PRB: Cannot Use the Local IUSR Account for Content Permissions (318932)



The information in this article applies to:

  • Microsoft Application Center 2000 SP1

This article was previously published under Q318932

SYMPTOMS

When users connect anonymously to your Web site, they may receive the following error message from the cluster members, but not from the cluster controller:
"HTTP 401.1 - Unauthorized: Logon Failed"

CAUSE

Application Center 2000 creates a new local IUSR account on each server that is added to the cluster. The name of this account is IUSR_ClusterController (where ClusterController is the computer name of the cluster controller). By default, the IUSR_ClusterController account is the anonymous user account on the cluster controller. Application Center replicates this metabase setting to all servers in the cluster; therefore, each cluster member must have an account with this same name to handle anonymous connections.

If you grant the IUSR_ClusterController account explicit permissions to your content, and then replicate your Web content with permissions, the cluster members cannot resolve the account security identifier (SID) stored in those permissions.

When Application Center 2000 replicates with permissions, it copies each object (including files and folders) together with its Access Control List (ACL). An ACL does not store account names; it stores SIDs. The SID of a local account consists of the computer's own machine SID followed by a relative identifier (RID), so the IUSR_ClusterController account on the cluster controller and the same-named IUSR_ClusterController account on a member server have different SIDs. The replicated ACL contains the controller's SID, which no member can map to a local account; the ACL editor on a member shows the raw SID instead of a name. Because Windows compares the SIDs in the anonymous user's access token against the SIDs in the ACL, and never the names, the anonymous account does not have access to the content on the cluster members, and IIS returns the 401.1 error.

RESOLUTION

To resolve this issue, do one of the following:
  • Best Practice: Use domain level accounts.
    1. Add all affected servers to the same Windows domain.
    2. Grant permissions to your Web content to a domain level account (such as MyDomain\IUSR_WebCluster).
    3. Set the domain level account to be the anonymous access account of the Web site or Web sites.
    4. Synchronize the cluster with permissions.

      NOTE: Application Center replicates permissions only when the file or folder is actually replicated. To replicate the file or folder, there must be a significant change to the object (such as size, modification date, or attributes). Change of permissions alone does not constitute a significant enough change for replication to take place.
  • Default Configuration (work group environment): Application Center 2000 assumes that the servers are not members of a Windows domain (work group environment). This is the default configuration. To maintain consistent permissions in this environment, replicate with permissions and use well-known built-in SIDs, such as the Everyone group, on content permissions. The Everyone group has a well-known SID (S-1-1-0) that is identical on every Windows computer, so an entry for Everyone replicated from the controller matches the anonymous user's access token on each member, and the local IUSR_ClusterController account gains access to the content through the Everyone group. Grant Everyone only the rights the anonymous account actually needs (typically Read), because this entry applies to every logon on the server.
  • Replicate without permissions: This is similar to a typical file copy. You must set permissions manually on the content, and you must do so separately on each server.
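The following model illustrates the CAUSE section and the first two resolutions above. It is an added example, not code from the Knowledge Base article and not part of Application Center; the machine SIDs, RIDs, host and domain names below are constructed for illustration. What it reproduces is the real rule: a local account SID is the machine SID plus a RID, a domain account SID is the domain SID plus a RID, well-known SIDs such as Everyone (S-1-1-0) are the same everywhere, and the access check compares the SIDs in the caller's token with the SIDs in the ACL, never account names. Run it to see the replicated ACL that works on Server1, fails on Server2 with an orphaned SID, and then works again with Everyone or a domain account.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EVERYONE = "S-1-1-0"                      # well-known SID, identical on every host
WELL_KNOWN = {EVERYONE: "Everyone"}


@dataclass
class Domain:
    name: str
    sid: str                              # S-1-5-21-... of the domain (constructed)
    accounts: Dict[int, str]              # RID -> account name


@dataclass
class Host:
    name: str
    machine_sid: str                      # S-1-5-21-..., unique per installation
    local_accounts: Dict[int, str]        # RID -> local account name
    domain: Optional[Domain] = None       # set when the host is domain-joined

    def sid_of(self, account: str) -> str:
        """SID of 'HOST\\name' or 'DOMAIN\\name' as a logon on this host would carry it."""
        scope, _, name = account.partition("\\")
        if scope.lower() == self.name.lower():
            rid = next(r for r, n in self.local_accounts.items() if n == name)
            return f"{self.machine_sid}-{rid}"
        if self.domain and scope.lower() == self.domain.name.lower():
            rid = next(r for r, n in self.domain.accounts.items() if n == name)
            return f"{self.domain.sid}-{rid}"
        raise LookupError(f"{self.name} cannot log on {account}")

    def token_for(self, account: str) -> Set[str]:
        """SIDs in the access token of a logon for `account`: the user SID plus
        Everyone (a real token carries more groups; these are the ones that matter here)."""
        return {self.sid_of(account), EVERYONE}

    def resolve(self, sid: str) -> Optional[str]:
        """Name the ACL editor would show on this host, or None if the SID is
        unknown here (the editor then shows the raw SID string)."""
        if sid in WELL_KNOWN:
            return WELL_KNOWN[sid]
        prefix, _, rid = sid.rpartition("-")
        if prefix == self.machine_sid and int(rid) in self.local_accounts:
            return f"{self.name}\\{self.local_accounts[int(rid)]}"
        if self.domain and prefix == self.domain.sid and int(rid) in self.domain.accounts:
            return f"{self.domain.name}\\{self.domain.accounts[int(rid)]}"
        return None


ACE = Tuple[str, str]                     # (SID, right); allow entries only, enough here


def unresolved_aces(acl: List[ACE], host: Host) -> List[str]:
    """SIDs in the ACL that this host cannot map to any account."""
    return [sid for sid, _ in acl if host.resolve(sid) is None]


def has_read(acl: List[ACE], token: Set[str]) -> bool:
    """Access check: an allow entry grants Read only if its SID is literally in the token."""
    return any(right == "Read" and sid in token for sid, right in acl)


# Constructed cluster: controller Server1 and member Server2. Both carry the
# same-named local IUSR_Server1 account (RID 1001), but under different machine SIDs.
SERVER1 = Host("Server1", "S-1-5-21-1111111111-2222222222-3333333333", {1001: "IUSR_Server1"})
SERVER2 = Host("Server2", "S-1-5-21-4444444444-5555555555-6666666666", {1001: "IUSR_Server1"})

# ACL written on the controller for its local IUSR account, then replicated unchanged.
ACL_LOCAL_IUSR: List[ACE] = [(SERVER1.sid_of("Server1\\IUSR_Server1"), "Read")]


def scenario_local_iusr():
    """Works on the controller, fails on the member, and the member sees an orphaned SID."""
    on_ctrl = has_read(ACL_LOCAL_IUSR, SERVER1.token_for("Server1\\IUSR_Server1"))
    on_member = has_read(ACL_LOCAL_IUSR, SERVER2.token_for("Server2\\IUSR_Server1"))
    return on_ctrl, on_member, unresolved_aces(ACL_LOCAL_IUSR, SERVER2)


def scenario_everyone():
    """Work-group fix: a well-known SID resolves and matches on every member."""
    acl: List[ACE] = [(EVERYONE, "Read")]
    return has_read(acl, SERVER2.token_for("Server2\\IUSR_Server1")), unresolved_aces(acl, SERVER2)


def scenario_domain():
    """Domain fix: both servers joined to MyDomain, ACL granted to a domain account."""
    dom = Domain("MyDomain", "S-1-5-21-7777777777-8888888888-9999999999", {1105: "IUSR_WebCluster"})
    ctrl = Host(SERVER1.name, SERVER1.machine_sid, SERVER1.local_accounts, dom)
    member = Host(SERVER2.name, SERVER2.machine_sid, SERVER2.local_accounts, dom)
    acl: List[ACE] = [(ctrl.sid_of("MyDomain\\IUSR_WebCluster"), "Read")]
    return has_read(acl, member.token_for("MyDomain\\IUSR_WebCluster")), member.resolve(acl[0][0])


if __name__ == "__main__":
    print("local IUSR :", scenario_local_iusr())
    print("Everyone   :", scenario_everyone())
    print("domain acct:", scenario_domain())
```

The orphaned SID that scenario_local_iusr returns is exactly what you see in the ACL editor on a member after replication: a raw S-1-5-21-... string where the controller showed Server1\IUSR_Server1. The same check, run on real content, is the fastest way to confirm this article applies to you.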

STATUS

This behavior is by design.

MORE INFORMATION

Application Center is designed to have full functionality with or without a Windows domain. Therefore, an account with the same name (IUSR_ClusterController) is created on each server to permit anonymous access; otherwise, the replicated metabase setting on the cluster members would point to a nonexistent account. The same name on each server does not imply the same SID, which is why file permissions granted to this account do not replicate cleanly.

Steps to Reproduce Behavior

To reproduce the behavior, follow these steps:
  1. In the Internet Services Manager (MMC) on the cluster controller (Server1, in this example), set the anonymous user account to be the local IUSR_ClusterController account.

    Note: This is the default setting in Internet Information Service (IIS).
  2. Remove all permissions from the Web content of the Web site, and then grant the local IUSR_ClusterController account (Server1\IUSR_Server1) Read access to the content.
  3. In Properties for the folder that contains the Web content, click to select the Archive setting, and then click to clear the Archive setting, so that Application Center recognizes a significant change to the content.
  4. Synchronize the cluster.

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

279148 PRB: Addition of New Application Center Member Fails When Anonymous Password Violates Password Policy


Modification Type: Minor
Last Reviewed: 1/17/2003
Keywords: kbprb KB318932