Friday, June 27, 2008

Further into IIS issues

Recently we faced an issue with the web applications hosted on IIS, and it was an interesting one to solve.
The web applications were working perfectly fine, but only in the LAN environment. When users logged in over VPN they didn't work, and "Access denied" messages were displayed. All the settings on IIS were perfectly fine: Anonymous user login, security settings for folders, etc. After a brief analysis, the reason for the issue was found.
This issue occurs when the IUSR password in IIS and the IUSR password at the system level are out of sync.

To fix this, we can either change the password so that it is the same at the system level and in the IIS settings, or simply restart the IIS Admin service, which will recreate the IUSR account.

To synchronise the system-level password and the password in the IIS settings, follow the steps given below:

The password can be changed in the IIS settings by changing the entries with adsutil.vbs.

To check where the password entries are set, use the following command:
cscript adsutil.vbs find anonymoususerpass
This will return a listing of all the nodes where anonymoususerpass appears in the metabase. Ideally you should see it only in the W3SVC node (it may also appear in the MSFTPSVC node if you are running FTP). If you see any locations “under” W3SVC (e.g. W3SVC/1/root), then those entries should be deleted.

To delete an entry use the following syntax:
cscript adsutil.vbs delete W3SVC/1/root/anonymoususerpass

Once we have made sure that the password is set at only a single location, we need to “sync” it with the one in the SAM database. The easiest way to do this is to open Computer Management if you are on a member server, or Active Directory Users and Computers on a domain server, and change the password on the IUSR account. Then, back at our command prompt, we set the password in IIS to match the one we just set by using the following command:

cscript adsutil.vbs set W3SVC/anonymoususerpass "passwordgoeshere"

The passwords should now be in sync and the site should now be accessible.
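
The cleanup step above can be planned from the output of the find command before anything is deleted. The following is an added example, not part of the original post: it reads the node listing and prints the delete commands for entries below W3SVC, leaving the service-level entries alone. The sample listing is constructed and its exact layout is an assumption; the function names are hypothetical.

```python
import re

# Constructed sample of what `cscript adsutil.vbs find anonymoususerpass`
# might print. The exact layout is an assumption, so the parser only picks
# out tokens that look like a metabase path under a service root.
SAMPLE_FIND_OUTPUT = """\
Property anonymoususerpass found at:
  W3SVC
  W3SVC/1/root
  W3SVC/1/ROOT/Reports
  MSFTPSVC
"""

# A node is a single token starting with W3SVC or MSFTPSVC (any case).
NODE_RE = re.compile(r"^(W3SVC|MSFTPSVC)(/\S*)?$", re.IGNORECASE)


def parse_nodes(find_output):
    """Return the metabase paths listed in the find output, in order."""
    nodes = []
    for line in find_output.splitlines():
        token = line.strip().strip('"').replace("\\", "/").rstrip("/")
        if NODE_RE.match(token):
            nodes.append(token)
    return nodes


def plan_cleanup(find_output):
    """Split nodes into (untouched, delete_commands).

    Only entries *below* W3SVC are scheduled for deletion, as the post
    describes; W3SVC itself and any MSFTPSVC entries are left untouched.
    """
    untouched, delete_commands = [], []
    for node in parse_nodes(find_output):
        service, _, rest = node.partition("/")
        if service.upper() == "W3SVC" and rest:
            delete_commands.append(
                "cscript adsutil.vbs delete %s/anonymoususerpass" % node
            )
        else:
            untouched.append(node)
    return untouched, delete_commands


if __name__ == "__main__":
    untouched, delete_commands = plan_cleanup(SAMPLE_FIND_OUTPUT)
    print("Left in place:", ", ".join(untouched))
    for command in delete_commands:
        print(command)  # review, then run from the adsutil.vbs directory
```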