|
| |
|
|
checkltan
Posts: 3
Joined: 12/20/2005
Status: offline
 |
Frontpage 2003 permission - 12/21/2005 5:51:20
Hi,
I am having this problem with my setup and I wish someone out there can provide help.
I have a server hosting a webpage. This server is running on Windows 2003. The IIS settings for this default website is as following:
- Enable anonymous login
- Anonymous login user name: IIS_USER
- Authenticated access: Integrated Windows Authentication
IIS_USER is the member of Administrator.
I am using another machine installed with FP2003 to manage the user permission. When I open the site from this machine, FP2003 didn't challenge me for username and password. I can still modify the content of the website. When i save the file, it shows it was update by IIS_USER.
If i remove the "enable anonymous login" from the IIS settings, everyone who browse the website will be challenge for login name and password.
I found out that by default when i installed the IIS, the anonymous user should be IIS_<computer_name>. Due to some reason, I have to recreate a new IIS_USER id.
Does anyone have any idea what is the problem?
|
|
|
|
yogaboy
Posts: 377
Joined: 5/22/2004
Status: offline
|
RE: Frontpage 2003 permission - 12/22/2005 22:54:45
Hi CheckItan,
the default anonymous user is IUSR_computername.
Are you using this as a public site or for an intranet (non-public)?
If it's a public site then remove Intergrated Windows Authentication. If it's an intranet then remove anonymous logins because anyone wishing to use the network will have to logon, and that will then enable them to access the site without being challenged for a password.
| |
|
|
|
checkltan
Posts: 3
Joined: 12/20/2005
Status: offline
|
RE: Frontpage 2003 permission - 12/27/2005 5:52:02
Hi,
Thanks for the information. However, here's my findings.
1) The current anonymous ID (IIS_USER) for my website is actually an Admin ID. Wen i switch the anonymous accoount to an IUSR account, i was prompt for ID and password when i browse the website.
2) I tried to remain the current anonymous ID but removed it from the Administrator group. It was running fine until some new user browse the webpage, triggered it to prompt for user name and password
My assumption for the above case:
1) the IUSR account password does not sync with the password in the IIS metabase file
2) The Anonymous ID and password was cached in the user browser, causing the server unable to authenticate the user with the new set of credentials.
I would like to know if anyone have any idea how to solve the above problem. I would like to change the settings according to case 1 so that when i open the site from Frontpage, it will prompt for user name and password before i can modify the web content.
Thanks
| |
|
|
|
yogaboy
Posts: 377
Joined: 5/22/2004
Status: offline
|
RE: Frontpage 2003 permission - 12/27/2005 5:57:57
Is this an internet or intranet site?
| |
|
|
|
checkltan
Posts: 3
Joined: 12/20/2005
Status: offline
|
RE: Frontpage 2003 permission - 12/27/2005 20:21:17
This is an intranet site. However, user machine and server are joining into different domain.
| |
|
|
|
yogaboy
Posts: 377
Joined: 5/22/2004
Status: offline
|
RE: Frontpage 2003 permission - 12/28/2005 7:00:28
if it's an intranet site then Anonymous Login is an absolute no no. If you want to be hacked or for someone to screw up your resources then choose Anonymous Login. It may be nazi but it's right. Also - never ever ever make the Anonymous user a member of the administrators group!
Always guide yourself with the aim to make everything as secure as possible, which means only giving the minimum possible permissions to the fewest possible people in order to get the job done. Never rely on giving administrative rights in order to get something working. Also, once inside your network, everyone should need to authenticate (at least once) to be able to access a resource.
Sorry to be so blunt, but this is basically the key to good network management and to tell you any different would be wrong.
Windows 2003 domains are set to default to a 2 way transitive trust, so there should be no problem for those outside the IIS server's domain accessing it if users inside the domain can access it.
If users outside the domain can't access it then it's either
1) a permissions problem and that needs to be sorted out using Active Directory - try assigning users in your existing Global groups into a Universal group and give access to the intranet site through that Universal group. Tip - don't put individual users into a Universal group! Only ever put global groups in a universal group.
2) the trust relationship does not allow users outside of the domain to access resources - this is a network-design problem that can also be sorted using Active Directory tools.
| |
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts
|
|
|
Printable Version 
