I am using VSTS 2008 + C# + .Net 3.5 + IIS 6.0 + Windows Server 2003 Enterprise x64 SP2 + ASP.Net. I am using anynomous authentication + Windows authentication mode in IIS web site, and I map the user identity to mycorp\george in anynomous account and also use mycorp/george to run IIS worker process. I have also added mycorp\george to administrator group of the IIS web server machine. "mycorp" is the (Windows Active Directory) domain name my department is using.
I always got unauthorized error (401) when accessing the web site from another computer using account mycorp\george (but no error when accessing web site from local computer to access web site.) The web site is a share point web site using Share Point Service 3.0.
I have also used IIS authentication and authorization tool to do diagnoistics, here is the tool I am using http://www.microsoft.com/downloads/details.aspx?familyid=63AAF167-2138-4231-B6ED-56298044BD3B&displaylang=en
This tool reports similar authentication and authorization issue,
mycorp\george account does not have Access this computer from the network privilege Path:W3SVC/1670937635/ROOT
AuthType:Anonymous
Server's response: HTTP/1.1 401 Access denied
Learn about IIS status codes Path:W3SVC/1670937635/ROOT
AuthType:Anonymous
Any ideas what is wrong? I think for administrator account like mycorp\george, the account should have no privilege (authentication and authorization) limitation issues.
thanks in advance,
George
Best Answer
There are multiple possible issues:
1. How Is the Remote Access to a Local Account Configured.
Is the system in a domain or workgroup? If in a workgroup, unless you change it, all remote access by administrator accounts is disabled (they are treated as guests).
You can change this in local security policy:
secpol.mscfrom Start | Run(The explanation tab gives more details.)
While in
secpolalso check that you are auditting account logins.2. ISS Authentication Settings
What are the authentication settings for the virtual directory? Is anonymous access enabled? Is Windows Authentication enabled?
If you are auditting account login events, check the security event log to see the logins that should have happened if the user was authenticated.
3. What are the permissions on the file system
Does the remote user (for Windows Authentication) or the Worker Process identity (for anonymous) have read access to the file system objects?
Use Process Monitor to see if the files are being accessed (or attempts made to access them), this should help see if it is IIS generating the unauthorized error internally or use to an access denied from the file system.
4. Go back to the error
This seems to be saying that the client is not being authorised as their Windows account. This seems to be the area to focus on. Do you get the same if the client browser is running on the server box, how about a different box, how about a different browser? Is IE configured for the applicable zone to allow Windows authentication?