Anonymous and Basic Authentication Fail When You Connect to IIS 5.0 on a Domain Controller (263140)
The information in this article applies to:
- Microsoft Internet Information Services 5.0
This article was previously published under Q263140 SYMPTOMS
When you try to connect to a Web page that is running under Internet Information Services (IIS) 5.0 on a Microsoft Windows 2000 Domain Controller by using Anonymous or Basic authentication, the following error message may appear in the Web browser, even when the proper permissions are set:
HTTP 401.1 - Unauthorized: Logon Failed
CAUSE
For security reasons, on Windows 2000 domain controllers, only the account operators, administrators, backup operators, print operators, server operators, Internet guest account, and Terminal Services user accounts have the Log on Locally user right, which is a requirement for both Anonymous and Basic authentication.
WORKAROUNDIMPORTANT: Microsoft does not recommend running Internet Information Services on a domain controller (or BDC/PDC if you are running Microsoft Windows NT Server 4.0), because IIS performance is severely degraded due to the networking and processor load imposed by authentication and other roles performed by domain controllers.
For additional information, click the article number below
to view the article in the Microsoft Knowledge Base:
197132 Windows 2000 Active Directory FSMO Roles
To work around this issue, perform the following steps:
- Load the Domain Users and Computers snap-in.
- Right-click the Users container, click New, and then select Group.
- Configure this new group as follows:
- Group Name: WebUsers
- Group Scope: Domain Local
- Group Type: Security
- Click Next until the wizard is finished and the WebUsers group is created.
- Add any users or groups that require access to your Web site to the WebUsers group.
- Load the Domain Controller Security Policy snap-in.
- In the left pane, click to expand Windows Settings, click to expand Security Settings, click to expand Local Policies, and then select User Rights Assignments.
- Double-click the Log on locally user right.
- Add the WebUsers group that you created in step 4.
- Force the policy to take affect by issuing the following command:
secedit /refreshpolicy machine_policy /enforce
At this point, any account or group that is a member of the WebUsers group should be able to log on to the IIS 5.0 server by using Basic authentication. With Basic/Clear Text authentication, it is recommended that the data be encrypted with SSL, as it is extremely easy to obtain credentials from a network trace. For additional information on installing SSL under IIS 5.0, click the article number below
to view the article in the Microsoft Knowledge Base:
228836 Installing a New Certificate for Use in SSL/TLS
Modification Type: | Major | Last Reviewed: | 6/28/2004 |
---|
Keywords: | kbpending kbprb KB263140 |
---|
|