

IIS forcing Anonymous authentication?! Help desperately needed!

Question

Tuesday, June 9, 2009 3:30 AM

I've recently installed Office Communications Server 2007 on one of our newer servers in order to transfer it from an old server. The installation went successfully, however an hour later I noticed that legacy IIS applications resident on the same server had stopped working. I can move them to another server, but I would prefer not to. Two Web Sites in IIS have Integrated Windows Authentication as the Authentication method. They used to work fine, in that the user is automatically authenticated with his domain credentials. However, since the installation of OCS2007, both these sites don't accept the domain credentials as authentication. When I diagnosed the web sites with the Microsoft tool 'Authentication and Access Control Diagnostics', it oddly reported as the problem that 'IUSR_ account does not have Allow log on locally privilege'. The Path is from W3SVC and AuthType is Anonymous. However, clearly in IIS I have disabled anonymous access and enabled only Integrated Windows Authentication. I've also tried enabling Digest authentication and Basic authentication, but the tool still reports that the IUSR_computername account doesn't have the Allow log on locally privilege. I've also tried putting up test sites to test the behaviour, and any newly created site produces the same result. We do however have a SharePoint Front End residing on the same server, and it works just fine with Integrated Windows Authentication... Help is desperately needed here!

All replies (17)

Friday, June 12, 2009 3:25 AM ✅Answered

Seems we are failing over kerberos.

Try setting NTAuthenticationProviders metabase key to just NTLM. By default, it will be set to "Negotiate,NTLM".

Here is how you can set that.

At a command prompt, go to the c:\inetpub\adminscripts folder.

Then, to view the current flags set on this node:
cscript.exe adsutil.vbs get w3svc/NTAuthenticationProviders

To set it to just NTLM:
cscript.exe adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

Restart IIS and test the site. If this does not help, revert the settings back using above commands.

HTH.

~ Ganesh


Tuesday, June 9, 2009 5:31 AM

When you mentioned "don't accept credentials", do you mean they cannot log in?

If so, please let one of the users disable IE friendly error pages according to

http://support.microsoft.com/kb/294807/


And then reproduce the problem and see what status code is displayed in the error page.


If the server does return 401.x code, David Wang has a blog post about the actions you can try.


http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx


Tuesday, June 9, 2009 6:26 AM

Thanks!

The error code is 401.1. I'll go on checking what may have started causing this by that blog link you gave. It seems very useful.


Tuesday, June 9, 2009 7:29 AM

Right, I've not managed to troubleshoot this down to some specific error.

However, I've made a few observations: The error code is 401.1. Secondly, if I run Internet Explorer from the server itself with my domain login, and browse to the site, it works just fine. If I run Internet Explorer from my own computer logged in with my domain account, it returns the 401.1 error. :/

It really seems as if installing OCS2007 has hardened up the server against logging in. Any help is still deeply appreciated.


Tuesday, June 9, 2009 9:57 AM

401.1 means that IIS could not authenticate the user, either because the user was not found in AD or a bad username or password was provided.

Network-wise, what's different about your computer?


Wednesday, June 10, 2009 6:23 AM

If you like, you can open a case via Microsoft support hotline. Our experts can help analyze the problem for you.

http://support.microsoft.com

Regards,


Thursday, June 11, 2009 6:11 AM

Right, I've done some testing here.

I noticed that the Application Pool the IIS sites run under had its identity set to Network Service, while there was a local account specified along with its password. I tested changing the Application Pool to run under the IWAM_ local account, and behold, the sites started working.

However, quite quickly I noticed how badly they work. If I open a new IE window and navigate to the site, it *may* open up completely. I've noticed however that I often get login dialogues popping up for images that are in the site. The permissions are set correctly for the site, so I can't understand why. Another thing: Once I hit refresh in the browser, it just keeps asking for login, and doesn't show the original view I get when I go to the site with a new browser window.

Any help or pointers are useful. FYI the sites themselves are PHP sites, but tbh I can't find anything wrong with the PHP itself. Phpinfo checks out fine (except for one time where the image within the phpinfo page failed to load...)

Tom, afaik there's nothing that should cause anything special while connecting from my computer vs connecting from a browser window in the server itself. Network-wise, that server is in the same network and there's only one router between my pc and the server. Additionally these problems do not only occur to me, but everyone in the company.


Thursday, June 11, 2009 7:07 AM

Hope I understood the problem correctly. Let me rephrase:

When you browse to your PHP website which has anonymous access enabled, it keeps prompting for authentication. Is this understanding correct?

or Do you also have integrated windows auth enabled?

You may want to download Process Monitor from www.sysinternals.com and reproduce the problem while running it. Check for access denied entries in the procmon logs.

As you mentioned that authdiag reports IUSR needs logon locally, you may want to do that in local policies. Check KB 812614 for default IIS permissions and compare with your machine.

Also may be the IUSR account is out of password sync. You will need to reset IUSR password in Local SAM and then set same password in IIS metabase.

If all of the above does not help, the problem is something else, like the DisableLoopbackCheck or CrashOnAuditFail keys.

But first of all, try the above and let me know what you find.

HTH.

~ Ganesh



Thursday, June 11, 2009 7:18 AM

Thanks for your reply Ganesh!

I will follow your instructions when I have more time. For now I can say that the site does not have anonymous access enabled. It is disabled. The only access method that is enabled is Integrated Windows Authentication.

I may not have used AuthDiag correctly, as I ran it from my computer and used it against the DNS address of the web site. (It's mapped to http://tuntiraportointi in our intranet.) Note that neither the DNS alias nor the direct address (e.g. http:///tuntiraportointi) works.


Thursday, June 11, 2009 7:35 AM

Ok. Thanks for the reply.

So now we are dealing with just Windows Integrated auth.

Run Process Monitor from sysinternals.com and check if there is any permissions issue.

If this is not a file/registry level permissions issue, then you could enable Failure Auditing in local group policies and check the security event logs for the reason for the failure.

BTW, is all the content on this website configured for Integrated auth? Or do just the pages and images work over Anonymous?

~ Ganesh


Thursday, June 11, 2009 10:28 AM

Ganesh, I could not find any permission-related issue with Process Monitor. One thing concerning the page I can load: When it's loaded and has complained about permissions, some pictures may not show. However, if I right click them and select 'Show Picture', it loads up just fine...

All content should be working over Integrated auth. It's not meant for anonymous access. Domain Users and Domain Admins among others have read access to the Inetpub directory and that's the way it's meant to be accessed, as far as I know. I chose the title based on my earlier assumption, when I used AuthDiag to access the site: it returned that IUSR_SYN077 does not have allow log on locally enabled, and the authtype is reported to be 'Anonymous'. Concerning the IUSR_machinename logon credentials you mentioned earlier, IUSR_ has the Log on as batch job permission. Allow log on Locally has the Domain Admins and Domain Users, and if I understood correctly the IUSR_machinename should inherit that permission if you're logged in as a member of either security group.

How do I set the IUSR_ password in the IIS Metabase? I believe I know where to change the password for the account though.

I do get two types of Failure audits in the Security log when I get that login window in the site (Sorry for the paragraphed lines, for me posting doesn't work correctly and all gets clumped if I use normal newlines):

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 11.6.2009
Time: 17:24:46
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process:  KÓ=
Authentication Package: NTLM
Workstation Name:
Status code: 0x80090308
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.57
Source Port: 2336

Mysteriously, I sometimes get this event ID as well, at the same time as the one above:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11.6.2009
Time: 17:24:31
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: mikaelh
Domain: SYNOCUS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SYN077
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.57
Source Port: 2261


Thursday, June 11, 2009 11:22 AM

I tested changing the Application Pool to run under the IWAM_ local account, and behold, the sites started working.

Are you on IIS 6? If so, do not use IWAM. That's only provided for backward compatibility when running in IIS 5 isolation mode. It has no relevance to IIS 6 native mode.

If you're not using anonymous access on this site, don't worry about IUSR for now.

So I've become a little bit confused - at this point what is the problem we're trying to fix?


Friday, June 12, 2009 3:07 AM

We're using IIS 6 yes. Sorry for the confusion.

The problem we're trying to fix is that when users browse to these PHP sites, the Kerberos login fails if the AppPool is set to run under the Network Service account (the failed NTLM events in the Security log came while running under the IWAM account). The problem appeared after the installation of Office Communications Server 2007 on that server.

About IWAM: If I use the predefined Network Service account for running the application pool, the legacy IIS web sites don't work at all. I immediately get a login window. The Security event log has this event in it:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12.6.2009
Time: 10:03:33
User: NT AUTHORITY\SYSTEM
Computer: SYNSRV8
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.57
Source Port: 3711

Apparently Kerberos is somehow broken for the Network Service account. The other sites hosted in IIS run under separate accounts and are SharePoint sites, thus using a separate account for the Application Pools, and they work just fine...
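As an added example (not code from this thread or from Microsoft), the following Python script parses Security log failure-audit records in the text layout quoted above and sorts them into the three patterns this thread discusses: a Kerberos 529 with no principal recorded, an NTLM 529 with a user name (bad credentials), and an NTLM 537 carrying status 0x80090308. The sample records are constructed with placeholder host names, user names and a documentation address; only the field names and the event IDs, packages and status code come from the entries posted in the thread.

```python
import re
from collections import Counter

# Constructed sample records in the layout of the Windows Server 2003
# Security log entries quoted in this thread, trimmed to the fields the
# classifier reads. Host names, user names and addresses are placeholders.
SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 529
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 192.0.2.57

Event Type: Failure Audit
Event ID: 529
Reason: Unknown user name or bad password
User Name: exampleuser
Domain: EXAMPLE
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Source Network Address: 192.0.2.57

Event Type: Failure Audit
Event ID: 537
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Status code: 0x80090308
Source Network Address: 192.0.2.57
"""

# A field line is "<letters and spaces>: <value>"; the value may be empty.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split an exported Security log into blank-line separated records and
    return one dict of field name -> value per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def classify(ev):
    """Map one failure-audit record to a pattern named in the thread."""
    eid = ev.get("Event ID")
    pkg = ev.get("Authentication Package", "")
    status = ev.get("Status code", "").lower()
    if eid == "529" and pkg == "Kerberos" and not ev.get("User Name"):
        # Kerberos package with no principal recorded: the entry the poster
        # sees while the application pool runs as Network Service.
        return "kerberos_no_principal"
    if eid == "529" and pkg == "NTLM":
        # NTLM rejected the supplied name/password for a named user.
        return "ntlm_bad_credentials"
    if eid == "537" and status == "0x80090308":
        # 0x80090308 is SEC_E_INVALID_TOKEN: the NTLM token itself was
        # rejected, which is not a password problem.
        return "ntlm_invalid_token"
    return "other"


def summarize(text):
    """Count patterns per source address, so a defender can see which
    client hosts are producing which kind of failure."""
    counts = Counter()
    for ev in parse_events(text):
        counts[(ev.get("Source Network Address", "?"), classify(ev))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (addr, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{addr:<16} {kind:<24} {n}")
```

Point the script at a saved text export of the Security log (the same "Field: value" layout the event viewer copies) and the per-address summary separates the Kerberos failures from the NTLM ones, which is the distinction the thread ends up hinging on.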


Friday, June 12, 2009 4:28 AM

Hi, thanks for your advice. I was very reluctant to turn off Kerberos authentication. I did however try it out by quickly setting it to NTLM, resetting IIS, testing and setting it back to Negotiate,NTLM. Setting it to only NTLM did not produce any better results in my quick test.

I did notice another very odd thing while setting IWA to favor NTLM: I still get Failure audits that describe that the Logon process is still Kerberos, not NTLM. It seems as if it forcibly uses Kerberos.

Any other suggestions?


Friday, June 12, 2009 4:58 AM

I noticed another odd thing:

After setting NTAuthenticationProviders to NTLM, which succeeded, and resetting IIS, I reviewed this setting a while later with the 'Get' command. It says that 'The parameter "NTAuthenticationProviders" is not set at this node.' As if the change had never even occurred.

I'm still in the process of trying to find the reason for why this does not work. :/


Friday, June 12, 2009 5:03 AM

Ahh, the reason for the oddity I mentioned above was that I did not do a graceful iisreset. After setting it to NTLM only, and not doing an iisreset, I noticed that the sites started working.

I did a graceful iisreset after a while with the /noforce switch, and after SharePoint had cached its pages I tried out the legacy sites. They work just fine now. The problem is fixed now. Thanks Ganesh for your help!


Friday, June 12, 2009 5:19 AM

Glad to help!