Windows Server Forum / IIS / IIS Security / July 2008


401.3 when logging in as user on the same system

Chris - 27 Jun 2008 15:43 GMT
Hi all.

I have a website. I have directory security (Directory Security from the
website properties tab) for the whole site turned off for the IUSR account,
so you need a windows login for access to this site.

Now, the user for the site that has modify permissions has full access and
no issues. When you keep pressing OK / or cancel at the login for the website
without putting a username in or you put a random one in you get the correct
401.3 page that is setup for the website, and each page thereafter.

Now, if I use a username that is on the same system to try and login, the
401.3 is NOT the page that I've setup in the custom errors. Instead I get:

Server Error in '/' Application.
--------------------------------------------------------------------------------

Access is denied.
Description: An error occurred while accessing the resources required to
serve this request. You might not have permission to view the requested
resources.

Error message 401.3: You do not have permission to view this directory or
page using the credentials you supplied (access denied due to Access Control
Lists). Ask the Web server's administrator to give you access.

...which is the default IIS / .NET error page.

Why do I see this instead of the correct custom error I set up in the site
properties and also the actual page properties?

Thanks

chris
Bernard Cheah [MVP] - 30 Jun 2008 08:52 GMT
401.3 is permission related. Check the log file and see what user is
accessing the resource.

.NET error messages and IIS custom error messages are different.
IIS -
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/80cb8d8d-8fd8-4af5-bb3b-4d11fff3ab9c.mspx?mfr=true

.NET - http://support.microsoft.com/kb/910434

Regards,
Bernard Cheah
http://www.iis.net/
http://msmvps.com/blogs/bernard/

Chris - 30 Jun 2008 12:11 GMT
Thanks for the reply.

The log is showing a user that is on the same server I tested with. This
user should not have access, and it does get denied, but it's showing the
wrong custom error page.

What I think it is: the user account doesn't have access to the 404
page we designed, via permissions. It has the IUSR_servername, but as we're
trying to log in with an account that exists on the server already, the
permissions aren't the same as if the IUSR_servername is being used. Can you
shed any light on this?

Thanks

Chris

Bernard Cheah [MVP] - 01 Jul 2008 08:10 GMT
Can you post the IIS log for those error requests?
If you have custom error pages, make sure you configure the correct model
(IIS or .NET),
then ensure the user has at least READ access to those pages.

Regards,
Bernard Cheah
http://www.iis.net/
http://msmvps.com/blogs/bernard/

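Bernard's advice is to read the IIS log and see which user the failing requests were authenticated as. The following is an added example, not code from the thread: it parses the IIS 6 W3C extended log format (field names come from the `#Fields:` directive) and tallies 401 responses per `cs-username` and substatus, so anonymous 401.1/401.2 logon failures are separated from 401.3 ACL denials for a real account. The log lines are constructed for illustration.

```python
"""Summarise 401.x responses per user from an IIS W3C extended log."""
from collections import Counter

# IIS 6 substatus meanings for HTTP 401 (from the IIS documentation).
SUBSTATUS_401 = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
}

# Constructed sample log; "-" in cs-username means an anonymous request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-06-27 15:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-06-27 15:00:01 10.0.0.5 GET /default.aspx - 80 - 10.0.0.20 Mozilla/4.0 401 2 0
2008-06-27 15:00:04 10.0.0.5 GET /default.aspx - 80 - 10.0.0.20 Mozilla/4.0 401 1 0
2008-06-27 15:00:09 10.0.0.5 GET /default.aspx - 80 SERVER1\\bob 10.0.0.20 Mozilla/4.0 401 3 0
2008-06-27 15:00:12 10.0.0.5 GET /default.aspx - 80 SERVER1\\alice 10.0.0.20 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # directive can change mid-file
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def summarise_401(text):
    """Return {(username, '401.<sub>', meaning): count} for 401 responses."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["sc-status"] != "401":
            continue
        sub = rec["sc-substatus"]
        key = (rec["cs-username"], f"401.{sub}", SUBSTATUS_401.get(sub, "unknown"))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, code, meaning), n in sorted(summarise_401(SAMPLE_LOG).items()):
        print(f"{user:16} {code:6} {n:3}  {meaning}")
```

A 401.3 row for a named account (here SERVER1\bob) shows that IIS authenticated the user and only then denied the resource, which is the case where the application's error handling, rather than the IIS custom error, takes effect.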
Chris - 08 Jul 2008 15:10 GMT
Thanks Bernard,

The user that has access to the site has modify access to the whole
directory along with the IIS_WPG. What we need to do is find out why we're
getting different error pages when a user (that doesn't have permission to
the site) tries to access the site 3 times.

Does that make sense?

Thanks

Chris

David Wang - 19 Jul 2008 23:54 GMT
This is because the Custom Error you configure in IIS is not applied
nor accepted by all applications running on IIS. This hybrid approach
gives a great deal of power/control to the applications, but it can
also frustrate system administrators who want to have consistent
Custom Errors returned by all the applications running on the web
server.

This represents a constant struggle between the System Administrator
and the Application Developer with IIS stuck in the middle, and IIS
makes various tradeoffs favoring one side or the other. What is clear
is that you often cannot make both parties happy at the same time with
any configuration.

When you don't provide the correct username/password to even login,
IIS Custom Errors take effect, partly because the Application isn't
even invoked yet (IIS has to first authenticate correctly, THEN
execute Application using that logon identity). System Administrators
get their day at the expense of Application control. Now, some
Application Developers want to control those error cases as well and
handle it programmatically, and it is possible to configure IIS to do so.
Thus, Application Developers can also get their way at the expense of
System Administrator. The battle continues... and who gets the last
technical word? System Administrators, who may not allow such
configuration by the Developer.

When you provide a correct username/password to login, the Application
and its configuration takes over, so when the user fails to
subsequently access resources as the application, you get the
application-defined Custom Errors -- IIS knows nothing about access
issues at this point since it has transferred control to the
application. Thus, Application Developers get full control, and there
is no way for System Administrator to insert their desired Custom
Errors. Now, it is also possible for System Administrators to force
Application Developers to use a standardized Custom Error output
module, which the System Administrator can control with Custom Error
configuration, but there is no assurances that the developer follows
such rules unless there is friendship or external political pressure.

As you can see, this is really a cat-and-mouse game between the System
Administrator and Application Developer, and there is no definitive
"winner" by default.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Chris - 30 Jul 2008 10:17 GMT
Great response David.

The odd thing is, though, we get the correct application / developed error
page if a random username is tried. But if we use a username that's on the
server (yet doesn't have access to the site, yet we try to login anyway) we
get the IIS custom error. So, it does work, but if a system username is used it
doesn't. Does that make sense?

Thanks

Chris

David Wang - 30 Jul 2008 12:37 GMT
There is nothing odd with the behavior. Only not-yet-understood
behavior and not-yet-understood server configuration.

Now, your claim of oddity is exactly OPPOSITE of what you originally
claimed. Which claim is true?

In either case, it's all explainable.

Suppose the opposite of your original claim is true --

If you use a random username and get an application error page, then
either a non-IIS authentication method is happening, or the browser is
auto-logging-in with another identity. The only other explanation is
if IIS ignores the random username/password and executed the
application code anyways, and that would be a major security flaw in
IIS of the magnitude that no one else in the world has reported...

If you use a system username and get an IIS error page, then IIS
successfully authenticated using that user, and the handler may be
integrated to read and show IIS custom errors (the integration is
possible with the HSE_REQ_SEND_CUSTOM_ERRORS ISAPI
ServerSupportFunction).

In short, the behavior that you really want is not possible.
Applications will never be able to control and customize all possible
HTTP Errors returned from IIS -- there is a well-known list of
non-customizable HTTP.SYS and IIS custom HTTP error codes. And if the
error happens in request execution prior to Application execution, the
error response is also non-customizable.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Chris - 30 Jul 2008 14:03 GMT
David,

You're right...my original query was correct. It was about a month ago when
we tried playing with the errors. Thanks for your help. Great info!!

Chris

©2008 Advenet LLC   Privacy Policy - Terms of Use