.  I added users group(local) to it again, went into website directory sec and clicked okay only, but site still inaccesible with HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource. So, I restarted IIS and all was accessible again.   This time it was the original 401.3 error for certain.  THis is driving me crazy and causing major interference in our smooth work day use.

Okay, I'm not IIS guru, I usually set it up as part of something else I need to administer and then leave it alone so besides the local guests and users group(latter having Bypass Traverse Checking in addition to read/execute), what membership type user can I use for anonymous access in the directory sec?  This is a CRM app behind the firewall in a single forest/domain.  THe crm client point to the www.oursite.com and our customers can also access the site externally to log calls, etc...  

Thanks !  
dee30Author Commented:
cj_1969  You MS article link is and the sync reset script is referencing this for IWAM_computer issues.   Am am not IIS proficient, but my issue is with the iusr_computername default guest account local to the 2k3 iis 6.0 server.  Also, there is a iwam_computername local user, while I do not know where by defualt that is used in IIS or the reason.   Again, per my immediatley above post maybe others can give me some insight, just for my fyi, on what type of alternate user I could use for anonymous and that users membership to local vs dc.  Ultimately, I kno the iusr_computername default guests user is what was set and therefore what is acceptable, but I am unclear on deviating from that or a duplicate iuser i manually create left only in users group vs added to guests group and used for the iis site for anonymous logon .

dee30Author Commented:
Thanks for taking the time.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.