SYMPTOMS
In Microsoft Internet Information Services (IIS) 6.0 or in Microsoft Internet Information Services (IIS) 5.0, the account that is used for anonymous access may be unexpectedly locked out. Additionally, one or more events that resemble the following may be logged in the Security log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Description:
Logon Failure:
Reason: Account locked out
User Name: username
Domain: domain
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Description:
The logon to account: username by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: computername failed. The error code was: 3221226036

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Description:
The server was unable to logon the Windows NT account 'useraccount' due to the following error: The referenced account is currently locked out and may not be logged on to

Notes
- Username is a placeholder for the user name.
- Domain is a placeholder for the domain name.
- Computername is a placeholder for the computer name.
- Useraccount is a placeholder for the user account in the Active Directory directory service or in Local Users and Groups.
RESOLUTION
To resolve this issue, use one of the following methods.
Method 1: Verify the registry settings
Verify that the Security log is not full. Additionally, verify that the following registry key is set to the correct value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
832981 Users cannot access Web sites when the security event log is full
Method 2: Verify the permissions
Verify that the account that is used for anonymous access has the permissions that are required to access the Web site. To do this, use version 1.0 of the Authentication and Access Control Diagnostics (AuthDiag) tool. For more information about the AuthDiag tool, visit the following Microsoft Web site:
Method 3: Synchronize the passwords
Synchronize the password for the account that is used for anonymous access in IIS with the password for the account in Active Directory or in Local Users and Groups.
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
909887 Error message when you try to view a Web site that is hosted on Internet Information Server 6.0 by using anonymous access: "401.1 Unauthorized: Logon failed"
Method 4: Verify that the password for the account is consistent in the IIS metabase
Verify that the account that is used for anonymous access does not exist with a different password in the IIS metabase. For example, the account that is used for anonymous access may be unexpectedly locked out if the following conditions are true:
- The UNCUserName property uses the account that is used for anonymous access.
- This account is configured to use a different password.
To verify that the password for the account is consistent in the IIS metabase, search the IIS metabase for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.
To search the IIS metabase, follow these steps:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, use the CD command to change to the Inetpub\Adminscripts directory.
- At the command prompt, type Cscript Adsutil.vbs Enum_all > Metabase.txt, and then press ENTER.
- At the command prompt, type Exit, and then press ENTER.
- Open the Metabase.txt file, and then search for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.
Notes
- You can open the IIS 6.0 Metabase.xml file in Notepad.
- In IIS 6.0, you can use Metabase Explorer to view and to edit the IIS metabase. Metabase Explorer is available in the IIS 6.0 Resource Kit.
- In IIS 5.0, you can use the MetaEdit tool to view and to edit the IIS metabase. However, the MetaEdit tool is not a supported tool.
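The following is an added example, not part of the original article: one way to do the search from the last step over the exported Metabase.txt, listing every metabase path where a user-name property holds the anonymous account. The function names and sample account names are hypothetical, and the file layout (bracketed paths followed by `Name : (TYPE) "value"` lines) is an assumption about the Adsutil.vbs Enum_all output. It treats DOMAIN\user and user as the same account so that differently qualified entries are not missed.

```python
import re

# Constructed sample; the "[path]" / 'Name : (TYPE) "value"' layout is an
# assumption about what Adsutil.vbs Enum_all writes to Metabase.txt.
SAMPLE = r'''
[/w3svc]
AnonymousUserName               : (STRING) "IUSR_WEB01"
AnonymousUserPass               : (STRING) "**********"
[/w3svc/1/root]
KeyType                         : (STRING) "IIsWebVirtualDir"
[/w3svc/1/root/reports]
UNCUserName                     : (STRING) "WEB01\iusr_web01"
UNCPassword                     : (STRING) "**********"
[/w3svc/2/root]
AnonymousUserName               : (STRING) "CORP\svc_site2"
'''

SECTION = re.compile(r'^\[(.+)\]$')
PROP = re.compile(r'^(\w+)\s*:\s*\((\w+)\)\s*"(.*)"$')

def bare_name(account):
    """Drop any DOMAIN\\ or COMPUTER\\ prefix and ignore case."""
    return account.split("\\")[-1].lower()

def find_account(text, account):
    """Return (metabase_path, property, value) for each *UserName property set to the account."""
    wanted, path, hits = bare_name(account), None, []
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            path = section.group(1)  # properties that follow belong to this path
            continue
        prop = PROP.match(line)
        if prop and prop.group(1).lower().endswith("username"):
            if bare_name(prop.group(3)) == wanted:
                hits.append((path, prop.group(1), prop.group(3)))
    return hits

def secondary_uses(hits):
    """Entries other than AnonymousUserName, such as UNCUserName, whose stored password must match too."""
    return [h for h in hits if h[1].lower() != "anonymoususername"]

if __name__ == "__main__":
    for path, prop, value in find_account(SAMPLE, "IUSR_WEB01"):
        print(f"{path}: {prop} = {value}")
```

To check a real export, pass the contents of Metabase.txt to `find_account` in place of the sample. Each path returned by `secondary_uses` is a place where the password stored for the account has to be verified against the one configured in IIS.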
Method 5: Create a new user account
Create a new user account. Then, configure IIS to use the new user account for anonymous access.
Note: You must grant the new user account the required NTFS permissions and user rights.