• Status: Solved
  • Priority: Medium

IUSR_SERVER Unknown user name or bad password

Hi All,
I'd really appreciate some help with this as I'm struggling to get this resolved.
Every day on the SBS2003 report I receive approx 3000 critical errors in the security log with the following:

Reason: Unknown user name or bad password
  User Name: IUSR_SERVER
  Domain: (hidden)
  Logon Type: 8
  Logon Process: Advapi
  Authentication Package: Negotiate
  Workstation Name: SERVER
  Caller User Name: NETWORK SERVICE
  Caller Domain: NT AUTHORITY
  Caller Logon ID: (0x0,0x3E4)
  Caller Process ID: 17640
  Transited Services: -
  Source Network Address: -
  Source Port: -

The process ID relates to the w3wp.exe service which is running under the Network Service account.
I've reset the username/password as per the instructions here: http://www.howtonetworking.com/Internet/resetpassword.htm and while this fixes it for a few hours, it returns the next day.
Whilst these errors are occurring, I get several login prompts when browsing the RWW - I understand this is because the anonymous access is not working when the IUSR_Server account has a bad password.
Does anybody have any ideas as to how I can fix this please?
Asked: keyuk
2 Solutions
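
An added example, not part of the original thread: one way to triage a flood of failure events like the one quoted in the question is to group them by account, logon type, caller and source address, which shows whether they come from a local service or from the network. The sample text is constructed in the layout quoted above (the second caller process ID is made up), and `parse_events` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Windows logon type codes; 8 (NetworkCleartext) is the one in the question.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               8: "NetworkCleartext", 10: "RemoteInteractive"}

# Constructed sample in the layout quoted in the question (not real log data).
_EVENT = """\
Reason: Unknown user name or bad password
  User Name: IUSR_SERVER
  Logon Type: 8
  Caller User Name: NETWORK SERVICE
  Caller Process ID: 17640
  Source Network Address: -
"""
SAMPLE = _EVENT * 3 + _EVENT.replace("17640", "2212")

def parse_events(text):
    """Split the text at each 'Reason:' line; return one field dict per event."""
    events = []
    for block in re.split(r"(?m)^(?=[ \t]*Reason:)", text):
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only, so values may contain colons.
            key, sep, value = line.partition(":")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if "Reason" in fields:
            events.append(fields)
    return events

def summarize(events):
    """Count failures per (user, logon type, caller, caller PID, origin)."""
    counts = Counter()
    for e in events:
        ltype = int(e.get("Logon Type", "0"))
        addr = e.get("Source Network Address", "-")
        # "-" means no remote address was recorded: the logon was attempted locally.
        origin = "local" if addr in ("-", "") else addr
        counts[(e.get("User Name"), LOGON_TYPES.get(ltype, str(ltype)),
                e.get("Caller User Name"), e.get("Caller Process ID"), origin)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(parse_events(SAMPLE)).most_common():
        print(n, key)
```

A single dominant group with a local origin and a service account as caller points at a stored credential that no longer matches the account, rather than at password guessing from the network.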
 
John Jennings (Owner) commented:
This issue has been addressed in a Microsoft Partner forum. I'm going to give you the link, but you might be unable to access it.

http://social.microsoft.com/Forums/en-US/partnerwinserversbs/thread/e77df183-22dc-4f6e-b8d2-bfa3f3990147?prof=required

If you cannot, let me know, and I'll farm the content from the page and place it here.

keyuk (Author) commented:
Thanks for the response however I am unable to access the link provided so I'd appreciate it if you could let me know the content.

John Jennings (Owner) commented:
Please note this is a direct copy and paste, so it may not be in the correct context of your problem, but it appears to be the exact same issue.

From your description, I understand that: Logon failure audit events for the account IUSR_<ServerName> started being logged after you changed its password, and you have already modified Authentication and access control for Default Web Site.
 
Please correct me if I have misunderstood anything.
 
Based on my experience, after changing the password for the IUSR_<ServerName> account, we also need to modify the password for the Default Web Site as well as other related sites which have enabled anonymous access, for example, WSUS Administration. So, I suspect that the issue happens because not all the associated web sites have been configured to use the new password.
 
To try to fix the issue, please perform these steps, which will first reset the password and then update it to all the related web sites in IIS :
 
1. To reset the password for the IUSR_ComputerName account, run the following commands at a Command Prompt in sequence:
cd c:\inetpub\adminscripts
cscript.exe adsutil.vbs set w3svc/anonymoususerpass "password"
 
Note that password is the password that you have changed for the IUSR_ComputerName account.
 
2. Update the starting identity of all IIS COM+ application packages by typing the following at the command prompt:
 
cscript.exe synciwam.vbs -v
Note: You may need to restart IIS for all changes to take effect. To restart IIS, click Start, click Run, type iisreset, and then click OK.

Give these steps a shot here, and let me know what you find.
 
cpmcomputers commented:
You might want to work through this again.

Ensure item 2) is covered. It looks like something is resetting the password?



I figured out the problem. I am unsure at this point if the problem caused or was being caused by a problem with OWA, but OWA went down recently. I was able to resolve the issue by manually resetting the IUSR and IWAM accounts, and then syncing the two with a standard MS VB script included within the IIS/Server 2003 system directory. Below is a copy of the instructions I followed to do that.

1)  Open AD Users & Computers.  Expand the Users OU, right-click on the IUSR_<servername> account and select 'Reset password'.  Reset the password to anything you want (however, it can't be blank).


2)  Open this User Account's properties and verify that the account is not locked out  :^)  Also, make sure that 'Password never expires' and 'User cannot change password' are selected.


3)  Repeat steps 1 & 2 for the IWAM_<servername> account.  Close AD Users & Computers.


4)  Open Internet Information Services  (Start | Administrative Tools)


5)  Expand <servername> | Web Sites


6)  Right-click on 'Default Web Site' and select Properties.


7)  Go to the 'Directory Security' tab and click the Edit button under 'Authentication & Access Control'


8)  Enter the new password for the IUSR_<servername> account and click OK.


9)  Enter the password again to confirm and click OK.


10) Click OK.


11)  Open a command prompt and enter  iisreset


12)  At the command prompt, enter the following commands (where <password> = the password you entered for the IWAM_<servername> account in AD Users & Computers):
        cd c:\inetpub\adminscripts
        cscript.exe adsutil.vbs SET w3svc/WAMUserPass "<password>"
        c:\windows\system32\cscript.exe "c:\inetpub\adminscripts\synciwam.vbs" -v
        iisreset

Voila!  That should fix you right up . . .    :^)

keyuk (Author) commented:
Thanks  JohnThePro and cpmcomputers, both your answers are pretty much the same so I've followed through the instructions. I think I've done most of that before except the synciwam.vbs script which is possibly where I'd been going wrong.
I'll let you know if the errors stop in a couple of days.
Thanks for your help.

John Jennings (Owner) commented:
Please let us know! Thanks! :)

cpmcomputers commented:
Sorry, our posts seem to have overlapped.

The last step is critical in syncing both passwords (Iuser and Iwam) in Active Directory and IIS.

Hopefully the devil is in the detail here

Let us know how you go - Cheers

keyuk (Author) commented:
Thanks guys, this has solved the issue.

cpmcomputers commented:
Good job!