Guidelines for Resolving IIS Permissions Problems

BizTalk Server 2006 makes extensive use of Microsoft Internet Information Services (IIS) for Web services support and for use with the HTTP, SOAP, and Windows SharePoint Services adapters.

It is helpful to understand how IIS implements application isolation before troubleshooting IIS permissions problems.

IIS provides functionality for creating IIS applications as distinct host processes that run in their own memory space. After you create an IIS application host, you must define two sets of permissions: the IIS application host process identity and the IIS application host user access rights. Examine both of these permission sets when troubleshooting IIS permissions problems.

Note
The process identity and user access rights are also referred to as the security context of the IIS application host process.

This topic describes how to set process identity and user access rights for an IIS application host process and gives some general guidelines for resolving IIS permissions problems.

Configuration of an IIS application host process can vary depending on the level of functionality served by the host process. For example, an IIS application host process that only serves static HTML pages is typically configured differently than one that serves ASP pages or ASP.NET applications.

Configuration of an IIS application host process also varies depending on the version of IIS that is hosting the application. IIS 6.0 on Windows Server 2003 introduces IIS Application Pools to simplify setting the process identity. Setting a unique process identity in IIS 5.x requires that the Application Protection level for the associated virtual directory is set to High (Isolated) and that the Identity of the corresponding COM+ application is adjusted.

Setting IIS Process Identity for IIS 5.x on Windows 2000 Server or Windows XP

To set the IIS application host process identity in IIS 5.x, first determine the application protection level that is set for the associated IIS virtual directory.

To determine the application protection level for an IIS virtual directory on a computer running Windows 2000 Server or Windows XP
  1. Click Start, then Settings, and then click Control Panel.

  2. In Control Panel, double-click Administrative Tools.

  3. In Administrative Tools, double-click Internet Information Services.

  4. In Internet Information Services, expand <computer name> (local computer), and then expand Web Sites.

  5. Right-click the virtual directory, and then click Properties.

  6. Click the Directory tab of the virtual directory Properties dialog box.

  7. The Application Protection setting is available in the Application Setting section of this page.

    • Low (IIS Process) runs in the inetinfo.exe process.

    • Medium (Pooled) runs in the IIS Out-Of-Process Pooled Applications COM+ application process (dllhost.exe).

    • High (Isolated) runs in a separate COM+ application process (dllhost.exe).

After determining the application protection level for the IIS virtual directory, set the corresponding IIS application host process identity according to the values in the following table. This table summarizes the processes that can host applications on IIS 5.x running on Windows 2000 Server or Windows XP:

inetinfo.exe (IIS service)
    Used as host for: HTML pages, ASP pages
    Default process identity: <machineName>\SYSTEM
    Security context configuration: Changing the security context for the inetinfo.exe process is not supported.

dllhost.exe
    Used as host for: HTML pages, ASP pages
    Default process identity: <machineName>\IWAM_<machineName>
    Security context configuration: Configurable by changing the identity of the corresponding COM+ application in the Component Services MMC interface. Open the Component Services MMC interface by clicking Start, Settings, Control Panel, Administrative Tools, Component Services.

aspnet_wp.exe
    Used as host for: ASP.NET processes
    Default process identity: <machineName>\ASPNET
    Security context configuration: Create an account with the correct permissions, and then configure the <processModel> section of the Machine.config file to use that account. For more information, see the Resolution section of FIX: ASP.NET does not work with the default ASPNET account on a domain controller.

Setting IIS Process Identity for IIS 6.0 on Windows Server 2003

To set the IIS application host process identity in IIS 6.0, first determine the application pool that is set for the associated IIS virtual directory.

To determine the application pool for an IIS virtual directory on a Windows Server 2003 based computer
  1. Click Start, then Settings, and then click Control Panel.

  2. In Control Panel, double-click Administrative Tools.

  3. In Administrative Tools, double-click Internet Information Services (IIS) Manager.

  4. In Internet Information Services Manager, expand <computer name> (local computer), and then expand Web Sites.

  5. Right-click the virtual directory and then click Properties.

  6. Click the Virtual Directory tab of the virtual directory Properties dialog box.

  7. The Application Pool setting is available in the Application Setting section of this page.

To set the identity associated with an application pool
  1. In Internet Information Services Manager, expand <computer name> (local computer), and then click Application Pools.

  2. Right-click the application pool that is associated with the virtual directory, and then click Properties.

  3. Click the Identity tab of the application pool Properties dialog box to set the user account used as the identity of the application pool.

This table summarizes the processes that can host applications on IIS 6.0 running on Windows Server 2003:

inetinfo.exe (IIS service)
    Used as host for: HTML pages, ASP pages
    Default process identity: <machineName>\SYSTEM
    Security context configuration: Changing the security context for the inetinfo.exe process is not supported.

w3wp.exe
    Used as host for: HTML pages, ASP pages, and ASP.NET processes
    Default process identity: <machineName>\NETWORK SERVICE
    Security context configuration:
      1. Set the application pool for the virtual directory in the Internet Information Services Manager.

      2. Configure the identity of the application pool in the Internet Information Services Manager.

        Note
        The account used for the identity of the application pool must be a member of the <machineName>\IIS_WPG group.

While process identity governs the security context available to the running IIS application host process, user access permissions govern the security context for the account that is actually accessing the Web page(s) being served. Permissions must be set appropriately for both security contexts to avoid permissions errors. Both IIS 5.x and IIS 6.0 support the following user authentication methods:

  • Anonymous access: Allows users to establish an anonymous connection. The IIS server logs on the user with the specified guest account.

  • Windows Integrated authentication: Uses a cryptographic exchange with the user's Web browser to confirm the identity of the user.

  • Digest authentication: Works only with Active Directory accounts, sending a hash value over the network, rather than a plaintext password. Digest authentication works across proxy servers and other firewalls and is available on Web Distributed Authoring and Versioning (WebDAV) directories.

  • Basic authentication: Transmits passwords across the network in plaintext, an unencrypted form.

IIS 6.0 also supports the following user authentication method:

  • .NET Passport authentication: A Web authentication service.

To set user access rights for a virtual directory in IIS 5.x or IIS 6.0
  1. In the Internet Information Services Manager, expand <computer name> (local computer), and then expand Web Sites.

  2. Right-click the virtual directory and click Properties.

  3. Click the Directory Security tab of the virtual directory Properties dialog box.

  4. Click the Edit button under Anonymous access and authentication control (IIS 5.x) or Authentication and access control (IIS 6.0).

  5. Enable one or more authentication methods.

    Note
    If Anonymous access (IIS 5.x) or Enable anonymous access (IIS 6.0) is enabled, IIS first evaluates user access rights as the specified anonymous user account before falling back to any other enabled authentication methods.

Follow these steps to troubleshoot IIS permissions:

  1. Check the application log of the IIS Server computer for errors.

  2. Install the Internet Information Services Authentication and Access Control Diagnostics Version 1.0 tool (Authdiag) on the IIS Server computer and use Authdiag to analyze IIS permissions.

  3. Check the IIS log files of the IIS server for HTTP 401 errors.

    By default, the IIS log files on a computer running Windows Server or Windows XP are located in the following directory:

    %WinDir%\system32\LogFiles\W3SVC1\

    Note
    %WinDir% is a placeholder for the location of the Windows directory on the IIS server.

    • If the IIS log file contains HTTP 401 errors, follow the steps in Troubleshooting HTTP 401 errors in IIS to determine the substatus code and to troubleshoot the permissions problem based on the status code.

      Note
      See W3C Extended Log File Examples (IIS 6.0) for an explanation of the fields contained in an IIS 6.0 log file. See Logging Properties Reference for an explanation of the fields contained in an IIS 5.x log file.

    • Check the value of the c-username (IIS 5.x) or the cs-username (IIS 6.0) field associated with the HTTP 401 error. This field contains the name of the authenticated user who accessed the IIS server. The anonymous user account is represented by a hyphen (-) in this field. Ensure that this account has permissions on the appropriate resources.

  4. Verify that the process identity credentials used by the IIS application host process are set correctly and that the account has the appropriate permissions. If the account used for the process identity has insufficient permissions then either change the account or grant the account the appropriate permissions.

  5. Use the RegMon and FileMon utilities described in Tools and Utilities to Use for Troubleshooting to diagnose file or registry access permissions problems.

    Note
    RegMon and FileMon are not supported by Microsoft, and Microsoft makes no guarantees about the suitability of these programs. Use of these programs is entirely at your own risk.
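An added example (not part of the original topic) of the log check in step 3, scripted the way a practitioner would triage it: it parses a constructed IIS 6.0 W3C extended log by its #Fields directive, extracts the HTTP 401 entries together with their sc-substatus and cs-username (a hyphen meaning the anonymous account), and also tolerates IIS 5.x logs that have no sc-substatus column. The path, account name and sample lines are constructed; the substatus meanings are the documented IIS 6.0 ones.

```python
from collections import Counter

# Documented IIS 6.0 substatus meanings for HTTP 401 (IIS status code reference).
SUBSTATUS_401 = {0: "Access denied", 1: "Logon failed",
                 2: "Logon failed due to server configuration",
                 3: "Unauthorized due to ACL on resource", 4: "Authorization failed by filter",
                 5: "Authorization failed by ISAPI/CGI application",
                 7: "Access denied by URL authorization policy"}

# Constructed sample in W3C extended format (not a real log); the column order
# comes from the #Fields directive IIS writes at the top of each log file.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-03-01 10:00:01 192.0.2.10 POST /HttpReceive/receive.dll - 80 - 192.0.2.50 Mozilla/4.0 401 2 0
2006-03-01 10:00:02 192.0.2.10 POST /HttpReceive/receive.dll - 80 CONTOSO\svc-sender 192.0.2.50 Mozilla/4.0 401 3 5
2006-03-01 10:00:03 192.0.2.10 GET /default.htm - 80 - 192.0.2.51 Mozilla/4.0 200 0 0
2006-03-01 10:00:04 192.0.2.10 POST /HttpReceive/receive.dll - 80 CONTOSO\svc-sender 192.0.2.50 Mozilla/4.0 200 0 0
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the declared field names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the log declares its own column order
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields is not None and len(values) == len(fields):   # skip malformed lines
                records.append(dict(zip(fields, values)))
    return records

def find_401s(records):
    """Return (account, substatus, meaning, uri) for each 401 entry. A hyphen in
    cs-username (IIS 6.0) / c-username (IIS 5.x) is the anonymous account; IIS 5.x
    logs carry no sc-substatus field, so the substatus is None for them."""
    hits = []
    for r in records:
        if r.get("sc-status") != "401":
            continue
        user = r.get("cs-username", r.get("c-username", "-"))
        user = "<anonymous>" if user == "-" else user
        sub = int(r["sc-substatus"]) if "sc-substatus" in r else None
        meaning = SUBSTATUS_401.get(sub, "substatus not logged or unknown")
        hits.append((user, sub, meaning, r.get("cs-uri-stem", "")))
    return hits

def summarize(records):
    """Count 401s per (account, substatus) so the failing security context stands out."""
    return Counter((user, sub) for user, sub, _, _ in find_401s(records))
```

Each reported account is the one whose permissions on the resource need checking: the anonymous account maps to the configured guest account, and a 401.3 points at an ACL on the file or directory rather than at the logon itself.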

© 2014 Microsoft