IIS7 Pass-through authentication failing
in [IIS]
|
From: clintonG on 4 Apr 2008 21:11 On Vista I've tried creating websites at Documents\My Web Sites\website1 for example. Despite adding the accounts and permissions for NETWORK SERVICE, IIS_USRS as well as accounts for Administrators and my own self as a user I'm getting a 401.3 when requesting http://website1/. Note I also use the hosts file for bindings to localhost. Using IIS Manager > Add a Web Site > Test Settings I get the following warning: Test Connection: Authorization Cannot verify access to path ... The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again. When I try to request the site as http://website1/ I get the following error: HTTP Error 401.3 - Unauthorized You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server. I've set up Failed Request Tracing Rules for the 401.3 and no clues how to resolve there. I can use IIS Manager > Advanced Settings to change the Physical Path Credentials using my user name and password and website1 will load just fine. I'd really like to understand how to resolve this and don't understand why the pass through authentication is not passing through so to speak allowing me as an anonymous user to request and load website1 without using IIS Manager to apply impersonation.
From: Steve Schofield on 5 Apr 2008 15:46 Try running process monitor aka Filemon to see what folder is being blocked. Enable auditing to see object access. Here is a post that discusses how to enable auditing and links to process monitor. http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx -- Best regards, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield "clintonG" <nobody(a)nowhere.com> wrote in message news:ev76%23nrlIHA.696(a)TK2MSFTNGP05.phx.gbl... > On Vista I've tried creating websites at Documents\My Web Sites\website1 > for example. Despite adding the accounts and permissions for NETWORK > SERVICE, IIS_USRS as well as accounts for Administrators and my own self > as a user I'm getting a 401.3 when requesting http://website1/. Note I > also use the hosts file for bindings to localhost. > > Using IIS Manager > Add a Web Site > Test Settings I get the following > warning: > > Test Connection: > Authorization Cannot verify access to path ... > > The server is configured to use pass-through authentication with a > built-in account to access the specified physical path. However, IIS > Manager cannot verify whether the built-in account has access. Make sure > that the application pool identity has Read access to the physical path. > If this server is joined to a domain, and the application pool identity is > NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has > Read access to the physical path. Then test these settings again. > > When I try to request the site as http://website1/ I get the following > error: > > HTTP Error 401.3 - Unauthorized > You do not have permission to view this directory or page because of the > access control list (ACL) configuration or encryption settings for this > resource on the Web server. > > I've set up Failed Request Tracing Rules for the 401.3 and no clues how to > resolve there. > > I can use IIS Manager > Advanced Settings to change the Physical Path > Credentials using my user name and password and website1 will load just > fine. > > I'd really like to understand how to resolve this and don't understand why > the pass through authentication is not passing through so to speak > allowing me as an anonymous user to request and load website1 without > using IIS Manager to apply impersonation.
From: clintonG on 5 Apr 2008 20:36 Thanks Steve. I'm going to follow up on your referrals but get this... I use the hosts file to enable multiple web sites on Vista when using IIS7 and bind each website to the loopback adapter (127.0.0.1). This makes testing web sites in a browser fast, easy and perhaps reliable using short names such as http://css1. In fact we no longer even have to provide the browser with the http protocol, just type css1 into a browser for example and the web site will load. So while trying to learn more about this physical path pass-through authentication issue I went back into IIS Manager and deleted a web site named css1. I recreated css1 and bound it to the IP of the machine (instead of All Assigned). Requesting the web site then loads the Default Website. I then used IIS Manager to delete css1 and then recreated css1 leaving All Assigned and binding in the hosts file to the loopback IP. Now lo and behold --Vista Voodoo-- the pass-through authentication now allows the anonymous user to request css1 when the physical path is in the My Web Sites directory I have discussed having problems with. Now, to figure out what was going on I have to actually figure out how to make it fail again? I am ready for a long long rest in a nice quiet place where they have a nurse keep an eye on the patients ;-) <%= Clinton "Steve Schofield" <steve(a)iislogs.com> wrote in message news:%23WPK7W1lIHA.3636(a)TK2MSFTNGP02.phx.gbl... > Try running process monitor aka Filemon to see what folder is being > blocked. Enable auditing to see object access. Here is a post that > discusses how to enable auditing and links to process monitor. > > http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx > > -- > > Best regards, > > Steve Schofield > Windows Server MVP - IIS > http://weblogs.asp.net/steveschofield > > > "clintonG" <nobody(a)nowhere.com> wrote in message > news:ev76%23nrlIHA.696(a)TK2MSFTNGP05.phx.gbl... >> On Vista I've tried creating websites at Documents\My Web Sites\website1 >> for example. Despite adding the accounts and permissions for NETWORK >> SERVICE, IIS_USRS as well as accounts for Administrators and my own self >> as a user I'm getting a 401.3 when requesting http://website1/. Note I >> also use the hosts file for bindings to localhost. >> >> Using IIS Manager > Add a Web Site > Test Settings I get the following >> warning: >> >> Test Connection: >> Authorization Cannot verify access to path ... >> >> The server is configured to use pass-through authentication with a >> built-in account to access the specified physical path. However, IIS >> Manager cannot verify whether the built-in account has access. Make sure >> that the application pool identity has Read access to the physical path. >> If this server is joined to a domain, and the application pool identity >> is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ >> has Read access to the physical path. Then test these settings again. >> >> When I try to request the site as http://website1/ I get the following >> error: >> >> HTTP Error 401.3 - Unauthorized >> You do not have permission to view this directory or page because of the >> access control list (ACL) configuration or encryption settings for this >> resource on the Web server. >> >> I've set up Failed Request Tracing Rules for the 401.3 and no clues how >> to resolve there. >> >> I can use IIS Manager > Advanced Settings to change the Physical Path >> Credentials using my user name and password and website1 will load just >> fine. >> >> I'd really like to understand how to resolve this and don't understand >> why the pass through authentication is not passing through so to speak >> allowing me as an anonymous user to request and load website1 without >> using IIS Manager to apply impersonation. >
From: Steve Schofield on 6 Apr 2008 22:57 That sounds like par for the course. :) Personally, I would let it go if it's working. If you are really interested in what is going on. I would check the applicationHost.config to see what the bindings are during each test. Look in the <sites> section. I would setup your original config and see if you can reproduce the error, it sounds like you can't do that, but if you have access to another Vista box, use that machine to see if the behavior is the same. Other things that comes up when this happens is browser caching can cause inconsistent results. I would recycle IIS after each test so no credentials are cached. Those are a couple things that come to mind. -- Best regards, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield "clintonG" <nobody(a)nowhere.com> wrote in message news:e1fpSB4lIHA.2368(a)TK2MSFTNGP03.phx.gbl... > Thanks Steve. I'm going to follow up on your referrals but get this... > > I use the hosts file to enable multiple web sites on Vista when using IIS7 > and bind each website to the loopback adapter (127.0.0.1). This makes > testing web sites in a browser fast, easy and perhaps reliable using short > names such as http://css1. In fact we no longer even have to provide the > browser with the http protocol, just type css1 into a browser for example > and the web site will load. > > So while trying to learn more about this physical path pass-through > authentication issue I went back into IIS Manager and deleted a web site > named css1. I recreated css1 and bound it to the IP of the machine > (instead of All Assigned). Requesting the web site then loads the Default > Website. I then used IIS Manager to delete css1 and then recreated css1 > leaving All Assigned and binding in the hosts file to the loopback IP. > > Now lo and behold --Vista Voodoo-- the pass-through authentication now > allows the anonymous user to request css1 when the physical path is in the > My Web Sites directory I have discussed having problems with. > > Now, to figure out what was going on I have to actually figure out how to > make it fail again? I am ready for a long long rest in a nice quiet place > where they have a nurse keep an eye on the patients ;-) > > <%= Clinton > > > "Steve Schofield" <steve(a)iislogs.com> wrote in message > news:%23WPK7W1lIHA.3636(a)TK2MSFTNGP02.phx.gbl... >> Try running process monitor aka Filemon to see what folder is being >> blocked. Enable auditing to see object access. Here is a post that >> discusses how to enable auditing and links to process monitor. >> >> http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx >> >> -- >> >> Best regards, >> >> Steve Schofield >> Windows Server MVP - IIS >> http://weblogs.asp.net/steveschofield >> >> >> "clintonG" <nobody(a)nowhere.com> wrote in message >> news:ev76%23nrlIHA.696(a)TK2MSFTNGP05.phx.gbl... >>> On Vista I've tried creating websites at Documents\My Web Sites\website1 >>> for example. Despite adding the accounts and permissions for NETWORK >>> SERVICE, IIS_USRS as well as accounts for Administrators and my own self >>> as a user I'm getting a 401.3 when requesting http://website1/. Note I >>> also use the hosts file for bindings to localhost. >>> >>> Using IIS Manager > Add a Web Site > Test Settings I get the following >>> warning: >>> >>> Test Connection: >>> Authorization Cannot verify access to path ... >>> >>> The server is configured to use pass-through authentication with a >>> built-in account to access the specified physical path. However, IIS >>> Manager cannot verify whether the built-in account has access. Make sure >>> that the application pool identity has Read access to the physical path. >>> If this server is joined to a domain, and the application pool identity >>> is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ >>> has Read access to the physical path. Then test these settings again. >>> >>> When I try to request the site as http://website1/ I get the following >>> error: >>> >>> HTTP Error 401.3 - Unauthorized >>> You do not have permission to view this directory or page because of the >>> access control list (ACL) configuration or encryption settings for this >>> resource on the Web server. >>> >>> I've set up Failed Request Tracing Rules for the 401.3 and no clues how >>> to resolve there. >>> >>> I can use IIS Manager > Advanced Settings to change the Physical Path >>> Credentials using my user name and password and website1 will load just >>> fine. >>> >>> I'd really like to understand how to resolve this and don't understand >>> why the pass through authentication is not passing through so to speak >>> allowing me as an anonymous user to request and load website1 without >>> using IIS Manager to apply impersonation. >> >
From: Steve Schofield on 6 Apr 2008 23:17 One thing I forgot to add was when troubleshooting odd things, use Wfetch when you are getting inconsistent results. Fiddler can help too. How to use Wfetch http://support.microsoft.com/kb/284285 -- Best regards, Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution. Install, Configure, Forget "clintonG" <nobody(a)nowhere.com> wrote in message news:e1fpSB4lIHA.2368(a)TK2MSFTNGP03.phx.gbl... > Thanks Steve. I'm going to follow up on your referrals but get this... > > I use the hosts file to enable multiple web sites on Vista when using IIS7 > and bind each website to the loopback adapter (127.0.0.1). This makes > testing web sites in a browser fast, easy and perhaps reliable using short > names such as http://css1. In fact we no longer even have to provide the > browser with the http protocol, just type css1 into a browser for example > and the web site will load. > > So while trying to learn more about this physical path pass-through > authentication issue I went back into IIS Manager and deleted a web site > named css1. I recreated css1 and bound it to the IP of the machine > (instead of All Assigned). Requesting the web site then loads the Default > Website. I then used IIS Manager to delete css1 and then recreated css1 > leaving All Assigned and binding in the hosts file to the loopback IP. > > Now lo and behold --Vista Voodoo-- the pass-through authentication now > allows the anonymous user to request css1 when the physical path is in the > My Web Sites directory I have discussed having problems with. > > Now, to figure out what was going on I have to actually figure out how to > make it fail again? I am ready for a long long rest in a nice quiet place > where they have a nurse keep an eye on the patients ;-) > > <%= Clinton > > > "Steve Schofield" <steve(a)iislogs.com> wrote in message > news:%23WPK7W1lIHA.3636(a)TK2MSFTNGP02.phx.gbl... >> Try running process monitor aka Filemon to see what folder is being >> blocked. Enable auditing to see object access. Here is a post that >> discusses how to enable auditing and links to process monitor. >> >> http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx >> >> -- >> >> Best regards, >> >> Steve Schofield >> Windows Server MVP - IIS >> http://weblogs.asp.net/steveschofield >> >> >> "clintonG" <nobody(a)nowhere.com> wrote in message >> news:ev76%23nrlIHA.696(a)TK2MSFTNGP05.phx.gbl... >>> On Vista I've tried creating websites at Documents\My Web Sites\website1 >>> for example. Despite adding the accounts and permissions for NETWORK >>> SERVICE, IIS_USRS as well as accounts for Administrators and my own self >>> as a user I'm getting a 401.3 when requesting http://website1/. Note I >>> also use the hosts file for bindings to localhost. >>> >>> Using IIS Manager > Add a Web Site > Test Settings I get the following >>> warning: >>> >>> Test Connection: >>> Authorization Cannot verify access to path ... >>> >>> The server is configured to use pass-through authentication with a >>> built-in account to access the specified physical path. However, IIS >>> Manager cannot verify whether the built-in account has access. Make sure >>> that the application pool identity has Read access to the physical path. >>> If this server is joined to a domain, and the application pool identity >>> is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ >>> has Read access to the physical path. Then test these settings again. >>> >>> When I try to request the site as http://website1/ I get the following >>> error: >>> >>> HTTP Error 401.3 - Unauthorized >>> You do not have permission to view this directory or page because of the >>> access control list (ACL) configuration or encryption settings for this >>> resource on the Web server. >>> >>> I've set up Failed Request Tracing Rules for the 401.3 and no clues how >>> to resolve there. >>> >>> I can use IIS Manager > Advanced Settings to change the Physical Path >>> Credentials using my user name and password and website1 will load just >>> fine. >>> >>> I'd really like to understand how to resolve this and don't understand >>> why the pass through authentication is not passing through so to speak >>> allowing me as an anonymous user to request and load website1 without >>> using IIS Manager to apply impersonation. >> >
|
Pages: 1 Prev: Am I dealing for a policy of security setting in Win2003? Next: IIS and Certificate Authority |