ASP and IIS6

[IIS 6 Admin]

Well, let's see.

I have a complex ASP application running smoothly on W2k
and even on XP Pro, with a data model on SQL2k.

I have a brand new box, with server2k3, and IIS6.

I've made the same configuration as in IIS5 in this new
IIS6 and I received a complete set of error messages just
in 1st ASP page!!!

From access denied, to internal server error.

If I make it a new WebSite, I have the access denied, so I
think it has to be with the new security concept on
IIS6... If I make it a virtual dir of the default web
site, I get the internal server error, and this I think
has to be with the ASP execution permission.

So, can anyone give me a brief howto to make this running?
Any additional conf is needed beside the common one an old
IIS5 need to run an ASP app?

Thx in advance!

 

[Jeff Cochran]

Well, let's see.

I have a complex ASP application running smoothly on W2k
and even on XP Pro, with a data model on SQL2k.

I have a brand new box, with server2k3, and IIS6.

I've made the same configuration as in IIS5 in this new
IIS6 and I received a complete set of error messages just
in 1st ASP page!!!

From access denied, to internal server error.

If I make it a new WebSite, I have the access denied, so I
think it has to be with the new security concept on
IIS6... If I make it a virtual dir of the default web
site, I get the internal server error, and this I think
has to be with the ASP execution permission.

So, can anyone give me a brief howto to make this running?
Any additional conf is needed beside the common one an old
IIS5 need to run an ASP app?

See:

How To: Enable ASP on IIS6:
http://www.visualwin.com/ASP/
http://support.microsoft.com/default.aspx?scid=kb;en-us;315122

Jeff

 

[Guest]

Hi Jeff

Thx, but I've already done it. The symptoms I described
here is with the ASP exts enabled.

I think it has to do with the application pool thing or
something. Im looking in that way. Of course any help is
still needed.

Regards.

 

[Rob Meade]

[snip]

Any of them pages use parent directories? ie, something like

<!--#Include File="../includes/mypage.asp"-->

You'll need to also enable parent directories if thats the case.

Can you not add a few response.writes into the .asp page and determine at
which stage the page is failing?

For example - a page sending an email may fail if using CDONTS instead of
CDO...

Regards

Rob

 

[Jeff Cochran]

Hi Jeff

Thx, but I've already done it. The symptoms I described
here is with the ASP exts enabled.

I think it has to do with the application pool thing or
something. Im looking in that way. Of course any help is
still needed.

Exact errors and what you did to generate them might help, code
snippets responsible for example. Response.Write the various stages
if you need to identify exactly where it's failing. Use filemon from
Sysinternals to find file permission errors.

Jeff

 

[Guest]

I was working to determine why this is happening.

I went back several steps in the config. Im now at this
stage:

I made a new website. IP 192.168.1.2, header
www.testsite.com (this box is behind an ADSL router with
fixed public IP).

I have a desktop conected to another ADSL line, from
another ISP. So, if I ping this box from my desktop, I go
throught internet. I made in this desktop a line into the
HOSTS files like "aaa.bbb.ccc.ddd www.testsite.com" for
my desktop to resolve that fake domain. If I use the
IExplorer, I get an error "PAGE CANT BE DISPLAYED". If
I "telnet www.testsite.com 80" and ask a "GET /index.htm
HTTP/1.0" it tells me that I am "not authorized so see the
site".

I made the website public, it has the "IUSR_BOX" user as
anonymous web access, and I gave this user access to the
website directory.

Well, all this new "lock down" concept of the Server2003
could be more secure, but it is certainly a "monkey in the
ranch"! ;-)

Was there so many IIS5.0 compromised in the past? I've ran
even WinNT's Option Pack boxes and hadn't any security
problem... anyway.

Thx in regards, oh btw I'm Mike!

 

[Armando]

Hi Mike,

I had a similar problem with IIS 5 and there were two reasons it could have
happened. First, the default document for the site was not set properly (ie;
default.asp). The second is that the IUSR account password (which is by
default controlled by IIS) is not synchronized with the password of the
actual system user.

Now don't ask me how because I'm not quite sure how it works like this, but
apparently the server keeps the password in 2 locations, one for the system,
one for IIS and if they get out of synchronization then you'll get failures
connecting. Check this MS knowledge base article and see if anything there
can help:

http://support.microsoft.com/default.aspx?scid=kb;en-us;332167&Product=iis60

Cheers.

Armando

I was working to determine why this is happening.

I went back several steps in the config. Im now at this
stage:

I made a new website. IP 192.168.1.2, header
www.testsite.com (this box is behind an ADSL router with
fixed public IP).

I have a desktop conected to another ADSL line, from
another ISP. So, if I ping this box from my desktop, I go
throught internet. I made in this desktop a line into the
HOSTS files like "aaa.bbb.ccc.ddd www.testsite.com" for
my desktop to resolve that fake domain. If I use the
IExplorer, I get an error "PAGE CANT BE DISPLAYED". If
I "telnet www.testsite.com 80" and ask a "GET /index.htm
HTTP/1.0" it tells me that I am "not authorized so see the
site".

I made the website public, it has the "IUSR_BOX" user as
anonymous web access, and I gave this user access to the
website directory.

Well, all this new "lock down" concept of the Server2003
could be more secure, but it is certainly a "monkey in the
ranch"! ;-)

Was there so many IIS5.0 compromised in the past? I've ran
even WinNT's Option Pack boxes and hadn't any security
problem... anyway.

Thx in regards, oh btw I'm Mike!

-----Original Message-----
[snip]

Any of them pages use parent directories? ie, something like

<!--#Include File="../includes/mypage.asp"-->

You'll need to also enable parent directories if thats the case.

Can you not add a few response.writes into the .asp page and determine at
which stage the page is failing?

For example - a page sending an email may fail if using CDONTS instead of
CDO...

Regards

Rob


.

 

[Mike]

Thx Armando for ur answer.

I was reading the article. I can't still believe what I
saw, if what I saw is what I understood it is.

Would that be the WAY to ALLOW the IIS6.0 to show WebSites
with ANONYMOUS access???

This article is not telling how to resolve a "bug" where
the metabase lost sync of the IUSR pwd. It is telling how
to allow IIS to control the anonymous pwd so it hasn't to
be given when impersonated internet users want to access
a site with anonymous access.

I'm not at the office atm, so I couldn't try it on, but I
will as soon as I get there monday.

Thx again.

Mike.

-----Original Message-----
Hi Mike,

I had a similar problem with IIS 5 and there were two reasons it could have
happened. First, the default document for the site was not set properly (ie;
default.asp). The second is that the IUSR account password (which is by
default controlled by IIS) is not synchronized with the password of the
actual system user.

Now don't ask me how because I'm not quite sure how it works like this, but
apparently the server keeps the password in 2 locations, one for the system,
one for IIS and if they get out of synchronization then you'll get failures
connecting. Check this MS knowledge base article and see if anything there
can help:

http://support.microsoft.com/default.aspx?scid=kb;en- us;332167&Product=iis60

Cheers.

Armando

I was working to determine why this is happening.

I went back several steps in the config. Im now at this
stage:

I made a new website. IP 192.168.1.2, header
www.testsite.com (this box is behind an ADSL router with
fixed public IP).

I have a desktop conected to another ADSL line, from
another ISP. So, if I ping this box from my desktop, I go
throught internet. I made in this desktop a line into the
HOSTS files like "aaa.bbb.ccc.ddd www.testsite.com" for
my desktop to resolve that fake domain. If I use the
IExplorer, I get an error "PAGE CANT BE DISPLAYED". If
I "telnet www.testsite.com 80" and ask a "GET /index.htm
HTTP/1.0" it tells me that I am "not authorized so see the
site".

I made the website public, it has the "IUSR_BOX" user as
anonymous web access, and I gave this user access to the
website directory.

Well, all this new "lock down" concept of the Server2003
could be more secure, but it is certainly a "monkey in the
ranch"! ;-)

Was there so many IIS5.0 compromised in the past? I've ran
even WinNT's Option Pack boxes and hadn't any security
problem... anyway.

Thx in regards, oh btw I'm Mike!

-----Original Message-----
[snip]

Any of them pages use parent directories? ie, something like

<!--#Include File="../includes/mypage.asp"-->

You'll need to also enable parent directories if thats the case.

Can you not add a few response.writes into the .asp

page
and determine at

which stage the page is failing?

For example - a page sending an email may fail if using CDONTS instead of
CDO...

Regards

Rob


.

.

 

[Armando]

Hi Mike,

Sorry I didn't post more information to clarify. This article discusses the
method in which IIS performs the password checking between IIS and WINNT:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;216828

This article discusses logon privilieges required for anonymous access:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;218756

Failing these things being OK, you could always just change the IUSR_BOX
user password manually then turn off the Allow IIS To Control Password
option. I'm sure there was a method to resynch the two but I'll have to
check into it later as I have to run. Cheers.

Armando

Thx Armando for ur answer.

I was reading the article. I can't still believe what I
saw, if what I saw is what I understood it is.

Would that be the WAY to ALLOW the IIS6.0 to show WebSites
with ANONYMOUS access???

This article is not telling how to resolve a "bug" where
the metabase lost sync of the IUSR pwd. It is telling how
to allow IIS to control the anonymous pwd so it hasn't to
be given when impersonated internet users want to access
a site with anonymous access.

I'm not at the office atm, so I couldn't try it on, but I
will as soon as I get there monday.

Thx again.

Mike.

-----Original Message-----
Hi Mike,

I had a similar problem with IIS 5 and there were two reasons it could have
happened. First, the default document for the site was not set properly (ie;
default.asp). The second is that the IUSR account password (which is by
default controlled by IIS) is not synchronized with the password of the
actual system user.

Now don't ask me how because I'm not quite sure how it works like this, but
apparently the server keeps the password in 2 locations, one for the system,
one for IIS and if they get out of synchronization then you'll get failures
connecting. Check this MS knowledge base article and see if anything there
can help:

http://support.microsoft.com/default.aspx?scid=kb;en- us;332167&Product=iis60

Cheers.

Armando

I was working to determine why this is happening.

I went back several steps in the config. Im now at this
stage:

I made a new website. IP 192.168.1.2, header
www.testsite.com (this box is behind an ADSL router with
fixed public IP).

I have a desktop conected to another ADSL line, from
another ISP. So, if I ping this box from my desktop, I go
throught internet. I made in this desktop a line into the
HOSTS files like "aaa.bbb.ccc.ddd www.testsite.com" for
my desktop to resolve that fake domain. If I use the
IExplorer, I get an error "PAGE CANT BE DISPLAYED". If
I "telnet www.testsite.com 80" and ask a "GET /index.htm
HTTP/1.0" it tells me that I am "not authorized so see the
site".

I made the website public, it has the "IUSR_BOX" user as
anonymous web access, and I gave this user access to the
website directory.

Well, all this new "lock down" concept of the Server2003
could be more secure, but it is certainly a "monkey in the
ranch"! ;-)

Was there so many IIS5.0 compromised in the past? I've ran
even WinNT's Option Pack boxes and hadn't any security
problem... anyway.

Thx in regards, oh btw I'm Mike!

-----Original Message-----
[snip]

Any of them pages use parent directories? ie, something
like

<!--#Include File="../includes/mypage.asp"-->

You'll need to also enable parent directories if thats
the case.

Can you not add a few response.writes into the .asp page
and determine at
which stage the page is failing?

For example - a page sending an email may fail if using
CDONTS instead of
CDO...

Regards

Rob


.

.