Log on Locally Permission Not Required for Client Access

ID: Q153953


The information in this article applies to:
  • Microsoft Internet Information Server versions 1.0, 2.0, 3.0


SYMPTOMS

When you configure a Microsoft Windows NT user account to be used by clients using HTTP basic authentication, Internet Information Server (IIS) requires that the account is granted the Log on Locally right.

If this right is not granted to users who will be accessing IIS services, then the following symptoms may be experienced.

When a client tries to access an HTML page on IIS, you will get the following error message:

Error: Access is denied.

When a client tries to access the FTP server on IIS, you will get the following error message:
Login failed.

However, for reasons of security, it may be undesirable for the IIS Administrator to grant users the Log on Locally right.


RESOLUTION

Microsoft has created a patch that enables IIS administrators to choose which right needs to be granted to users in order that clients using Basic Authentication may access IIS services.

After you apply the patch, the required rights are configurable by the IIS administrator by setting the following registry value (where ServiceName is either W3SVC for the WWW service, or MSFTPSVC for the FTP service).

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.


HKEY_LOCAL_MACHINE\SYSTEM
 \CurrentControlSet
  \Services
   \ServiceName
    \Parameters

Value Name: LogonMethod
Value Type: REG_DWORD
Value Range:   0 or 1
Default: 0 

A value of 0 means users must have the right to Log on Locally to be given access to the server. A value of 1 means that users must have the right to Log On as a Batch Job.

The Log On as a Batch Job privilege is an advanced user right that may be granted in User Manager.


STATUS

Microsoft has confirmed this to be a problem in Microsoft Internet Information Server version 1.0. This problem was corrected in the latest Windows NT 3.51 U.S. Service Pack. For information on obtaining the Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):


   S E R V P A C K 

Additional query words:

Keywords : kbenv NTSrv iisftp iissecurity iiswww
Version : winnt:1.0,2.0,3.0
Platform : winnt
Issue type :


Last Reviewed: April 27, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.