Security

Troubleshooting the Web Server

After all these steps have been performed, try to access the resource from a browser. If you refresh the security log in the Event Viewer, a series of audited events will be listed. Examine the security log entries and answer these questions:

Are there any access-denied errors in the audit log?
What account is being logged on? Is it what you expected?
Does this account have access to the file in question? You can check this by looking at the file access entries in the audit log.
Does this account have the correct privilege to log on (Log on locally or network logon)?
Does this account have a deny-logon privilege (for example deny logon locally or deny network logon)?
Are there any 401s or 403s in the W3C log? If so, why are they there?

The following are some tips regarding permissions and IIS 5.0:

If Anonymous authentication is turned on, this will usually be used before other authentication schemes.
If Anonymous authentication is turned on and the IUSR_computername account is not allowed access to the resource in question, you might see a user name/password dialog box appear in the browser.
If you are using Anonymous authentication, check whether the anonymous account is valid (correct password and logon times) and enabled. Right-click the virtual server in question, and select Properties, Directory Security, Anonymous Access and Authentication Control, Edit, and Edit.
If you are accessing data from within an ASP file, the account being used must have access to the Microsoft® ActiveX® Date Objects (ADO) and ODBC directories.
If you are using a page count component or a component that accesses files or the registry, the account logging on must have write and possibly delete access to the file or registry entry that it uses to persist its count.
Any account used for Anonymous authentication when Allow IIS to control password is disabled must have the Log on locally privilege.
Any account used for Anonymous authentication when Allow IIS to control password is enabled must have the Network logon privilege.
Any account used for Basic authentication must have the Log on locally privilege.
Any account used for integrated Windows authentication or Digest authentication must have the Network logon privilege.

You can change the privilege type in the items just mentioned to Batch or Network, by using the LogonMethod ADSI property. The following ADSI code snippet shows how to do this:

Dim oIIS
Const LOGON_LOCAL = 0x0
Const LOGON_BATCH = 0x1
Const LOGON_NETWORK = 0x2
Set oIIS = GetObject("IIS://Baggins/W3SVC/1")
oIIS. LogonMethod = LOGON_BATCH
oIIS.SetInfo
Set oIIS=Nothing

Accessing a network computer from an IIS 5.0 computer might fail, because Windows 2000 Server might not be configured to pass the user’s security information to the other computer. To verify the configuration, perform the auditing steps (listed earlier) on the network computer in question, as well as on the IIS 5.0 computer.
Microsoft® Internet Explorer 4.0 or later can be configured to support only certain authentication protocols. You can set these protocols by going to the Edit (Internet Explorer 4.0) or Tools (Internet Explorer 5) menu and selecting Internet Properties, Security, Custom, Settings, and User Authentication. If you select Anonymous Logon, the browser will not support any authentication schemes other than Anonymous.
Check the IP and Domain Restrictions. Right-click the virtual server in question, and select Properties, Directory Security, IP Address and Domain Name Restrictions, and Edit.
If you are using <!-- #include --!> statements, errors might be caused, since access is denied on the included file, but not on the main file. For example, if Default.asp includes Tools.asp, but Tools.asp has a restrictive DACL, an error may be reported on Default.asp, even though the logged-on account has access to it. To check for this, you might wish to temporarily comment out #include statements until you have successfully resolved the situation.