Article ID: 922730 - Last Review: November 30, 2007 - Revision: 1.6

The account that is used for anonymous access may be unexpectedly locked out in IIS 6.0 or in IIS 5.0

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

On This Page

Expand all | Collapse all

SYMPTOMS

In Microsoft Internet Information Services (IIS) 6.0 or in Microsoft Internet Information Services (IIS) 5.0, the account that is used for anonymous access may be unexpectedly locked out. Additionally, one or more events that resemble the following may be logged in the Security log:
Event 1

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Description:
Logon Failure:
Reason: Account locked out
User Name: username
Domain: domain
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Event 2

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Description:
The logon to account: username by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: computername failed. The error code was: 3221226036

Event 3

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Description:
The server was unable to logon the Windows NT account 'useraccount' due to the following error: The referenced account is currently locked out and may not be logged on to

Notes
  • Username is a placeholder for the user name.
  • Domain is a placeholder for the domain name.
  • Computername is a placeholder for the computer name.
  • Useraccount is a placeholder for the user account in the Active Directory directory service or in Local Users and Groups.
Back to the top

CAUSE

This issue may occur if one or more of the following conditions are true:
  • The Security log is full, and the following registry key is set to an incorrect value:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
  • The account that is used for anonymous access does not have the permissions that are required to access the Web site.
  • The password for the account that is used for anonymous access in IIS is not synchronized with the password for the account in Active Directory or in Local Users and Groups.
  • The account that is used for anonymous access has a different password in another IIS metabase property.
Back to the top

RESOLUTION

To resolve this issue, use one of the following methods.
Back to the top

Method 1: Verify the registry settings

Verify that the Security log is not full. Additionally, verify that the following registry key is set to the correct value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
832981  (http://support.microsoft.com/kb/832981/ ) Users cannot access Web sites when the security event log is full
Back to the top

Method 2: Verify the permissions

Verify that the account that is used for anonymous access has the permissions that are required to access the Web site. To do this, use version 1.0 of the Authentication and Access Control Diagnostics (AuthDiag) tool. For more information about the AuthDiag tool, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/iis/support/default.mspx (http://www.microsoft.com/windowsserver2003/iis/support/default.mspx)
Back to the top

Method 3: Synchronize the passwords

Synchronize the password for the account that is used for anonymous access in IIS with the password for the account in Active Directory or in Local Users and Groups. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
909887  (http://support.microsoft.com/kb/909887/ ) Error message when you try to view a Web site that is hosted on Internet Information Server 6.0 by using anonymous access: "401.1 Unauthorized: Logon failed"
Back to the top

Method 4: Verify that the password for the account is consistent in the IIS metabase

Verify that the account that is used for anonymous access does not exist with a different password in the IIS metabase. For example, the account that is used for anonymous access may be unexpectedly locked out if the following conditions are true:
  • The UNCUserName property uses the account that is used for anonymous access.
  • This account is configured to use a different password.
To verify that the password for the account is consistent in the IIS metabase, search the IIS metabase for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.

To search the IIS metabase, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, use the CD command to change to the Inetpub\Adminscripts directory.
  3. At the command prompt, type Cscript Adsutil.vbs Enum_all > Metabase.txt, and then press ENTER.
  4. At the command prompt, type Exit, and then press ENTER.
  5. Open the Metabase.txt file, and then search for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.
Notes
  • You can open the IIS 6.0 Metabase.xml file in Notepad.
  • In IIS 6.0, you can use Metabase Explorer to view and to edit the IIS metabase. Metabase Explorer is available in the IIS 6.0 Resource Kit.
  • In IIS 5.0, you can use the MetaEdit tool to view and to edit the IIS metabase. However, the MetaEdit tool is not a supported tool.
Back to the top

Method 5: Create a new user account

Create a new user account. Then, configure IIS to use the new user account for anonymous access.

Note You must grant the new user account the required NTFS permissions and user rights.
Back to the top

MORE INFORMATION

For more information about how to troubleshoot account lockouts, visit the following Microsoft TechNet Web site:
http://technet2.microsoft.com/windowsserver/en/library/d7e66b86-7b31-45a8-b11f-449fe7e7c62e1033.mspx (http://technet2.microsoft.com/windowsserver/en/library/d7e66b86-7b31-45a8-b11f-449fe7e7c62e1033.mspx)
For more information about how to grant the required NTFS permissions and user rights for an IIS 5.0 Web server, click the following article number to view the article in the Microsoft Knowledge Base:
271071  (http://support.microsoft.com/kb/271071/ ) How to set required NTFS permissions and user rights for an IIS 5.0 Web server
For more information about the IIS Resource Kit, click the following article number to view the article in the Microsoft Knowledge Base:
840671  (http://support.microsoft.com/kb/840671/ ) The IIS 6.0 Resource Kit Tools
Back to the top
APPLIES TO
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 5.0
Back to the top
Keywords: 
kbtshoot kbprb KB922730
Back to the top