Bursar 0 Posted October 30, 2001
We've got a machine running Win2K server and IIS 5 and it's been running quite happily for a while, but it has recently developed an annoying problem. The web services are no longer working properly. When you try and view a page on the server, you get HTTP 500: Internal Server error. This happens on all pages on the server, regardless of how you try and address the server (hostname, IP address, 127.0.0.1).
According to the Event Log, the IUSR_machinename account cannot log on to the local machine. The properties of the IUSR user account seem fine, and if I look in the Directory Security section of the website, and select the IUSR account as the anonymous one, it says that "password synchronisation is not supported with non-local accounts" when I tick the "allow IIS to control password" box. The account is local to the machine, so I have no idea what IIS is talking about. We run a Novell network, and there are no AD/PDC/BDC servers on our network.
The FTP part of the site is still running fine. The MS Knowledgebase isn't much help, and the server is fully patched.
The full System Event Log message is as follows:
Quote:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 30/10/2001
Time: 12:22:47
User: N/A
Computer: name
Description: The server was unable to logon the Windows NT account 'name\IUSR_name' due to the following error: Logon failure: user not allowed to log on to this computer. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
Data: 0000: 31 05 00 00 1...
Unfortunately the URL given above does not work.
The Security Event Log shows the following:
Quote:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Date: 30/10/2001
Time: 12:22:47
User: NT AUTHORITY\SYSTEM
Computer: name
Description: Logon Failure:
Reason: User not allowed to logon at this computer
User Name: IUSR_name
Domain: name
Logon Type: 3
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: name
Where I have typed name in the above log messages, it reads the machine name in the event log. I'm slightly confused with the Domain section in the security log, as the machine is actually part of a workgroup (as we don't use domains).
If anyone can shed some light on this, it would be greatly appreciated.
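Added example, not part of the original thread: Python that splits the flattened Security event quoted in the post above into fields and decodes the W3SVC event's Data bytes as a little-endian Win32 error code. The function names and lookup tables are this example's own; the sample records are the ones quoted in the post, with the poster's `name` placeholder kept.

```python
import re
import struct

# Windows 2000 Security-log logon failure event IDs (529-535).
FAILURE_EVENTS = {
    529: "bad user name or password", 530: "logon time restriction",
    531: "account disabled", 532: "account expired",
    533: "user not allowed to log on at this computer",
    534: "requested logon type not granted", 535: "password expired"}
# Win32 logon error codes that W3SVC event 100 can carry in its Data field.
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE", 1329: "ERROR_INVALID_WORKSTATION",
                1331: "ERROR_ACCOUNT_DISABLED", 1385: "ERROR_LOGON_TYPE_NOT_GRANTED"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}
LABELS = ["Event Type", "Event Source", "Event Category", "Event ID", "Date",
          "Time", "User Name", "User", "Computer", "Description", "Reason",
          "Domain", "Logon Type", "Logon Process", "Authentication Package",
          "Workstation Name"]

def decode_data_dword(hexdump):
    """Decode an Event Viewer byte dump ('0000: 31 05 00 00 1...') as a DWORD."""
    payload = hexdump.split(":", 1)[1]          # drop the '0000' offset column
    octets = re.findall(r"\b[0-9A-Fa-f]{2}\b", payload)[:4]
    if len(octets) < 4:
        raise ValueError("need four data bytes")
    return struct.unpack("<I", bytes(int(o, 16) for o in octets))[0]

def parse_fields(text):
    """Split a flattened event record on its known 'Label:' markers."""
    pattern = r"\b(" + "|".join(re.escape(l) for l in LABELS) + "):"
    parts = re.split(pattern, text)
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def triage(security_text, w3svc_data):
    """Combine the Security failure record with the W3SVC error code."""
    f = parse_fields(security_text)
    code = decode_data_dword(w3svc_data)
    return {"account": f["Domain"] + "\\" + f["User Name"],
            "failure": FAILURE_EVENTS.get(int(f["Event ID"]), "unknown"),
            "logon_type": LOGON_TYPES.get(int(f["Logon Type"]), "other"),
            "win32": (code, WIN32_ERRORS.get(code, "unmapped"))}

# Records as quoted in the post; 'name' is the poster's placeholder.
SECURITY_EVENT = (
    r"Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff "
    r"Event ID: 533 Date: 30/10/2001 Time: 12:22:47 User: NT AUTHORITY\SYSTEM "
    r"Computer: name Description: Logon Failure: Reason: User not allowed to logon "
    r"at this computer User Name: IUSR_name Domain: name Logon Type: 3 Logon Process: "
    r"IIS Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: name")
W3SVC_DATA = "0000: 31 05 00 00 1..."
```

The data bytes decode to 1329 (ERROR_INVALID_WORKSTATION), the Win32 code that matches event 533. A logon right that has not been granted is reported with a different pair, 1385 (ERROR_LOGON_TYPE_NOT_GRANTED) and event 534.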
Bursar 0 Posted October 30, 2001
Right, after some investigation, it seems as if the Log On Locally policy isn't in place properly. If I look at the settings for the IUSR account, the Log on Locally box is ticked for Local Policy, but it is unticked in the Effective Policy Setting column.
I think this is the cause of my problem. I just don't know how to fix it though.
clutch 1 Posted October 30, 2001
Has anybody been fiddling with policies on that system? How about testing policies in general? Here is some information on Group Policy settings and deployment:
http://www.microsoft.com/technet/treevie...rt4/dsgch22.asp
Bursar 0 Posted October 30, 2001
Thanks, but most of our users are monkeys that don't know what they're doing, so I doubt they would fiddle with stuff. I have tried to instill the fear of God into them if they do, so I doubt a user has changed the settings.
Most of this Policy stuff is gibberish to me. Because we only use Win2K servers for running IIS and nothing else, everything should be done on a local basis rather than using Group Policy objects which (from what I can make out) you set on the server and propagate out to users and machines.
After some fiddling and rebooting, I now have a tick in both boxes of "log on locally" for the IUSR account. It still doesn't work, and the Event Log is still showing 'the user is not able to log onto the machine'.
To say I'm confused is an understatement.
clutch 1 Posted October 30, 2001
Did you recently run any of the IIS securing utilities (hisec template, URLScan, IISLockdown)?
Bursar 0 Posted October 30, 2001
Nope.
Aha, one thing has come to light. Access 2000 was kind of installed on the machine on Friday. I say kind of because apparently the machine crashed part way through the install. It's possible that it overwrote some files during the install, but because it didn't finish properly, the machine is a bit confused.
I'm going to try uninstalling IIS, deleting the IUSR account, and then reinstalling IIS. Hopefully it will recreate the IUSR account with the required permissions.