IIS Intermittent access forbidden

Discussion in 'ASP .Net' started by =?Utf-8?B?dHJpbml0eXBldGU=?=, May 12, 2004.

  1. Hi all

    I have a strange problem with IIS windows pass through authentication. Heres the setup

    IIS running with Windows Authentication for our intranet site. ACL has been set to everyone for all web directories. This is all on a windows 2003 server. We add the intranet site to the intranet zone so the windows credentials will automatically get passed to IIS

    90% of the time it works fine, but Intermittently we get access forbidden - usually having a WINXP PRO client. Remove the intranet web site from zone, reboot client, add intranet back to intranet zone and pass through credentials works fine. Anyone else come across this behaviour

    Pete.
    =?Utf-8?B?dHJpbml0eXBldGU=?=, May 12, 2004
    #1
    1. Advertising

  2. Hi Pete,

    When the "unable to auto perform windows integrated authenticaiton"
    behavior occurs on the XP client again, please test local access to
    the site from your IIS6 server with the same sitename(is it
    machinename or FQDN or a registered DNS name?) and localhost. If
    either of them doesn't prompt for username/password, the integrated
    authentication should work OK and the issue is most likely on why
    XP's IE no longer sends credential to finish auth with IIS
    automantically.

    Then please open the XP box's registry and check the zone setting
    under following key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings\ZoneMap\Domains
    See if the site is at there and its http attribute is still set to 1
    (Local Intranet Zone). I noticed we can use a domain group policy to
    overwrite local IE's security zone setting but not sure if it applies
    to your situation. Here is the detailed reference on IE zone registry:

    Description of Internet Explorer security zones registry entries
    http://support.microsoft.com/?id=182569

    The following article lists some general reasons of IE prompts with
    integrated auth:
    Internet Explorer May Prompt You for a Password
    http://support.microsoft.com/?id=258063

    Looking forward to your findings.
    Best regards,

    WenJun Zhang
    Microsoft Online Support
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    Get Secure! - www.microsoft.com/security
    WenJun Zhang[msft], May 13, 2004
    #2
    1. Advertising

  3. WenJun

    Thanks for your reply. The server hosting the intranet has the following IIS setup

    This might be a little odd, but its due to the .Net installer routines only installing to the default site.....

    Default Site - Stopped - has a virtual directory (physical in Inetpub) that hosts our intranet
    Intranet Web Site - Running - has virtual directory that points to same physical (physical in Inetpub) as abov

    To access the intranet we have an internal DNS for www.intranet.info, this points the IIS servers IP Address and the intranet web site (above) has a host header of www.intranet.inf

    When the forbidden problem is apparent, it does seem to be passing some form of credentials automatically to IIS, ie. It doesn't prompt for login information. But my guess is that the problem is client side and not IIS related as when the problem is apparent it seems to only effect one or two users, but everyone else is OK. Restart the clients that have the problem etc. and authentication works fine - this is the basis for me believing this is a client issue and not IIS

    The next time the problem is apparent, I will check the registry setting etc. as per your reply, but I would appreciate it if you could clarify the following from your reply

    Let me see if I understand your last mail. If we get the 'forbidden' problem, you want me to access the intranet site directly from the hosting machine that is running IIS via Internet Explorer or browse directly from IIS (right click browse) or am I missing the point completely

    Thanks in advance, Pete
    =?Utf-8?B?dHJpbml0eXBldGU=?=, May 13, 2004
    #3
  4. "Let me see if I understand your last mail. If we get the 'forbidden'
    problem, you want me to access the intranet site directly from the
    hosting machine that is running IIS via Internet Explorer or browse
    directly from IIS (right click browse) or am I missing the point
    completely?"

    [WenJun]
    Yes, this is in order to verify if IIS Integrated auth doesn't work
    at that time. According to your new statement - "everyone else is OK.
    ", I believe this is no longer necessary.

    A important point in your new thread is you are using host header
    like: www.intranet.info. Integrated auth acutally includes two logon
    methods - Kerberos and NTLM. When authorization section in request
    header is Negotiate (by default), IE and IIS may either choose NTLM
    or Kerberos in the end and the one can be affected by host header is
    Kerberos. The following KB article contains some related information
    of this topic:

    Authentication may fail with "401.3" Error if Web site's "Host
    Header" differs from server's NetBIOS name
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;294382

    I wonder what the detailed error message is in the XP user's browser?
    Is it just a 401.x error or 403.x forbidden? it can be helpful if
    you can paste the error for me to take a look. If the error is just
    401.x, per the KB states, you can set the NTAuthenticationProviders
    metabase attribute to enforce IIS using NTLM. Please note using
    iisreset command to restart IIS is necessary after this change.

    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

    Let me know if the problem persists.
    Best regards,

    WenJun Zhang
    Microsoft Online Support
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    Get Secure! - www.microsoft.com/security
    WenJun Zhang[msft], May 14, 2004
    #4
  5. Hi Pete,

    Just want to know if you have got any progress on this issue?

    Best regards,

    WenJun Zhang
    Microsoft Online Support
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    Get Secure! - www.microsoft.com/security
    WenJun Zhang[msft], May 18, 2004
    #5
  6. You are welcome. : )

    Best regards,

    WenJun Zhang
    Microsoft Online Support
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    Get Secure! - www.microsoft.com/security
    WenJun Zhang[msft], May 19, 2004
    #6
  7. Hi WenJun

    Well finally I got the access forbidden error on my XP machine (only XP clients seem to have this intermittent issue)
    Shows how intermittent the problem is

    First of all the error is a 403 and here is the error message
    Forbidde
    You don't have permission to access / on this server
    -------------------------------------------------------------------------------
    Apache/2.0.47 (Unix) Server at www.intranet.info Port 8

    I did as you asked and tried to browse to the default page from the hosting machine with my credentials and all seemed OK.
    On my client that is experiencing the problem, if I then remove www.intranet.info from trusted intranet sites, close the browser, reopen another instance of IE, navigate to the site and I get the 403 without asking for credentials. Reboot the client and access to the site is OK

    Any ideas

    Pete
    =?Utf-8?B?dHJpbml0eXBldGU=?=, May 26, 2004
    #7
  8. Carcked it. Although not quite sure why? It just dawned on me that the access forbidden is comming back from a Unix Apache server not IIS

    For some reason our internal DNS lookup for www.intranet.info times out and then hits the internet to resolve the address. Then it hits a valid site address with unix servers. Ping showed the external IP addresses. Why the internal DNS lookkup should time out intermittently I dont know, I need to investigate more. Come to think of it why would rebooting the client resolve the issue sometimes. Very odd

    Thanks for your involvement. Off to do some digging
    Pete.
    =?Utf-8?B?dHJpbml0eXBldGU=?=, May 26, 2004
    #8
  9. Forbidden
    You don't have permission to access / on this server.
    ----------------------------------------------------------------------
    ----------
    Apache/2.0.47 (Unix) Server at www.intranet.info Port 80

    Unbelievable the error is from an Apache server and the root cause is
    on DNS resolution..
    glad to see 'www.intranet.info' is also an Internet site.. :)

    You are always welcome.

    Best regards,

    WenJun Zhang
    Microsoft Online Support
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    Get Secure! - www.microsoft.com/security
    WenJun Zhang[msft], May 27, 2004
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jerry

    403 Access Forbidden, ASP IIS

    Jerry, Feb 19, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    4,814
    Steven Cheng[MSFT]
    Feb 24, 2004
  2. David Hunt
    Replies:
    4
    Views:
    11,304
    gullsinn
    Oct 4, 2009
  3. Brano
    Replies:
    0
    Views:
    755
    Brano
    Jan 6, 2006
  4. jthg
    Replies:
    0
    Views:
    430
  5. Mark J. McGinty

    IIS HTTP 403.1 Forbidden: Execute Access Forbidden

    Mark J. McGinty, Dec 9, 2005, in forum: ASP General
    Replies:
    2
    Views:
    354
    Kyle Peterson
    Dec 9, 2005
Loading...

Share This Page