XCCC: You Receive an Access Denied Error Message When You Join a Conference on a Failover Conferencing Server (330346)


The information in this article applies to:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange 2000 Conferencing Server
This article was previously published under Q330346

SYMPTOMS

When you try to join a conference by using the Web access pages on the now-active Exchange 2000 Conferencing Server, you may receive the following error message:
Access Denied The Conference Management Service denied your request due to a lack of permissions. Please try the following: Verify that you are using the correct password if the conference requires one. Verify that you are not trying to join a private conference that you have not been invited to. Contact your system administrator. Microsoft VBScript runtime error / [Obtaining MCU] Error #46: Permission denied / [Unable to attach to the T.120 MCU while using the conference technology provider extension] Microsoft Exchange 2000 Conferencing Server.
When a failover occurs and the backup Exchange 2000 Conferencing Server becomes active, your active conferences may not appear on the failed Exchange 2000 Conferencing Server Web access pages. If you try to join a conference from the Exchange 2000 Conferencing Server Web access pages that failed, you may receive an error message that access is denied. If you view the Exchange 2000 Conferencing Server Web access pages on the now-active Exchange 2000 Conferencing Server, the conferences may not appear correctly.

CAUSE

This behavior occurs because of a change in the way Microsoft Windows Server 2003 handles the Microsoft Internet Information Server (IIS) anonymous user SubAuthentication.

In Microsoft Windows 2000, IIS uses a SubAuthentication process that permits IIS to control the password of the anonymous user account. With SubAuthentication, IIS can replace typical Windows logon procedures with a validation scheme that is contained in a dynamic link library (Iissuba.dll) and log any Internet connection to the system directly. Therefore, SubAuthentication can permit the anonymous IIS user to access some network resources, such as Distributed Communication (DCOM) calls. Because the IIS anonymous user is not a domain user, the user does not have domain user rights, and therefore is not officially authorized to make DCOM calls to another domain computer. SubAuthentication makes these calls possible in Windows 2000.

Windows Server 2003 does not provide SubAuthentication support for IIS, and therefore the DCOM calls that are initiated by the IIS anonymous user fail.

WORKAROUND

To work around this behavior, create a user name and password pair that are the same for the IIS anonymous user on both computers.

STATUS

This behavior is by design.

MORE INFORMATION

Your two Exchange 2000 Conferencing Servers are installed on Windows Server 2003-based computers. One of the Exchange 2000 Conferencing Servers is configured as a failover backup.

Note IIS is running on the failed Exchange 2000 Conferencing Server.

For more information about Windows SubAuthentication, see the Microsoft Platform SDK and Microsoft Visual Studio 6.0 on-line product documentation. As of December 2002, Visual Studio 6.0 includes a SubAuthentication sample that is named SubAuth. For additional information about SubAuthentication, click the following article number to view the article in the Microsoft Knowledge Base:

216828 Password Synchronization/Allow IIS to Control Password May Cause Problems

Modification Type:MinorLast Reviewed:6/13/2003
Keywords:kberrmsg kbprb kbRTC kbbug KB330346 kbAudITPRO
©2002 Microsoft Corporation. All rights reserved.