Why IIS denied all asp.net requests?

  • Question

  • User1292358045 posted

    I have a website which is intended for logged-on Windows users only, so I set IIS anonymous access = false, Windows authentication = true.

    and assigned all users to a group that has access to the wwwroot website folder.

    It worked for a long time; suddenly today, no users can access the website.

    I did some tests and found that:

    1. all static files work fine; they require a Windows logon, and if you have a logon, you can access them.

    2. all asp.net files, like .aspx or those accessed through controller/view, are denied

    3. one particular user can log in, but only if I specify the domain name in front of it (previously, no domain name was required); other users still can't, even with the domain name specified.

    4. that user is the owner of the website folder and has full permission; however, if I assign full permission to another user, the other user still can't log on, so I don't know what lets the first user log on.

    Please help

    Friday, March 13, 2015 1:09 PM

Answers

  • User1292358045 posted

    Update: problem solved after I restarted the PDC.

    It seems the PDC auto-updated the day before yesterday and hadn't been restarted since the updates were installed. Normal workstation/remote server logon was not affected; however, something went wrong when IIS asked the PDC to verify logons.

    That particular account that worked occasionally can be explained, because I use that account to log on to the IIS server itself. So when I attempted to log on through the browser, if I was already logged on to the server, it didn't need to call the PDC again. After I restarted, I couldn't log on through browsers until I logged on to the IIS server.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, March 13, 2015 6:27 PM

All replies

  • User1508394307 posted

    If nothing was changed in the application (including web.config) then try to reboot the server. Sometimes it helps ;-)

    In general, try to follow all the configuration steps again to see whether anything has changed

    https://msdn.microsoft.com/en-us/library/ff647405.aspx
    http://support.microsoft.com/en-us/kb/323176

    What is not clear in #2: does it prompt for a login? If not, then how are you able to enter a login in #3?

    Friday, March 13, 2015 1:41 PM
  • User1292358045 posted

    Rebooting the server is the first thing I did

    and for the confusion, it did prompt to log on; however, whatever I input, it jumped back to ask me for credentials again.

    Friday, March 13, 2015 1:43 PM
  • User1508394307 posted

    ok, so what about the other question?

    The problem is too broad to have one meaningful solution. It is not clear if you use impersonation and what your web.config settings are. In general, WA does not need to have special access to the wwwroot; it is enough to set

    <authorization>
      <allow roles="domainname\Managers" />
      <deny users="*" />
    </authorization>

    Friday, March 13, 2015 1:49 PM
  • User1292358045 posted

    I didn't use impersonation; every user uses his own identity, so in the program I can distinguish them.

    I didn't use web.config and set it in the IIS Manager GUI instead. My previous working approach was not to set users/roles in IIS Manager, but to set folder permissions for the allowed users/groups.

    and the restricted website is actually only a part of a public site, which is not configured as a standalone application, so I can't set web.config to make it <authentication mode="Windows" />

    Friday, March 13, 2015 2:03 PM
  • User1292358045 posted

    After restarting again w/o any changes, the sole account that was able to log on can't log on.

    I checked the event log and found that all failed logons have an account audit failure message:

    An account failed to log on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        dev01
        Account Domain:        

    Failure Information:
        Failure Reason:        An Error occured during Logon.
        Status:            0xC000006D
        Sub Status:        0x0

    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:    workstation-001
        Source Network Address:    -
        Source Port:        -

    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Friday, March 13, 2015 3:14 PM
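
An added example, not part of the original thread: a Python sketch that parses the text of a 4625 event like the one quoted above and lists what its fields say. It assumes the message layout Event Viewer emits (section headers at column 0, fields indented); `parse_4625`, `triage` and the sample text are constructed for illustration.

```python
# Documented NTSTATUS values that appear in event 4625 Status / Sub Status.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
}

# Constructed sample: the decisive fields of the event quoted above.
SAMPLE = """\
Logon Type:            3
Account For Which Logon Failed:
    Account Name:        dev01
    Account Domain:
Failure Information:
    Status:            0xC000006D
    Sub Status:        0x0
Detailed Authentication Information:
    Authentication Package:    NTLM
"""

def parse_4625(text):
    """Return {section: {field: value}}; unsectioned fields go under ''."""
    out, section = {"": {}}, ""
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank line or explanatory prose
        key, _, value = line.strip().partition(":")
        if line[0].isspace():          # indented "Field: value"
            out[section][key] = value.strip()
        elif value.strip():            # top-level "Logon Type: 3"
            out[""][key] = value.strip()
        else:                          # "Section:" header
            section = key
            out[section] = {}
    return out

def triage(ev):
    fail = ev.get("Failure Information", {})
    status = int(fail.get("Status", "0"), 16)
    sub = int(fail.get("Sub Status", "0"), 16)
    notes = [NTSTATUS.get(sub or status, hex(sub or status))]
    if sub == 0:
        notes.append("no sub status: event names no cause such as a wrong password")
    if ev.get("Detailed Authentication Information", {}).get(
            "Authentication Package") == "NTLM" and ev[""].get("Logon Type") == "3":
        notes.append("NTLM network logon: domain accounts are validated by a DC")
    if not ev.get("Account For Which Logon Failed", {}).get("Account Domain"):
        notes.append("empty Account Domain: user name arrived unqualified")
    return notes
```

Calling `triage(parse_4625(SAMPLE))` returns the decoded status followed by one finding per matching condition.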
  • User1508394307 posted

    and the restricted website is actually only a part of a public site, which is not configured as a standalone application, so I can't set web.config to make it <authentication mode="Windows" />

    Originally you said that

    "I have a website which is intended for logged-on Windows users only, so I set IIS anonymous access = false, Windows authentication = true."

    Did you set Windows authentication for the entire site? Or not?

    Anyway, I think you need to try changing web.config (even just to test)

    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>

    or something like this

    Friday, March 13, 2015 3:41 PM
  • User1292358045 posted

    When I changed that, I got an error message that this is beyond application-level settings; I have to convert the folder to an application to use it.

    Also, my event log indicates this is a system-level logon failure, not IIS-level, I think.

    So, I am trying to remove all security updates that were automatically installed today.

    Friday, March 13, 2015 3:53 PM
  • User1292358045 posted

    it seems removing all updates doesn't work

    Friday, March 13, 2015 4:14 PM
  • User1292358045 posted

    update: after I uninstalled all updates (some updates installed today I can see in Windows Update => view install history, but they are not listed in Programs and Features => installed updates, thus I can't uninstall them) and restarted

    1. that particular account that could log on some of the time previously can now log on, but only through IE

    2. other accounts are still not accessible

    and then I reinstalled all non-optional updates and restarted; no users can log on again.

    Friday, March 13, 2015 4:40 PM
  • User1292358045 posted

    a small update: today, the exact same thing happened; the difference is that neither the PDC nor the IIS server had been updated since the last reboot, and rebooting the IIS server, then the PDC, didn't help either.

    after a while checking solutions, I just restarted both servers at the same time; after that, it works again

    Monday, March 23, 2015 12:30 PM