Tuesday, August 12, 2008

Fixing 401.x problems with IIS 6.0

Some users on our network were not able to access a web application that we administered. What was weird was that for 98% of the users - the web app worked correctly. They were able to open the web-page and interact with the application.

But for the other 2%, they would be shown a log on window and after trying to log on 3 times - IIS would kick them to a 401.1 error page, with the following information

You are not authorized to view this page

You do not have permission to view this directory or page using the credentials that you supplied.

Please try the following:

  • Contact the Web site administrator if you believe you should be able to view this directory or page.
  • Click the Refresh button to try again with different credentials.

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)

The error message was definitely not helpful, other than pointing me in the general direction that it was due to invalid credentials.

David Wang has an excellent post on how to troubleshoot 401.x error issues. (link). Check it out.

Unfortunately, our problem was not covered by any of those listed by David.

After a ton of testing I determined that the problem was because the account that was being used for anonymous login did not have the domain information with it. (eg: domain\anonymous_user). Adding the domain information fixed the problem for the other 2% that were facing the 401.1 error page instead of the web-app's start up page.

At this point I am not sure why this fixed the problem for the 2% who weren't able to access the web-app. It looks like IIS did not know where to go to determine what the anonymous_user credentials were to give access to these "special" users. But these "special" had machines that were configured exactly as the rest of the users. If I find out more information - I will be sure to post it here.

BTW, the anonymous_user account that IIS was using for anonymous logon was a domain account and not a local account.

Update 1:

I found the following commands useful for determining different settings regarding anonymous logon settings with IIS.

1. cscript adsutil.vbs FIND AnonymousUserName

Returns a list of all those websites that have anonymous logon information.

2. cscript adsutil.vbs GET xxxxxxxxxx

Where xxxxxxxxx is one of the values (represents a website) got from running (1), returns the user name that is being used for that website.

3. cscript adsutil.vbs SET xxxxxxxxxxx/AnonymousUserPass NewPass

Where xxxxxxxxxx is one of the values got from running (1). This command changes the password associated with the user id used for Anonymous logon.

And more information regarding how to use the above commands to synchronize anonymous login credentials on IIS read David's post on the topic (link).

No comments: