1

Well, sometimes things come along that give you humility. Gahh!

I had an old Windows 2000 server running in a closet on a DSL line. It was doing a small amount of web and mail and ftp for a couple of users. It was there for almost 10 years.

It started to blue screen and I determined it was probably too much trouble to try to fix it, it had been running so long and though I had set it up originally I was having a hard time remembering the darned thing.

So anyway, nothing fancy, it had a few websites with just static pages, a couple that had browsable directories and one user who dropped off FTP files. No big deal and it ran mostly unattended all that time.

So when it failed I had a small PC with server 2003 on it and running, not in use. I took the old server HDD out and put it in the newer one with server 2003.

I copied the inetpub directories over to the new server just as they were with no changes. I changed the name of the original inetpub from the windows server 2003 and they are still there but replaced.

I went through and set up the hosting same as before.
Name based hosting with host headers. Mailenable for mail and a third party FTP server.

I expected this to work like before. Heck no. Nothing worked.

Admittedly this was not a fresh clean install of the OS and it was someone's print server sometime in the past. That all has unknown permissions and other settings that despite my efforts I have not been able to reset.

Here's what I have:

For one thing there were some under construction pages that I put on there just so there would be something in front of the browsable subdirectories. They had a jpg and a gif image on them.

The jpg loaded fine when you browsed the site but the gif didn't, it was a placeholder, when you right clicked the placeholder and picked view image you got

You are not authorized to view this page

You do not have permission to view this directory or page using the credentials that you supplied.

Please try the following:

  • Contact the Web site administrator if you believe you should be able to view this directory or page.
  • Click the Refresh button to try again with different credentials.

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials. Internet Information Services (IIS)

So permissions problem, I think.

Before I worked on it I got something like "bad hostname". I finally figured all that out (as far as it went) and now I have a pure permissions error.

Anyway, the sites that are hosted on this box are not working, when I type the domain name I get a permissions error page. I have done the security reset utility from Microsoft and that didn't change anything.

I need this stuff to work with anonymous internet users. I created a user internet_guest and gave it guest and user membership. But I am not sure that is the user that is used by anonymous internet users. And that might be part of the problem.

I think the problem is the anonymous internet user is not correctly applied to all the hosting stuff.

For the life of me I have been unable to reset the permissions to allow the gif images to work, so I replaced them with jpg versions and they now work. But clearly this server has a problem serving up gifs and that's something I need to solve.

The other problem is I have a directory that I want browsable and that is not, though on the old server it was. Another directory on the same domain is browsable. And darned if I know what the difference is. The permissions look the same to me. Both have browsing checked in the box.

One of the forum posts I read that mentioned this mentioned Front Page Server Extensions as resetting those permissions and not allowing them to be reset, but as far as I can tell FPSE is not installed though the directory (which I copied from the disk in the old computer) has some directories labeled VTI, and I don't know what those are for. I buried them in another directory just to get rid of but my research indicates those might have been part of Front page server extensions which in remove/install windows components is not installed.

Any troubleshooting steps anyone can recommend?

Rex
  • 7,895
  • 3
  • 29
  • 45
Steve
  • 11
  • 3
  • "though I had set it up originally I was having a hard time remembering the darned thing." That's why we document these things. – John Gardeniers Jan 10 '13 at 02:32
  • This is hard to follow in such long narrative form. – Jeff Ferland Jan 10 '13 at 04:47
  • John, that's not important, I scrapped out the old server. Jeff, sorry for the complex post but this users and permissions stuff is ridiculously granular and was likely written by the same guy who wrote the stuff in MS Word that confounds users who cannot change formatting by selecting all and applying changes. They don't change, and mine didn't here. – Steve Jan 10 '13 at 05:16
  • I ran authdiag.exe on the server, and that didn't change anything. Well, it changed my rdc port back to default so I had to visit the server afterwards. I didn't notice where authdiag said it was working on rdc but maybe it told me. If it didn't that is a bug in authdiag.exe. – Steve Jan 10 '13 at 17:27
  • Well, I recreated one of the sites on the server. I renamed the old directory that had the static files in it, ssed iismgr and did it all from scratch. copied only files from the old directory to the new and started the site. Anon access is checked but there was the IUSR_machinename user in the box, blank pw. I browsed to the site and it popped up a username/pw box. I entered my admin name and the site loaded fine. I went back in the iismgr again and directory security and integrated window authentication is also checked as well as anon internet users, so I un checked it. – Steve Jan 10 '13 at 17:32
  • Went back and reloaded the site and it didn't load, "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials. Internet Information Services (IIS)". So the problem is I have no anonymous internet user access. That's the first problem to fix. – Steve Jan 10 '13 at 17:36

1 Answers1

1

There are two permissions to confirm. One is the anonymous user and the other is the app pool user.

You can determine your anonymous user in IIS Manager by going to the site | Directory Security | Edit. Reset that if you want, but make sure to update it in Computer Manager (the actual user) and for all of your websites.

The other user is the app pool user. In IIS Manager that's in the Application Pools section. Go to the properties of the app pool and select the Identity tab. That defaults to Network Service in IIS6. For a simple configuration you can leave it like that and make sure that Network Service has read access on disk. A more secure option is to create a custom user (add to the IIS_WPG group if you do) and set it in IIS and apply to disk.

Now that you know the two users, right-click on the site in IIS Manager and click "Permissions". Now make sure that both users are applied with at least read access. If you click Advanced and "Replace permission entries on all child objects with entries shown here that apply to child objects" then it will reset all files and folders on disk.

My guess is that your gif images were copied a different way and didn't inherit permissions from the folder.

Turning off windows auth is also a good idea if you're only intending to serve up anonymous traffic. Then domain permissions won't be a problem.

A great tool for finding permission issues is process monitor. Check out week 20 here for a quick video tutorial on how to do that.

Scott Forsyth
  • 16,449
  • 3
  • 37
  • 56