Article ID: 263140
This article was previously published under Q263140
When you try to connect to a Web page that is running under Internet Information Services (IIS) 5.0 on a Microsoft Windows 2000 Domain Controller by using Anonymous or Basic authentication, the following error message may appear in the Web browser, even when the proper permissions are set:
HTTP 401.1 - Unauthorized: Logon Failed
For security reasons, on Windows 2000 domain controllers, only the account operators, administrators, backup operators, print operators, server operators, Internet guest account, and Terminal Services user accounts have the Log on Locally user right, which is a requirement for both Anonymous and Basic authentication.
IMPORTANT: Microsoft does not recommend running Internet Information Services on a domain controller (or BDC/PDC if you are running Microsoft Windows NT Server 4.0), because IIS performance is severely degraded due to the networking and processor load imposed by authentication and other roles performed by domain controllers. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
197132 (http://support.microsoft.com/kb/197132/EN-US/) Windows 2000 Active Directory FSMO Roles
To work around this issue, perform the following steps:
At this point, any account or group that is a member of the WebUsers group should be able to log on to the IIS 5.0 server by using Basic authentication. With Basic (clear text) authentication, it is recommended that the data be encrypted with SSL, because credentials are extremely easy to obtain from a network trace. For additional information on installing SSL under IIS 5.0, click the article number below to view the article in the Microsoft Knowledge Base:
228836 (http://support.microsoft.com/kb/228836/EN-US/) Installing a New Certificate for Use in SSL/TLS
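The check below is an added example, not part of the original article: it parses the `[Privilege Rights]` section of a security-template export (the INF format written by `secedit /export /areas USER_RIGHTS`) and reports whether an identity holds the Log on Locally right that Anonymous and Basic authentication require. The sample export, the `IUSR_WEB01` account and the `CONTOSO` domain names are constructed for illustration.

```python
# Added example: who holds "Log on Locally" in a security-template export?
import configparser

ALLOW = "SeInteractiveLogonRight"     # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"  # "Deny logon locally"

# Constructed sample; the account and domain names are hypothetical.
# *S-1-5-32-544/548/549/550/551 are the built-in Administrators, Account
# Operators, Server Operators, Print Operators and Backup Operators groups.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,IUSR_WEB01
SeDenyInteractiveLogonRight = CONTOSO\\TempStaff
"""


def logon_locally_holders(export_text):
    """Return (allowed, denied) principal sets from [Privilege Rights]."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep key case (configparser lowercases by default)
    cfg.read_string(export_text)

    def principals(right):
        raw = cfg.get("Privilege Rights", right, fallback="")
        return {p.strip().lstrip("*").lower() for p in raw.split(",") if p.strip()}

    return principals(ALLOW), principals(DENY)


def can_log_on_locally(export_text, identities):
    """identities: the account plus every group it is in (names or SIDs)."""
    allowed, denied = logon_locally_holders(export_text)
    ids = {i.lstrip("*").lower() for i in identities}
    if ids & denied:
        return False  # a deny entry overrides any allow entry
    return bool(ids & allowed)


if __name__ == "__main__":
    cases = {
        "anonymous (IUSR)": ["IUSR_WEB01"],
        "Basic auth user in WebUsers": ["CONTOSO\\alice", "CONTOSO\\WebUsers"],
        "admin also in a denied group": ["S-1-5-32-544", "CONTOSO\\TempStaff"],
    }
    for label, ids in cases.items():
        ok = can_log_on_locally(SAMPLE_EXPORT, ids)
        print(f"{label}: {'right held' if ok else 'no Log on Locally -> expect 401.1'}")
```

In the sample, the WebUsers member fails the check because neither the account nor the group appears under `SeInteractiveLogonRight`, which is the condition this article describes.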
For additional information about this issue, click the article numbers below to view the articles in the Microsoft Knowledge Base:
220609 (http://support.microsoft.com/kb/220609/EN-US/) How to Assign "Log On Locally" User Rights in Windows 2000
234237 (http://support.microsoft.com/kb/234237/EN-US/) Assign "Log On locally" Rights to Windows 2000 Domain Controller
For additional information on verifying that permissions are configured properly, click the article number below to view the article in the Microsoft Knowledge Base:
187506 (http://support.microsoft.com/kb/187506/EN-US/) List of NTFS Permissions Required for IIS Site to Work
Article ID: 263140 - Last Review: November 21, 2006 - Revision: 2.1