Error message when you try to view a Web site that is hosted on Internet Information Server 6.0 by using anonymous access: "401.1 Unauthorized: Logon failed" (909887)



The information in this article applies to:

  • Microsoft Internet Information Services version 6.0

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

When you try to view a Web site that is hosted on Microsoft Internet Information Server (IIS) 6.0 by using anonymous access, you may receive an error message that is similar to the following:
401.1 Unauthorized: Logon failed

CAUSE

This problem may occur if one or more of the following conditions are true:
  • The user account does not have the required user rights to access the Web server.
  • The user account is disabled, locked out, or expired.
  • The wrong user name or password is specified in the IIS Metabase.
  • Subauthentication is not working correctly. This condition may occur if the Web site was upgraded from IIS 5.0 to IIS 6.0.

RESOLUTION

To resolve this problem, make sure that the following conditions are true:
  • The IUSR account has the Access this computer from the network user right.
  • The IUSR account is not listed in the Deny access to this computer from the network user right.
  • The IUSR account does not have time-based restrictions for accessing the Web server.
  • The IUSR account has not expired or has not been locked out.
  • The IUSR account password is correct in the metabase and in the Local User database. (If the account is a domain account, make sure that the password is correct in the Active Directory directory service.)
  • The AnonymousPasswordSync metabase property is set to false.

MORE INFORMATION

To troubleshoot the issue effectively, make sure that "only" anonymous access is allowed on the Web site or on a single page.

How to enable security logging on the Web server

If you configure logon failure auditing, the Security event log may contain information to identify the cause of the error message. Logon failure auditing lets you view the errors in the Security event log. To enable security logging on the Web server, follow these steps:
  1. Click Start, click Run, type Secpol.msc, and then click OK.

    Notes
    • If the Web server is also a domain controller, type Dcpol.msc to open the Default Domain Controller Security Settings console. For more information about how to use the Dcpol.msc command, see the "References" section.
    • This issue can also occur if domain policy does not enable the user account that is used for anonymous access to access the required policy settings.
  2. Under Security Settings, expand Local Policies, and then click Audit Policy.
  3. In the right pane, double-click Audit logon events.
  4. On the Audit logon events Properties screen, click to select the Success and Failure check boxes, and then click OK.
  5. Click Start, click Run, type cmd, and then click OK.
  6. At the command prompt, type Gpupdate, and then press ENTER.
  7. At the command prompt, type Iisreset /restart, and then press ENTER.

Error examples

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The following are examples of errors that may be logged in the Security event log. In these examples, username is the user account that is used for anonymous access.

Error 1
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Description: Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: username
Logon Type: 8
Logon Process: Advapi Authentication
Package: Negotiate
This error may occur if the user account that is used for anonymous access is denied access to the Web Server from the network. To verify that this user account is not denied access to the Web server from the network, follow these steps:
  1. Click Start, click Run, type Secpol.msc, and then click OK.

    Note If the Web server is also a domain controller, use the Dcpol.msc command to open the Default Domain Controller Security Settings console.
  2. Under Security Settings, expand Local Policies, and then click User Rights Assignment.
  3. In the right pane, double-click Deny access to this computer from the network.
  4. If the user account that is used for anonymous access is denied access to the Web server from the network, click the user account that is used for anonymous access, click Remove, and then click OK.
Note This error may occur if the following conditions are true:
  • The Guests group is assigned the Deny access to this computer from the network user right.
  • The account that is used for anonymous access is a member of the Guests group. (This account is typically the IUSR_computername account.)
Error 2
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 530
User: NT AUTHORITY\SYSTEM
Description: Logon Failure:
Reason: Account logon time restriction violation
User Name: username
Logon Process: Advapi
Authentication Package: Negotiate
This error may occur if the user account that is used for anonymous access is denied access to the Web Server during a specific time period. To verify that this user account is not denied access during a specific time period, follow these steps:
  1. Click Start, click Run, type Dsa.msc, and then click OK.
  2. Expand the domain that you want, and then click Users.
  3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
  4. On the Account tab, click Logon Hours.
  5. Configure the logon hours that you want, and then click OK.
Error 3
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 532
User: NT AUTHORITY\SYSTEM
Description: Logon Failure: Reason: The specified user account has expired User Name: username Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate
This error may occur if the user account has expired. To resolve this issue, follow these steps:
  1. Click Start, click Run, type Dsa.msc, and then click OK.
  2. Expand the domain you want, and then click Users.
  3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
  4. On the Account tab under Account Expires, click Never, and then click OK. Or, click End of, click a new account expiration date, and then click OK.
Error 4
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Description: Logon Failure: Reason: Unknown user name or bad password User Name: username Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate
This error can occur if the password for the user account that is used for anonymous access in IIS is not synchronized with one of the following passwords:
  • The password for the user account in Active Directory
  • The password for the user account in Local Users and Groups
To synchronize the IIS password with the password that is used in Active Directory or in Local Users and Groups, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. Use the cd command to connect to the folder where the Adsutil.vbs file is located. By default, the Adsutil.vbs file is located in the following folder:

    drive:\Inetpub\Adminscripts

    Note drive is the folder where Windows is installed.
  3. At the command prompt, type Cscript adsutil.vbs get w3svc/anonymoususerpass, and then press ENTER. Note the password that is generated.

    Note You may have to set the Issecure property in the Adsutil.vbs file to False before you generate a password. To do this, follow these steps:
    1. In Notepad, open the Adsutil.vbs file.
    2. On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
    3. Change "IsSecureProperty = True" to "IsSecureProperty = False".
    4. Save the changes, and then close Notepad.
  4. Click Start, click Run, type Dsa.msc, and then click OK.

    Note If the Web server is a stand-alone server, type Lusrmgr.msc.
  5. Expand the domain that you want, and then click Users. If the Web server is a stand-alone server, click Users.
  6. Right-click the user account that you want, and then click Reset Password or Set Password.
  7. Type the password that you obtained in step 3 two times, and then click OK.
Note Subauthentication is the feature that enables IIS to control the password for the anonymous user. By default, after you upgrade from IIS 5.0 to IIS 6.0, IIS subauthentication is enabled. By default, subauthentication is not enabled on a clean installation of IIS 6.0.

Subauthentication enables IIS to authenticate the anonymous user without actually verifying the anonymous user password. Because anonymous access is provided to the content without authentication, the password is not required. Subauthentication enables IIS to use anonymous accounts without actually keeping valid user credentials in the metabase. When this setting is enabled, anonymous authentication works in IIS 5.0 compatibility mode. However, when the server is switched to IIS 6.0 Worker Process Isolation Mode, subauthentication is disabled because it requires a privileged process identity such as the Local System account. In this scenario, IIS 6.0 tries to log on by using the anonymous user credentials that are stored in the metabase. This behavior may cause a "401" error for the anonymous request if the user credentials that are stored in the metabase are not synchronized

It may appear that switching into IIS 6.O Worker Process Isolation Mode breaks anonymous authentication. This condition may occur when subauthentication is configured in IIS. To verify whether subauthentication is enabled in IIS, open the Metabase.xml file in Notepad, and then search for the AnonymousPasswordSync property. If the AnonymousPasswordSync property is in the Metabase.xml file, delete the property, or set the value to False.

Error 5
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Description: Logon Failure: Reason: User not allowed to logon at this computer User Name: username Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate
This error may occur if the domain user account that is used for anonymous access in IIS cannot log on to the IIS Web server. To verify that the user account that is used for anonymous access in IIS can log on to the IIS Web server, follow these steps:
  1. Click Start, click Run, type Dsa.msc, and then click OK.
  2. Expand the domain that you want, and then click Users.
  3. In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
  4. On the Account tab, click Log On To.
  5. In the Logon Workstations window, click All Computers, and then click OK.
If the user account that is used for anonymous access is not a domain user account, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail

  3. In the right pane, verify that the value for the crashonauditfail entry is 0 or 1. If the value for the crashonauditfail entry is 2, follow these steps:
    1. In the right pane, click crashonauditfail.
    2. On the Edit menu, click Modify.
  4. In the Value data box, type 0, and then click OK.
  5. Exit Registry Editor, and then restart the computer.

REFERENCES

For more information about default permissions and user rights in IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:

812614 Default permissions and user rights for IIS 6.0


For more information about issues that may occur when you configure the AnonymousPasswordSync property in the IIS metabase, visit the following Microsoft Web site:For more information about how to configure subauthentication in IIS 6.0, visit the following Microsoft Web site:For information about how to use the Internet Information Services Authentication and Access Control Diagnostics (AuthDiag) Version 1.0 to troubleshoot authentication and authorization issues, visit the following Microsoft Web site: For more information about issues that may occur when the Security event log is full, click the following article number to view the article in the Microsoft Knowledge Base:

832981 Users cannot access Web sites when the security event log is full


For more information about how to open the Domain Security Policy console or the Domain Controller Security Policy console at the command prompt, click the following article number to view the article in the Microsoft Knowledge Base:

832214 "You may not have appropriate rights" error message when you try to open the Domain Security Policy console or the Domain Controller Security Policy console from the command prompt


For more information about issues that may occur when you modify the "Access This Computer from the Network" user right, click the following article number to view the article in the Microsoft Knowledge Base:

257346 "Access This Computer from the Network" user right causes tools not to work


For more information about issues that may occur when you use anonymous access after you join an IIS Microsoft Windows 2000 domain, click the following article number to view the article in the Microsoft Knowledge Base:

275167 PRB: Anonymous access fails with an HTTP 401.1 error after you join an IIS Windows 2000 domain


Modification Type:MajorLast Reviewed:4/18/2006
Keywords:kbtshoot kbinfo KB909887 kbAudITPRO