Sunday, April 19, 2009

Troubleshooting: “HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials” when website is configured to use Anonymous Authentication in IIS 6.0 with default IUSR account.

Alright, I know what might have caused this. But how do I fix it?

In IIS 6.0, it's possible to use sub-authentication to manage passwords for anonymous accounts; to do so, your configuration must meet the following requirements:

  • For applications for which you grant anonymous access, the worker process must run as LocalSystem.
  • The sub-authentication component, Iissuba.dll, must be registered.
  • The AnonymousPasswordSync metabase property must be enabled (set to true).

Which I hope most of us will never want to do. Why? We all know, and I don't think I need to spell it out, but still: because of the potential security risk (the first requirement alone means running the worker process as LocalSystem). So what is the alternative? The alternative, and the preferred solution, is to manually synchronize the username/password of the anonymous user principal in IIS with that of the real user principal. So let's see what we can do to get it fixed:

1. The first place to start troubleshooting this issue is the Security log in Event Viewer, where we are looking for logon failure events.

2. The failure event will tell us why authentication for the anonymous user principal (IUSR) is failing; it may list reasons such as:

  • Logon Failure: Reason: User not allowed to logon at this computer
  • Logon Failure: Reason: Account locked
  • Logon Failure: Reason: The user has not been granted the requested logon type at this machine
  • Logon Failure: Reason: Account logon time restriction violation
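As an added example (not part of the original post), the script below pulls the same logon failure events out of the Security log with WMI instead of clicking through Event Viewer. It assumes Windows Server 2003 / IIS 6.0, whose Security log uses the pre-Vista event IDs 529, 530, 533, 534 and 539 for the reasons listed above, that "Audit logon events" is enabled, and that it runs as an administrator. The file name iusr-failures.vbs is hypothetical.

```vbscript
' Added example: not part of the original post. Assumes Windows Server 2003 /
' IIS 6.0, whose Security log uses the pre-Vista event IDs listed below, and
' that the script runs as an administrator who may read the Security log.
' Usage: cscript //nologo iusr-failures.vbs IUSR_<MACHINENAME>
Option Explicit

' Map of audit-failure event IDs to the logon failure reasons the post lists.
Dim dReasons
Set dReasons = CreateObject("Scripting.Dictionary")
dReasons.Add "529", "Unknown user name or bad password"
dReasons.Add "530", "Account logon time restriction violation"
dReasons.Add "533", "User not allowed to logon at this computer"
dReasons.Add "534", "The user has not been granted the requested logon type at this machine"
dReasons.Add "539", "Account locked out"

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript //nologo iusr-failures.vbs <anonymous account name>"
    WScript.Quit 2
End If
Dim sAccount
sAccount = WScript.Arguments(0)

' The (Security) privilege in the moniker is what lets WMI open the Security log.
Dim oWMI, cEvents, oEvent, sCode, nShown, dCounts
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
' EventType 5 = audit failure. WQL has no IN operator, so the codes are OR'ed.
Set cEvents = oWMI.ExecQuery( _
    "SELECT EventCode, TimeWritten, Message FROM Win32_NTLogEvent " & _
    "WHERE Logfile = 'Security' AND EventType = 5 AND (EventCode = 529 OR " & _
    "EventCode = 530 OR EventCode = 533 OR EventCode = 534 OR EventCode = 539)")

Set dCounts = CreateObject("Scripting.Dictionary")
nShown = 0
For Each oEvent In cEvents
    ' Keep only failures that mention the anonymous account being troubleshot.
    If InStr(1, oEvent.Message, sAccount, vbTextCompare) > 0 Then
        sCode = CStr(oEvent.EventCode)
        If dCounts.Exists(sCode) Then
            dCounts(sCode) = dCounts(sCode) + 1
        Else
            dCounts.Add sCode, 1
        End If
        If nShown < 10 Then   ' print the first few, summarise the rest
            WScript.Echo WmiTimeToText(oEvent.TimeWritten) & "  " & sCode & "  " & dReasons(sCode)
            nShown = nShown + 1
        End If
    End If
Next

WScript.Echo vbCrLf & "Failure reasons for " & sAccount & ":"
If dCounts.Count = 0 Then
    WScript.Echo "  none found (is auditing of logon events enabled?)"
End If
For Each sCode In dCounts.Keys
    WScript.Echo "  " & dCounts(sCode) & " x " & dReasons(sCode)
Next

' Win32_NTLogEvent.TimeWritten is a CIM datetime, e.g. 20090419103000.000000+060
Function WmiTimeToText(s)
    WmiTimeToText = Mid(s, 1, 4) & "-" & Mid(s, 5, 2) & "-" & Mid(s, 7, 2) & " " & _
                    Mid(s, 9, 2) & ":" & Mid(s, 11, 2) & ":" & Mid(s, 13, 2)
End Function
```

The per-reason summary at the end tells you directly which of the "Fixing:" sections below applies; if it reports nothing, check that the audit policy for logon events is turned on before assuming the account is fine.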

3. Now that we know exactly what caused it, it's easy to fix:

Fixing: Bad username or Unknown password

1. Find the locations/nodes where the anonymoususerpass value is listed:

a. Open command prompt (Click Start > Run > Type : cmd)
b. Navigate to the C:\inetpub\adminscripts directory.
c. Enter the following command:
cscript adsutil.vbs find anonymoususerpass
d. Press Enter. This returns a listing of all the nodes where anonymoususerpass appears in the metabase. Ideally it should display only the W3SVC node (it may also appear in the MSFTPSVC node if you are running FTP).

If it displays locations under W3SVC (e.g. W3SVC/1/ROOT), those entries should be deleted.

Output example (non-ideal output):
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Property anonymoususerpass found at:
W3SVC
W3SVC/1/ROOT
W3SVC/5/ROOT

2. Remove the additional anonymoususerpass values, if any are listed. To delete them, use the following syntax:

cscript adsutil.vbs delete <node/location>/anonymoususerpass

For example, if the response is as shown above, the following commands are to be executed:
cscript adsutil.vbs delete W3SVC/1/root/anonymoususerpass
cscript adsutil.vbs delete W3SVC/5/root/anonymoususerpass

Output Example:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
deleted property "anonymoususerpass"

Once it is ensured that the password is set at only a single location, the next step is to sync the password with the one in the SAM database or AD database.

3. Retrieve the password for the anonymous user principal (IUSR) stored in the IIS metabase:

a. In Notepad, open Adsutil.vbs located in c:\Inetpub\adminscripts.
b. On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
c. Change "IsSecureProperty = True" to "IsSecureProperty = False".

d. Save the changes to Adsutil.vbs, and then close Notepad.

e. Open command prompt (Click Start > Run > Type : cmd)

f. Navigate to the C:\inetpub\adminscripts directory. (Type CD c:\Inetpub\adminscripts and press enter)

g. Enter the following command: cscript adsutil.vbs get W3SVC/anonymoususerpass

Once you have noted the password, change IsSecureProperty back to True in Adsutil.vbs so that the script masks it again.

Output example (the password is shown in clear at the end of the line; a placeholder is used here):
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
anonymoususerpass               : (STRING) "<password>"

4. Change the IUSR password to the one retrieved in the steps above, using Active Directory Users and Computers (domain account) or Computer Management (local account).
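Steps 1 to 4 above can be done in one go through the same IIS ADSI provider that adsutil.vbs uses. The script below is an added example, not the post's own procedure and not part of adsutil.vbs: it lists every metabase path where AnonymousUserPass is set (what `find` does), refuses to continue while site-level copies exist, reads the account name and password from the W3SVC node, and with the /sync switch writes that password to the matching local or domain account. It assumes IIS 6.0, an administrator command prompt, and the hypothetical file name iusr-sync.vbs.

```vbscript
' Added example: not the original post's script and not part of adsutil.vbs.
' Assumptions: IIS 6.0 with its ADSI provider, run as an administrator:
'   cscript //nologo iusr-sync.vbs          (report only)
'   cscript //nologo iusr-sync.vbs /sync    (also set the account password)
Option Explicit

Const IIS_ANY_PROPERTY = 0   ' GetDataPaths flag: inheritable and non-inheritable values

Dim oW3SVC, aPaths, sPath, sNode, nExtra
Dim sUser, sPass, sDomain, sAccount, oUser
Set oW3SVC = GetObject("IIS://localhost/W3SVC")

' Step 1: where in the metabase is the anonymous password stored?
aPaths = oW3SVC.GetDataPaths("AnonymousUserPass", IIS_ANY_PROPERTY)
nExtra = 0
WScript.Echo "AnonymousUserPass is set at:"
If IsArray(aPaths) Then
    For Each sPath In aPaths
        sNode = NormalizePath(sPath)
        WScript.Echo "  " & sNode
        If UCase(sNode) <> "W3SVC" Then nExtra = nExtra + 1
    Next
End If

' Step 2: stop while site-level copies exist; they override the W3SVC value
' for those sites, so syncing the W3SVC password alone would not fix them.
If nExtra > 0 Then
    WScript.Echo nExtra & " site-level copy/copies found. Remove them first, e.g."
    WScript.Echo "  cscript adsutil.vbs delete W3SVC/1/ROOT/anonymoususerpass"
    WScript.Quit 1
End If

' Step 3: read the account and password from the W3SVC node. The ADSI provider
' returns the password to administrators; adsutil.vbs only masks it because of
' its IsSecureProperty flag, so no edit of adsutil.vbs is needed here.
sUser = oW3SVC.AnonymousUserName
sPass = oW3SVC.AnonymousUserPass
WScript.Echo "AnonymousUserName : " & sUser
WScript.Echo "AnonymousUserPass : " & String(Len(sPass), "*") & " (" & Len(sPass) & " characters)"

' Step 4: optionally set the real account's password to the metabase value.
If WScript.Arguments.Named.Exists("sync") Then
    If InStr(sUser, "\") > 0 Then
        sDomain  = Left(sUser, InStr(sUser, "\") - 1)   ' DOMAIN\user or MACHINE\user
        sAccount = Mid(sUser, InStr(sUser, "\") + 1)
    Else
        sDomain  = "."                                   ' local SAM account
        sAccount = sUser
    End If
    Set oUser = GetObject("WinNT://" & sDomain & "/" & sAccount & ",user")
    oUser.SetPassword sPass
    oUser.SetInfo
    WScript.Echo "Password of " & sUser & " now matches the metabase."
Else
    WScript.Echo "Run again with /sync to set the account password to the metabase value."
End If

' GetDataPaths returns metabase paths such as /LM/W3SVC/1/ROOT/; reduce them to
' the W3SVC/1/ROOT form that adsutil.vbs prints.
Function NormalizePath(p)
    Dim s
    s = p
    If Left(s, 1) = "/" Then s = Mid(s, 2)
    If UCase(Left(s, 3)) = "LM/" Then s = Mid(s, 4)
    If Right(s, 1) = "/" Then s = Left(s, Len(s) - 1)
    NormalizePath = s
End Function
```

Run it without /sync first: the report alone confirms whether the password lives only at W3SVC and which account name IIS is actually trying to log on, which is what you need before touching the account in Computer Management or Active Directory Users and Computers.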

Fixing: Account locked

This video demonstrates how to unlock a locked Windows user account and how to configure the lockout policies.
Credit:
Robert Walden
Copyright: Robert Walden

Reference: http://www.associatedcontent.com/video/10648/how_to_unlock_a_locked_out_windows.html?cat=15

Fixing: User not allowed to logon at this computer

Using the Active Directory Users and Computers Snap-in
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click the container that contains the user account that you want.
  3. In the right pane, right-click the user account, and then click Properties.
  4. Click the Account tab, and then click Log On to.
  5. Provide the appropriate computer names.

Fixing: The user has not been granted the requested logon type at this machine

Verify the permissions as described in the following Microsoft KB article.

http://support.microsoft.com/kb/812614

The only caveat is that the article doesn't ask you to check the following policies, and doesn't say that the user principal in question must not be listed in them:

  1. Deny Logon as a Batch Job
  2. Deny Logon Locally
  3. Deny Access to this computer from Network

So please be careful and check these as well.

Fixing: Account logon time restriction violation

Method 1: Using the Active Directory Users and Computers Snap-in
  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click the container that contains the user account that you want.
  3. In the right pane, right-click the user account, and then click Properties.
  4. Click the Account tab, and then click Logon Hours.
  5. Click All to select all available times, and then click Logon Permitted.
Method 2: Using the Net User Command-line Statement
  1. Click Start, and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. Type net user username /time:logon_times (where username is the name of the user account, and where logon_times are the days and times that you want to allow access to the domain), and then press ENTER.

Use the following information to help you use the /time switch:

  • Days can be spelled out (for example, Monday) or abbreviated (for example, M,T,W,Th,F,Sa,Su).
  • Hours can be in 12-hour notation (1PM or 1P.M.) or 24-hour notation (13:00).
  • A value of blank means that the user can never log on.
  • A value of all means that a user can always log on.
  • Use a hyphen (-) to mark a range of days or times. For example, to create a range from Monday through Friday, type either M-F or monday-friday. To create a range of time from 8:00 A.M. to 5:00 P.M., type 8:00am-5:00pm, 8am-5pm, or 8:00-17:00.
  • Separate the day and time items with commas (for example, monday,8am-5pm).
  • Separate day and time units with semicolons (for example, monday,8am-5pm;tuesday,8am-4pm;wednesday,8am-3pm).
  • Do not use spaces between days or times.

Reference: http://support.microsoft.com/kb/816666

1 comment:

Anonymous said...

This worked for me. Thanks.