Microsoft KB Archive/318932

= PRB: Cannot Use the Local IUSR Account for Content Permissions =

Article ID: 318932

Article Last Modified on 2/12/2007


APPLIES TO


 * Microsoft Application Center 2000 Standard Edition




This article was previously published under Q318932



SYMPTOMS
When users try to use anonymous access on your Web site, these users may receive the following error message on cluster members only:

"HTTP 401.1 - Unauthorized: Logon Failed"



CAUSE
Application Center 2000 creates a new IUSR account on each server that is added to the cluster. The name of this account is IUSR_ (where   is the computer name of the cluster controller). By default, the IUSR_ account is the anonymous user account on the cluster controller. Application Center replicates this metabase setting to all servers in the cluster; therefore, each cluster member must have this same named account to handle anonymous connections.

If you grant the IUSR_ account explicit permissions to your content, and then replicate your Web content with permissions, the cluster members cannot resolve the account security identifier (SID).

When Application Center 2000 replicates with permissions, it replicates the object (including files and folders) that contains the Access Control List (ACL). The ACL contains the SID of the IUSR_ account on the cluster controller. The IUSR_ accounts on the member servers have a different SID; therefore, the cluster members cannot resolve the SID to a local account. Because the SID cannot be resolved on the cluster members, the anonymous account does not have access to the content on cluster members.
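
One way to confirm this condition on a cluster member, as an added example that is not part of the original article: the PowerShell script below walks a content folder and reports every ACL entry whose SID does not resolve to an account on the local server. It assumes Windows PowerShell 3.0 or later is available on the member; the default content path and the function name `Get-UnresolvedAce` are assumptions made for illustration.

```powershell
# Added example (not from the original article). Run on a cluster member.
param(
    # Assumption: replace with the replicated Web content root on your servers.
    [string]$ContentPath = 'C:\Inetpub\wwwroot'
)

$sidType     = [System.Security.Principal.SecurityIdentifier]
$accountType = [System.Security.Principal.NTAccount]

function Get-UnresolvedAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request rules keyed by raw SID (explicit and inherited entries).
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference
        try {
            # Succeeds for local accounts, domain accounts and well-known
            # SIDs such as Everyone (S-1-1-0).
            [void]$sid.Translate($accountType)
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # The SID was issued by another machine or domain, for example
            # the controller's local IUSR_ account after replication.
            [pscustomobject]@{
                Path        = $Path
                Sid         = $sid.Value
                IssuerSid   = [string]$sid.AccountDomainSid
                Rights      = $rule.FileSystemRights
                Type        = $rule.AccessControlType
                IsInherited = $rule.IsInherited
            }
        }
    }
}

# Check the root folder itself plus everything beneath it.
$items = @($ContentPath) + @(Get-ChildItem -LiteralPath $ContentPath -Recurse -Force |
    ForEach-Object { $_.FullName })

$findings = foreach ($item in $items) { Get-UnresolvedAce -Path $item }

if ($findings) {
    $findings | Sort-Object IssuerSid, Path | Format-Table -AutoSize
} else {
    Write-Output "All ACL entries under $ContentPath resolve on $env:COMPUTERNAME."
}
```

Entries that share one `IssuerSid` value were all granted to accounts from the same foreign machine or domain, which is the pattern the replicated controller ACL produces.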



RESOLUTION
To resolve this issue, do one of the following:
 * Best Practice: Use domain level accounts. Add all affected servers to the same Windows domain. Grant permissions to your Web content to a domain level account (such as \IUSR_ ). Set the domain level account to be the anonymous access account of the Web site or Web sites. Synchronize the cluster with permissions.

NOTE: Application Center replicates permissions only when the file or folder is actually replicated. To replicate the file or folder, there must be a significant change to the object (such as size, modification date, or attributes). Change of permissions alone does not constitute a significant enough change for replication to take place.
 * Default Configuration (work group environment): Application Center 2000 assumes that the servers are not members of a Windows domain (work group environment). This is the default configuration. To maintain consistent permissions in this environment, replicate with permissions and use well known built-in SIDs such as the Everyone group on content permissions. The Everyone group SID is recognized by all Windows NT servers, and the local IUSR_ can gain access to the content through the Everyone group.
 * Replicate without permissions: This is similar to a typical file copy. You must set permissions manually on the content and on each server.


STATUS
This behavior is by design.


MORE INFORMATION
Application Center is designed to have full functionality with or without a Windows domain. Therefore, the same named account (IUSR_ ) is created on each server to permit anonymous access. Otherwise, the Web site on the cluster members would be set to a nonexistent account.

Steps to Reproduce Behavior
To reproduce the behavior, follow these steps:
 * 1) In the Internet Services Manager (MMC) on the cluster controller (Server1, in this example), set the anonymous user account to be the local IUSR_  account.

Note: This is the default setting in Internet Information Services (IIS).
 * 2) Remove all permissions from the Web content of the Web site, and then grant the local IUSR_  account (Server1\IUSR_Server1) Read access to the content.
 * 3) In Properties for the folder that contains the Web content, click to select the Archive setting, and then click to clear the Archive setting, so that Application Center recognizes a significant change to the content.
 * 4) Synchronize the cluster.
