I'm a newbie at securing IIS 6.0 and I need some assistance securing a folder on my web server.
I have our default website that is accessible by anyone (IUSER). I've created a folder outside our default website that will house a website that is accessible only to a group of users from my domain. I've made this folder a virtual directory so that these
users can access is via our website. What I would like to do is password protect this site to only the users of this group. This webserver is on our domain and the group of users are members of domain users.
I've tried many ways but am not able to figure it out. What I've tried so far is:
1. Gave the group read, write, and execute. Then disables "Enable Anonymous Access", enabled Basic Authentication, selected the default domain and realm check boxes and selected our domain. We will use SSL to encrypt the data.
2. Same as scenario 1 but tried this on a folder within the default website.
A domain admin can log into the site using "domainname\username" but this group cannot access. We are getting "401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource." error for both scenarios.".
I've tried giving this group local admin privileges (just to see if that was the issue or not) and that wasn't it. I've also gave full access to the folder for the group and that wasn't it.
The users of the AD group that I've given specific access to are getting the error message. I'm not sure where the log request is but I'll start hunting for it. I've downloadrd Procmon and will see if I can understand what it says. What specifically am I
looking for using Procmon, (the Detail section and Result)?
Log files are store at %windir%/system32/logfiles/w3svcX - X is the site id.
you would look at the entry of 401.3 to see what user is trying to read and got rejected.
For procmon, you run it, simulate the error in browser, go back to procmon, filter the view to the worker process id or so, then look for access denied, etc error msgs.
8 Posts
Password protect site for a specific AD group
Mar 03, 2008 10:40 AM|thatsgame1|LINK
Hello,
I'm a newbie at securing IIS 6.0 and I need some assistance securing a folder on my web server.
I have our default website that is accessible by anyone (IUSER). I've created a folder outside our default website that will house a website that is accessible only to a group of users from my domain. I've made this folder a virtual directory so that these users can access is via our website. What I would like to do is password protect this site to only the users of this group. This webserver is on our domain and the group of users are members of domain users.
I've tried many ways but am not able to figure it out. What I've tried so far is:
1. Gave the group read, write, and execute. Then disables "Enable Anonymous Access", enabled Basic Authentication, selected the default domain and realm check boxes and selected our domain. We will use SSL to encrypt the data.
2. Same as scenario 1 but tried this on a folder within the default website.
A domain admin can log into the site using "domainname\username" but this group cannot access. We are getting "401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource." error for both scenarios.".
I've tried giving this group local admin privileges (just to see if that was the issue or not) and that wasn't it. I've also gave full access to the folder for the group and that wasn't it.
Thank you for any help you can provide
9754 Posts
MVP
Re: Password protect site for a specific AD group
Mar 03, 2008 03:53 PM|tomkmvp|LINK
Have you given the group NTFS permissions to the file folder?
http://mvp.support.microsoft.com/
8 Posts
Re: Password protect site for a specific AD group
Mar 03, 2008 04:01 PM|thatsgame1|LINK
Yes, sorry to mention that. The permissions I specified above are NTFS permissions.
7019 Posts
MVP
Re: Password protect site for a specific AD group
Mar 04, 2008 11:08 PM|qbernard|LINK
Look at the log request.. which user is experincing the 401.3 also get Procmon to helps you trace the access issue.
Bernard Cheah
8 Posts
Re: Password protect site for a specific AD group
Mar 05, 2008 08:03 AM|thatsgame1|LINK
Hello.
The users of the AD group that I've given specific access to are getting the error message. I'm not sure where the log request is but I'll start hunting for it. I've downloadrd Procmon and will see if I can understand what it says. What specifically am I looking for using Procmon, (the Detail section and Result)?
Thank you
7019 Posts
MVP
Re: Password protect site for a specific AD group
Mar 06, 2008 02:36 AM|qbernard|LINK
Log files are store at %windir%/system32/logfiles/w3svcX - X is the site id.
you would look at the entry of 401.3 to see what user is trying to read and got rejected.
For procmon, you run it, simulate the error in browser, go back to procmon, filter the view to the worker process id or so, then look for access denied, etc error msgs.
Bernard Cheah