Microsoft KB Archive/909887

= Error message when you try to view a Web site that is hosted on Internet Information Server 6.0 by using anonymous access: "401.1 Unauthorized: Logon failed" =

Article ID: 909887

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Information Services 6.0




Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
When you try to view a Web site that is hosted on Microsoft Internet Information Server (IIS) 6.0 by using anonymous access, you may receive an error message that is similar to the following:

401.1 Unauthorized: Logon failed



CAUSE
This problem may occur if one or more of the following conditions are true:
 * The user account does not have the required user rights to access the Web server.
 * The user account is disabled, locked out, or expired.
 * The wrong user name or password is specified in the IIS Metabase.
 * Subauthentication is not working correctly. This condition may occur if the Web site was upgraded from IIS 5.0 to IIS 6.0.



RESOLUTION
To resolve this problem, make sure that the following conditions are true:
 * The IUSR account has the Access this computer from the network user right.
 * The IUSR account is not listed in the Deny access to this computer from the network user right.
 * The IUSR account does not have time-based restrictions for accessing the Web server.
 * The IUSR account has not expired or has not been locked out.
 * The IUSR account password is correct in the metabase and in the Local User database. (If the account is a domain account, make sure that the password is correct in the Active Directory directory service.)
 * The AnonymousPasswordSync metabase property is set to false.



MORE INFORMATION
To troubleshoot the issue effectively, make sure that “only” anonymous access is allowed on the Web site or on a single page.

How to enable security logging on the Web server
If you configure logon failure auditing, the Security event log may contain information to identify the cause of the error message. Logon failure auditing lets you view the errors in the Security event log. To enable security logging on the Web server, follow these steps:
 * 1) Click Start, click Run, type Secpol.msc, and then click OK.

Notes
 * If the Web server is also a domain controller, type Dcpol.msc to open the Default Domain Controller Security Settings console. For more information about how to use the Dcpol.msc command, see the "References" section.
 * This issue can also occur if domain policy does not enable the user account that is used for anonymous access to access the required policy settings.

 * 2) Under Security Settings, expand Local Policies, and then click Audit Policy.
 * 3) In the right pane, double-click Audit logon events.
 * 4) On the Audit logon events Properties screen, click to select the Success and Failure check boxes, and then click OK.
 * 5) Click Start, click Run, type cmd, and then click OK.
 * 6) At the command prompt, type Gpupdate, and then press ENTER.
 * 7) At the command prompt, type Iisreset /restart, and then press ENTER.

Error examples
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The following are examples of errors that may be logged in the Security event log. In these examples,  is the user account that is used for anonymous access.

Error 1

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 534

Description: Logon Failure:

Reason: The user has not been granted the requested logon type at this machine

User Name:

Logon Type: 8

Logon Process: Advapi

Authentication Package: Negotiate

This error may occur if the user account that is used for anonymous access is denied access to the Web Server from the network. To verify that this user account is not denied access to the Web server from the network, follow these steps:
 * 1) Click Start, click Run, type Secpol.msc, and then click OK.

Note If the Web server is also a domain controller, use the Dcpol.msc command to open the Default Domain Controller Security Settings console.
 * 2) Under Security Settings, expand Local Policies, and then click User Rights Assignment.
 * 3) In the right pane, double-click Deny access to this computer from the network.
 * 4) If the user account that is used for anonymous access is denied access to the Web server from the network, click the user account that is used for anonymous access, click Remove, and then click OK.

Note This error may occur if the following conditions are true:
 * The Guests group is assigned the Deny access to this computer from the network user right.
 * The account that is used for anonymous access is a member of the Guests group. (This account is typically the IUSR_ account.)

Error 2

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 530

User: NT AUTHORITY\SYSTEM

Description: Logon Failure:

Reason: Account logon time restriction violation

User Name:

Logon Process: Advapi

Authentication Package: Negotiate

This error may occur if the user account that is used for anonymous access is denied access to the Web Server during a specific time period. To verify that this user account is not denied access during a specific time period, follow these steps:
 * 1) Click Start, click Run, type Dsa.msc, and then click OK.
 * 2) Expand the domain that you want, and then click Users.
 * 3) In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
 * 4) On the Account tab, click Logon Hours.
 * 5) Configure the logon hours that you want, and then click OK.

Error 3

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 532

User: NT AUTHORITY\SYSTEM

Description: Logon Failure:

Reason: The specified user account has expired

User Name:

Logon Type: 8

Logon Process: Advapi

Authentication Package: Negotiate

This error may occur if the user account has expired. To resolve this issue, follow these steps:
 * 1) Click Start, click Run, type Dsa.msc, and then click OK.
 * 2) Expand the domain you want, and then click Users.
 * 3) In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
 * 4) On the Account tab under Account Expires, click Never, and then click OK. Or, click End of, click a new account expiration date, and then click OK.

Error 4

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

User: NT AUTHORITY\SYSTEM

Description: Logon Failure:

Reason: Unknown user name or bad password

User Name:

Logon Type: 8

Logon Process: Advapi

Authentication Package: Negotiate

This error can occur if the password for the user account that is used for anonymous access in IIS is not synchronized with one of the following passwords:
 * The password for the user account in Active Directory
 * The password for the user account in Local Users and Groups

To synchronize the IIS password with the password that is used in Active Directory or in Local Users and Groups, follow these steps:
 * 1) Click Start, click Run, type cmd, and then click OK.
 * 2) Use the cd command to connect to the folder where the Adsutil.vbs file is located. By default, the Adsutil.vbs file is located in the following folder:

Note  is the folder where Windows is installed.
 * 3) At the command prompt, type Cscript adsutil.vbs get w3svc/anonymoususerpass, and then press ENTER. Note the password that is generated.

Note You may have to set the Issecure property in the Adsutil.vbs file to False before you generate a password. To do this, follow these steps:
   * a) In Notepad, open the Adsutil.vbs file.
   * b) On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
   * c) Change "IsSecureProperty = True" to "IsSecureProperty = False".
   * d) Save the changes, and then close Notepad.
 * 4) Click Start, click Run, type Dsa.msc, and then click OK.

Note If the Web server is a stand-alone server, type Lusrmgr.msc.
 * 5) Expand the domain that you want, and then click Users. If the Web server is a stand-alone server, click Users.
 * 6) Right-click the user account that you want, and then click Reset Password or Set Password.
 * 7) Type the password that you obtained in step 3 two times, and then click OK.

Note Subauthentication is the feature that enables IIS to control the password for the anonymous user. By default, after you upgrade from IIS 5.0 to IIS 6.0, IIS subauthentication is enabled. By default, subauthentication is not enabled on a clean installation of IIS 6.0.

Subauthentication enables IIS to authenticate the anonymous user without actually verifying the anonymous user password. Because anonymous access is provided to the content without authentication, the password is not required. Subauthentication enables IIS to use anonymous accounts without actually keeping valid user credentials in the metabase. When this setting is enabled, anonymous authentication works in IIS 5.0 compatibility mode. However, when the server is switched to IIS 6.0 Worker Process Isolation Mode, subauthentication is disabled because it requires a privileged process identity such as the Local System account. In this scenario, IIS 6.0 tries to log on by using the anonymous user credentials that are stored in the metabase. This behavior may cause a "401" error for the anonymous request if the user credentials that are stored in the metabase are not synchronized.

It may appear that switching into IIS 6.0 Worker Process Isolation Mode breaks anonymous authentication. This condition may occur when subauthentication is configured in IIS. To verify whether subauthentication is enabled in IIS, open the Metabase.xml file in Notepad, and then search for the AnonymousPasswordSync property. If the AnonymousPasswordSync property is in the Metabase.xml file, delete the property, or set the value to False.
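The Notepad search described above can miss a second occurrence of the property at another metabase path. The following added example (not part of the original article, and not Microsoft code) lists every node that sets AnonymousPasswordSync. It assumes the Metabase.xml layout in which properties are XML attributes on nodes that carry a Location attribute; the sample fragment, site IDs and account names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed Metabase.xml fragment; site IDs and account names are made up.
SAMPLE_METABASE = """\
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebService Location="/LM/W3SVC" AnonymousPasswordSync="TRUE"
                 AnonymousUserName="IUSR_WEB01" />
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AnonymousPasswordSync="FALSE" />
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AnonymousPasswordSync="true"
                    AnonymousUserName="IUSR_LEGACY" />
 </MBProperty>
</configuration>
"""

def find_password_sync(xml_text):
    """List (Location, value, AnonymousUserName) wherever the property is set."""
    found = []
    # Attributes are not namespaced, so the element tag and xmlns do not matter.
    for node in ET.fromstring(xml_text).iter():
        value = node.get("AnonymousPasswordSync")
        if value is not None:
            found.append((node.get("Location"), value.upper(),
                          node.get("AnonymousUserName")))
    return found

def needs_fix(xml_text):
    """Locations where subauthentication is still enabled (value TRUE)."""
    return [loc for loc, value, _ in find_password_sync(xml_text)
            if value == "TRUE"]

if __name__ == "__main__":
    for loc in needs_fix(SAMPLE_METABASE):
        print("AnonymousPasswordSync is TRUE at", loc)
```

Run it against a copy of the file rather than the live metabase, and make the change itself with the steps the article gives.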

Error 5

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 533

Description: Logon Failure:

Reason: User not allowed to logon at this computer

User Name:

Logon Type: 8

Logon Process: Advapi

Authentication Package: Negotiate

This error may occur if the domain user account that is used for anonymous access in IIS cannot log on to the IIS Web server. To verify that the user account that is used for anonymous access in IIS can log on to the IIS Web server, follow these steps:
 * 1) Click Start, click Run, type Dsa.msc, and then click OK.
 * 2) Expand the domain that you want, and then click Users.
 * 3) In the right pane, right-click the user account that is used for anonymous access, and then click Properties.
 * 4) On the Account tab, click Log On To.
 * 5) In the Logon Workstations window, click All Computers, and then click OK.

If the user account that is used for anonymous access is not a domain user account, follow these steps:
 * 1) Click Start, click Run, type Regedit, and then click OK.
 * 2) Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
 * 3) In the right pane, verify that the value for the crashonauditfail entry is 0 or 1. If the value for the crashonauditfail entry is 2, follow these steps:
   * a) In the right pane, click crashonauditfail.
   * b) On the Edit menu, click Modify.
 * 4) In the Value data box, type 0, and then click OK.
 * 5) Exit Registry Editor, and then restart the computer.
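The five failure audits above can be triaged in one pass over a text export of the Security log. This is an added example, not part of the original article: it counts events 529, 530, 532, 533 and 534 for the anonymous account and names the setting the article says to check for each. It assumes an export with one field per line, as in the event listings above; the sample records and account names are constructed.

```python
import re
from collections import Counter

# Event ID -> the setting the article says to check (wording condensed).
CHECKS = {
    "534": "Deny access to this computer from the network / Guests membership",
    "530": "Logon Hours on the account",
    "532": "Account Expires on the account",
    "529": "metabase password vs. account database; AnonymousPasswordSync",
    "533": "Log On To (domain account) or crashonauditfail (local account)",
}
FIELD = re.compile(r"^\s*(Event ID|User Name|Logon Type):[ \t]*(.*?)\s*$", re.M)

# Constructed sample export; IUSR_WEB01 and jsmith are made-up account names.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 529
User Name: IUSR_WEB01
Logon Type: 8
Event Type: Failure Audit
Event ID: 534
User Name: IUSR_WEB01
Logon Type: 8
Event Type: Failure Audit
Event ID: 529
User Name: jsmith
Logon Type: 3
Event Type: Failure Audit
Event ID: 529
User Name: iusr_web01
Logon Type: 8
Event Type: Failure Audit
Event ID: 530
User Name: IUSR_WEB01
"""

def triage(log_text, anon_account):
    """Return [(event_id, count, check)] for failure audits of anon_account."""
    hits = Counter()
    for record in re.split(r"(?m)^(?=Event Type:)", log_text):  # one record each
        f = dict(FIELD.findall(record))
        # The article's events show logon type 8; Error 2 lists none, so allow absence.
        if f.get("Event ID") not in CHECKS or f.get("Logon Type", "8") != "8":
            continue
        if f.get("User Name", "").lower() != anon_account.lower():
            continue  # another account, or no name recorded
        hits[f["Event ID"]] += 1
    return [(eid, n, CHECKS[eid]) for eid, n in hits.most_common()]
```

Calling `triage(SAMPLE, "IUSR_WEB01")` returns the most frequent failure first, which is usually the one to resolve first.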

<div class="references_section">