2

I am running SharePoint Server 2007 with SP1 on our test server. It's a single-server installation. It has a single SharePoint application running on port 80. It's using Windows authentication. It's using both Windows (with NTLM) and basic authentication for IIS auth settings. There is one site collection running on this application.

Ordinarily, we log in with our Windows domain accounts to interact with the system, but we have a couple local machine user accounts that we created in order to test some things and run little utility scripts. The problem is that now we can't log into this site with those local machine users unless we're running the browser on the server itself. On the server, I can log in with those users. From any other box, I am rejected with a 401.1 error. With domain-based accounts, I can successfully log in from any of these machines. I am certain that this used to work, but because other people have unfettered access to the server, I can't promise that no settings have changed since then.

What could be happening? Is this a SharePoint problem or an IIS problem? And how can I re-enable login access to these local machine users?

EDIT:

I don't see how this is necessarily related to the impersonation settings suggested by TheCleaner. Our production server uses the same type of local machine users, and there is no problem logging into that SharePoint site with those local machine users (same IIS configuration and same web.config as is used in the problematic test server). Also, the articles suggested by TheCleaner are intended for audiences who are trying to access other resources as a specific identity after that identity is already logged into SharePoint. I can't even get logged into SharePoint. Am I just confused?

Chris Farmer
  • 194
  • 5
  • 13

2 Answers2

1

I have seen very similar things happen when the ASP .NET impersonation settings are incorrect or have changed. The same scenario of "unless we run it on the server itself" points me to believe this may be the issue. Have you check the impersonation settings?

TheCleaner
  • 32,627
  • 26
  • 132
  • 191
  • Thanks for the response, but I am not sure exactly what you mean. The web.config for the IIS virtual root has . The timestamp on this file is 4 months ago, though, and I am sure it behaved differently at that time. What exactly should I be looking for with respect to the impersonation settings? – Chris Farmer Oct 02 '09 at 22:10
  • Look here: http://www.15seconds.com/Issue/040511.htm and here: http://platinumdogs.wordpress.com/2008/10/31/sharepoint-single-sign-on-impersonation-and-the-double-hop-problem/ and here: http://snahta.blogspot.com/2009/08/aspnet-impersonation.html – TheCleaner Oct 03 '09 at 15:03
  • I don't see how those are necessarily relevant. They seem to be trying to address either the double-hop problem or simple elevation of privileges to accomplish an action that the logged-in user would not otherwise be able to perform. In my case, on my test server, I can't even get to the point where those tools would be useful. Am I misunderstanding your suggestion? – Chris Farmer Oct 05 '09 at 16:06
  • I'm not certain that it does, I'm not a Sharepoint expert. However, we found that the Impersonation Settings "options" in the web.config file for Sharepoint had a lot to do with scenarios when you could login just fine through the server's browser, but not another system. – TheCleaner Oct 05 '09 at 16:19
  • For instance, we changed "impersonate" to actually use a specific userID and password in the web.config. When we did this, remote access worked, but then it broke things like search and Mysites. We had to change it back to the defaults and recode the webapp we were working on. See here: http://msdn.microsoft.com/en-us/library/aa292118%28VS.71%29.aspx That explains "In this instance, ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account (IUSR_machinename)." A local account might not be an "authenticated user". – TheCleaner Oct 05 '09 at 16:24
0

It's interesting - what it looks like is that you're not logging in via Basic from remote machines, but rather NTLM that's failing (since the accounts are local only to the server, not to the client). What's the Win32 code for the 401.1 error? What does Fiddler say the authentication is?

Can you log in via NTLM on the servers (Automatic NTLM login is typically disabled due to ESC - Enhanced Server Configuration)?

What exactly where the "scripts" that you ran and what did they do?

Finally, what internet zone does the site appear on the server and the clients that are failing?

Christopher_G_Lewis
  • 3,685
  • 22
  • 27