Windows Authentication - I'm at a loss here...

Giganews Newsgroups
Subject: Windows Authentication - I'm at a loss here...
Posted by:  Matt Schultz (reply.…@group.please)
Date: Tue, 7 Nov 2006

I'm trying to set up a folder on my web server to be accessible only to
certain users.  This is a Windows 2003 server running IIS 6.  (Note - All PC
and account names are changed)

The site is set to allow anonymous access through the local IUSR account.
For the folder I want protected, I've removed the "Enable anonymous access"
check box in IIS.  The only other authentication method checked is
"Integrated Windows authentication" -- which I believe is the only thing I
want.

Then on the actual folder's NTFS permissions, I've removed the IUSR account
and added my domain user account (we'll call it MYLAN\mschultz) with the
typical read rights.

When I try to browse to the protected folder, I get the authentication
challenge dialog as expected.  I enter MYLAN\mschultz for the user name and
my domain password, and the box pops right back up.  I get it three times,
then get error 401.3 - Unauthorized: Access is denied due to an ACL set on
the requested resource.

I've used the Auth Diagnostics tool from MS to check that permissions are
correct.  When I use the "check permissions" options, enter the path to the
folder plus my domain account, it comes back successfully.

I've seen some references to problems if the DNS name used to access the
server doesn't match the NETBIOS name, and that is the case with this
server.  The server name is MYOFFICE_WEB, but we access it through
intranet.mydomain.com.  I've tried every combination I can think of:
myoffice_web.mydomain.com (which resolves correctly), myoffice_web, the IP
address of the box, myoffice_web.midwest.mydomain.com (the FQDN in AD).
Nothing seems to make any difference.

I'd seen reference to the user needing either the "Allow log on locally"
right or the "Access this computer from the network" right.  Both of those
rights are assigned to the computer's Users group, which contains the
MYLAN\Domain Users group.  So, my domain account should be inheriting those
rights.

The IIS log doesn't reveal anything too interesting.  Here's a sample line:
2006-11-07 15:29:27 (server IP removed) GET / - 6963 MYLAN\mschultz (client IP removed) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 401 3 5

I'm at a total loss here... there has to be something simple that I'm
missing.  Any help you can provide would be GREATLY appreciated!  If I can
help clarify the configuration at all, let me know what you need to know.

Thanks,
Matt Schultz
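
Added example, not part of the original post: a small triage of IIS W3C log lines shaped like the sample above, separating 401s that fail at logon from 401s that fail at the ACL check. The #Fields order (assumed to be the IIS 6 default), the IP addresses and the log entries are constructed, and reading a populated cs-username with 401.3 as "identity established, then denied by the ACL" is this example's interpretation.

```python
# Added example: constructed data, not the poster's real log.
SUBSTATUS_401 = {  # meaning of sc-substatus when sc-status is 401
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "denied by ACL on the requested resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}
WIN32_STATUS = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE"}

# Constructed sample; 192.0.2.10 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-11-07 15:29:26 192.0.2.10 GET / - 6963 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 401 1 1326
2006-11-07 15:29:27 192.0.2.10 GET / - 6963 MYLAN\mschultz 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 401 3 5
2006-11-07 15:29:30 192.0.2.10 GET /public/ - 6963 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def triage_401(entry):
    """Return (stage, detail) for a 401 entry, or None for any other status."""
    if entry.get("sc-status") != "401":
        return None
    sub = int(entry.get("sc-substatus", 0))
    win32 = int(entry.get("sc-win32-status", 0))
    user = entry.get("cs-username", "-")
    if sub == 3 and user != "-":
        stage = "authorization"   # user name was logged, then the ACL check failed
    elif sub in (1, 2):
        stage = "authentication"  # credentials or auth configuration rejected
    else:
        stage = "other"
    detail = "401.%d %s; win32=%s; user=%s" % (
        sub, SUBSTATUS_401.get(sub, "unknown"), WIN32_STATUS.get(win32, win32), user)
    return stage, detail

def triage_log(text):
    return [r for r in map(triage_401, parse_w3c(text)) if r]

if __name__ == "__main__":
    for stage, detail in triage_log(SAMPLE_LOG):
        print(stage, "-", detail)
```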

Replies