= Log on Locally Permission Not Required for Client Access =

Article ID: 153953

Article Last Modified on 6/23/2005

APPLIES TO


 * Microsoft Internet Information Server 1.0
 * Microsoft Internet Information Server 2.0
 * Microsoft Internet Information Server 3.0



This article was previously published under Q153953



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx





SYMPTOMS
When you configure a Microsoft Windows NT user account to be used by clients using HTTP basic authentication, Internet Information Server (IIS) requires that the account is granted the Log on Locally right.

If this right is not granted to users who will be accessing IIS services, then the following symptoms may be experienced.

When a client tries to access an HTML page on IIS, the client receives the following error message:

Error: Access is denied.

When a client tries to access the FTP server on IIS, the client receives the following error message:

Login failed.

However, for reasons of security, it may be undesirable for the IIS Administrator to grant users the Log on Locally right.



RESOLUTION
Microsoft has created a patch that enables IIS administrators to choose which right needs to be granted to users in order that clients using Basic Authentication may access IIS services.

After you apply the patch, the required rights are configurable by the IIS administrator by setting the following registry value (where ServiceName is either W3SVC for the WWW service, or MSFTPSVC for the FTP service).

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters

 * Value Name: LogonMethod
 * Value Type: REG_DWORD
 * Value Range: 0 or 1
 * Default: 0

A value of 0 means users must have the right to Log on Locally to be given access to the server. A value of 1 means that users must have the right to Log On as a Batch Job.

The Log On as a Batch Job privilege is an advanced user right that may be granted in User Manager.
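
The following is an added example, not part of the original article and not Microsoft code: a Python script that reads a REGEDIT4-style registry export and reports which user right each IIS service requires of Basic Authentication accounts, treating a missing LogonMethod value as the documented default of 0. The export text is constructed sample data, and the function and variable names are hypothetical.

```python
import re

# Constructed REGEDIT4-style export (sample data, not taken from a real server).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"LogonMethod"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters]
"ExampleOtherValue"=dword:000003e8
'''

SERVICES = ("W3SVC", "MSFTPSVC")  # WWW and FTP services named in the article
RIGHTS = {0: "Log on Locally", 1: "Log On as a Batch Job"}
DEFAULT = 0  # the article gives 0 as the default
PREFIX = ["HKEY_LOCAL_MACHINE", "SYSTEM", "CURRENTCONTROLSET", "SERVICES"]

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"LogonMethod"=dword:([0-9a-f]{1,8})$', re.IGNORECASE)

def parse_logon_methods(export_text):
    """Return {service: LogonMethod} for values set under a service's Parameters key."""
    found, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            parts = m.group(1).upper().split("\\")
            # Only accept <PREFIX>\<service>\Parameters; any other key resets the context.
            ok = len(parts) == 6 and parts[:4] == PREFIX and parts[5] == "PARAMETERS"
            current = parts[4] if ok else None
            continue
        v = VAL_RE.match(line)
        if v and current in SERVICES:
            found[current] = int(v.group(1), 16)
    return found

def required_rights(export_text):
    """Map each service to the user right its Basic Authentication accounts need."""
    found = parse_logon_methods(export_text)
    report = {}
    for svc in SERVICES:
        value = found.get(svc, DEFAULT)
        report[svc] = RIGHTS.get(value, "outside documented range (0 or 1)")
    return report

if __name__ == "__main__":
    for svc, right in required_rights(SAMPLE_EXPORT).items():
        print(f"{svc}: accounts need '{right}'")
```

In the sample, the FTP service has no LogonMethod value, so it is reported as still requiring Log on Locally.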



STATUS
Microsoft has confirmed this to be a problem in Microsoft Internet Information Server version 1.0. This problem was corrected in the latest Windows NT 3.51 U.S. Service Pack. For information on obtaining the Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

  S E R V P A C K

Keywords: kbenv KB153953


© Microsoft Corporation. All rights reserved.