I'm running IIS 7.0 on a Windows 2008 R1 Server and want to setup IIS Manager Users. Due to some fact, every last try to access the site is rejected (HTTP Unauthorized).
The following additional IIS components are installed:
Security\Basic Authentification
Security\URL Authorisation
Management Tools\IIS Management Console
Management Tools\Management Service
Then I configured the Management Service to use Windows or IIS-Manager-User Credentials.
I also added some IIS-Manager-Users and activated them on my Website.
On the Authentification Settings Pane, I disabled anonymous access and enabled basic authentification.
As a result, when browsing the website, a password is now required. The thing is, I can access the page with Windows Credentials, but not with the IIS Manager User Credentials. In this case the result is always HTTP 401 - Unauthorized.
What am I missing?
IIS Manager Users are meant for administration of IIS (aka management of the sites/apps) and not for access the server at runtime (normal browsing of content).
Having said that, you can make that work if your scenario is to use the same users for potentially administration (like using WMSVC) and runtime and I wrote a blog about it on 2008 on how to set it up:
http://blogs.msdn.com/b/carlosag/archive/2008/09/26/using-iis-manager-users-in-your-application.aspx
Related
I am currently running:
Windows Server 2016
SQL Server 2016
IIS
Cognos Analytics 11.1.7
SSO
SSL
MS Active Directory
This is a single-server install, so the content manager, dispatcher, and gateway are all on one Windows machine. On the ibmcognos application in IIS, Windows Authentication is enabled and Anonymous Authentication is disabled. In Cognos Configuration, "Allow anonymous access?" is set to False.
I want to make my Cognos offering available on the Internet. So I'm thinking I need "Allow anonymous access?" set to True and Anonymous Authentication is enabled. But I'm sure it's more complicated than that.
Here's what I'm thinking:
Add a Windows Server with IIS to my environment.
Install Cognos gateway on the new server.
Configure IIS for Cognos and allow anonymous authentication.
Configure Cognos (gateway) to point to my existing system.
Change "Allow anonymous access?" (on my existing system) to True.
For testing, can this all live on one server?
Install Cognos gateway into a separate folder.
Add a web site to the IIS web server.
Configure the new web site to use the new gateway and anonymous authentication.
Is that it? Is it that simple?
I know I'll need to adjust folder permissions in Team Content as appropriate to accommodate Everyone and still provide security.
I know there are risks concerning potential workloads on the Cognos server when I allow the entire planet access to it.
This turned out to be simpler. No additional install is needed. All that is needed is to change "Allow anonymous access?" to True on my initial configuration and allow Anonymous Authentication in IIS. Then all users get access to the objects that Everyone can see. To get access to internal-only content, they must click on the Personal menu and select Sign in. Not tested, but anyone not already authenticated in the Active Directory domain should get challenged for credentials.
Here is the full error
Server Error in '/' Application.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
Please help!
This error can occur when the authentication method that is configured in the web.config file for the Microsoft Dynamics NAV Web client is not enabled in Internet Information Services (IIS). The Microsoft Dynamics NAV Web client can be configured to use either Windows authentication or forms authentication. By default, the Microsoft Dynamics NAV Web client uses Windows authentication.
When you use Windows authentication, the Windows authentication
feature must be turned on in IIS and enabled on the website for the
Microsoft Dynamics NAV Web client.
When you use forms authentication, both forms authentication and
anonymous authentication must be enabled on the website for Microsoft
Dynamics NAV Web client.
1.To turn on the Windows Authentication feature in IIS
Use Internet Information Services (IIS) Manager to turn on Windows
authentication on IIS. For more information, see How to: Install and
Configure Internet Information Services for Microsoft Dynamics NAV
Web Client
2.To enable an authentication method on the Microsoft Dynamics NAV Web client website
On the computer that is running Microsoft Dynamics NAV Web Server
components, to open Internet Information Services (IIS) Manager and
do one of the following:
a. In Windows 7, on the Start menu, in the Search Programs and Files box, type inetmgr,
and then press Enter.
b. In Windows Server 2008 R2, on the Start menu, choose All Programs, choose Administrative Tools, and then choose Internet Information Service (IIS) Manager.
In the Connections pane, under Sites, choose Microsoft Dynamics NAV 2018 Web Client.
Under IIS, double-click Authentication.
To enable an authentication method, in the Authentication pane, choose the authentication, and then choose Enable in the Actions pane.
Restart the web server.
3.To restart IIS
In the Connections pane of Internet Information Services (IIS)
Manager, choose the root node for your computer, and then in the
Actions pane, choose Restart.
For more information you can refer to this link: Troubleshooting: Server Error in '-' Application. Access Denied
I am having an same issue when trying to run SharePoint Foundation 2010, and I am using the NTLM Windows Authentication Provider. We are running IIS 7.5, and we have a dev SharePoint site set up on another server, using the exact same authentication, but for some reason, the site on our prod server throws the error "No credentials are available in the security package." This fails using all browsers, and it fails when I run the site from the server directly as well as from any client machine. We have Windows Server 2008 R2 Standard on both machines.
I've checked that all the security settings for the SharePoint app pool as well as the SharePoint Web Services pool matches our dev server's settings, and they all do.
Any ideas? Thanks.
It looks like Kerberos is failing on the server. I understand you are using NTLM but the message seems to be Kerberos. Could you please check Authentication provider on on the IIS? If Negotiate is at the top of the list move down and make ntlm as top provider
IIS - UnderAuthentication - > Providers
When windows Authentication is used , this error can come if Kerberos is not available or failing, upon checking Providers under Windows Authentication setting in IIS, i changed preference of Negotiate and moved it down , NTLM remained up and it fixed my issue
I have an application running on IIS 6.1 with .NET framework 2.
At IIS's Authentication, I had disabled Anonymous Authentication and enabled Windows Authentication (with NTLM on top). Because this application is for internal use only and the authentication will be based on user's NT account from AD.
When I tried to launch the application, everything is ok. But when I wanted to view other pages that are in the different folder with the default page, IIS keep asking the users to login. And when I tried to login with my NT account, it failed.
So I looked for the event log and found out the event ID is 5011, which is 'Web sites and Web applications depend on the availability of Internet Information Services (IIS) application pools. IIS application pools in turn depend on the Windows Process Activation Service (WAS). If WAS is not running or errors occur during the startup or shutdown of an application pool, Web sites and Web applications may not be available.'
I would like to let the user to browse the application without having the login window keep showing.
Please help.
Check that the user's domain accounts have file level permissions (Read only is sufficient) to the website files.
I've got a little server plugging along, with IIS and some other stuff. Is it possible to allow a second user access to the IIS Manager, with the ability to create and edit sites, but keep the two accounts' sites separate?
I'm not worried about security between the two accounts, just separating the two account's sites for neatness and so that one user doesn't accidentally change something tied to the other account. At the moment I have two users part of the administrators group, and if I open IIS Manager with either one they both show all the sites.
A similar question has already been asked: how to create hidden web site on IIS
Can you please expand the answer of that thread?
Update 1
Connecting to sites remotely would allow the other sites to appear hidden as you would only see the connecting site. See: How to use Internet Information Services (IIS) 7 Manager to connect remotely to your website.
Update 0
As for hiding sites and other features, check out: What is administration.config for IIS?
One little known feature of IIS7 is that it's UI is entirely extensible! This means that anyone can write a C# assembly and get it displayed through the IIS Manager UI. The possibilities here are endless, anything from someone writing a new certificate management system, a website provisioning system, etc.
I haven't found documentation stating that the actual sites can be hidden but it sounds like it should be possible.
An Overview of Feature Delegation in IIS 7.0 may also provide the ability to hide sites.
Other links:
How do I hide 'non-delegated' features in IIS 7?
Based on your description, Microsoft's documentation on Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) might prove helpful. For instance:
Allow an IIS Manager User Account to Connect to a Site or an Application (IIS 7)
Note: For IIS Manager users to connect to sites and applications for which you grant permission, you must configure the management service to accept connections from users who have IIS Manager credentials. For more information about how to configure the management service, see Configuring the Management Service in IIS 7.
Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) - Emphasis added.
Use the IIS Manager Permissions feature to allow users to connect to sites and applications in IIS Manager. Remove a user account when you no longer want the user to configure delegated features in a site or an application.
Permitted users can configure delegated features in any sites or applications for which you grant them permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.