Anonymous and Basic Authentication Fail When You Connect to IIS 5.0 on a Domain Controller

Retired KB Content Disclaimer

View products that this article applies to.

This article was previously published under Q263140

Expand all | Collapse all

SYMPTOMS

When you try to connect to a Web page that is running under Internet Information Services (IIS) 5.0 on a Microsoft Windows 2000 Domain Controller by using Anonymous or Basic authentication, the following error message may appear in the Web browser, even when the proper permissions are set:

HTTP 401.1 - Unauthorized: Logon Failed

Back to the top

CAUSE

For security reasons, on Windows 2000 domain controllers, only the account operators, administrators, backup operators, print operators, server operators, Internet guest account, and Terminal Services user accounts have the Log on Locally user right, which is a requirement for both Anonymous and Basic authentication.

Back to the top

WORKAROUND

IMPORTANT: Microsoft does not recommend running Internet Information Services on a domain controller (or BDC/PDC if you are running Microsoft Windows NT Server 4.0), because IIS performance is severely degraded due to the networking and processor load imposed by authentication and other roles performed by domain controllers. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

197132 (http://support.microsoft.com/kb/197132/EN-US/ ) Windows 2000 Active Directory FSMO Roles

To work around this issue, perform the following steps:

Load the Domain Users and Computers snap-in.
Right-click the Users container, click New, and then select Group.
Configure this new group as follows:
- Group Name: WebUsers
- Group Scope: Domain Local
- Group Type: Security
Click Next until the wizard is finished and the WebUsers group is created.
Add any users or groups that require access to your Web site to the WebUsers group.
Load the Domain Controller Security Policy snap-in.
In the left pane, click to expand Windows Settings, click to expand Security Settings, click to expand Local Policies, and then select User Rights Assignments.
Double-click the Log on locally user right.
Add the WebUsers group that you created in step 4.
Force the policy to take affect by issuing the following command:
secedit /refreshpolicy machine_policy /enforce

At this point, any account or group that is a member of the WebUsers group should be able to log on to the IIS 5.0 server by using Basic authentication. With Basic/Clear Text authentication, it is recommended that the data be encrypted with SSL, as it is extremely easy to obtain credentials from a network trace. For additional information on installing SSL under IIS 5.0, click the article number below to view the article in the Microsoft Knowledge Base:

228836 (http://support.microsoft.com/kb/228836/EN-US/ ) Installing a New Certificate for Use in SSL/TLS

Back to the top

MORE INFORMATION

For additional information about this issue, click the article numbers below to view the articles in the Microsoft Knowledge Base:

220609 (http://support.microsoft.com/kb/220609/EN-US/ ) How to Assign "Log On Locally" User Rights in Windows 2000

234237 (http://support.microsoft.com/kb/234237/EN-US/ ) Assign "Log On locally" Rights to Windows 2000 Domain Controller

For additional information on verifying that permissions are configured properly, click the article number below to view the article in the Microsoft Knowledge Base:

187506 (http://support.microsoft.com/kb/187506/EN-US/ ) List of NTFS Permissions Required for IIS Site to Work

Back to the top

APPLIES TO

Microsoft Internet Information Services 5.0

Back to the top

kbpending kbprb KB263140

Back to the top

Retired KB Content Disclaimer

This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

Back to the top