Microsoft KB Archive/922730

= The account that is used for anonymous access may be unexpectedly locked out in IIS 6.0 or in IIS 5.0 =

Article ID: 922730

Article Last Modified on 11/30/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0
 * Microsoft Internet Information Services 5.0

-





SYMPTOMS
In Microsoft Internet Information Services (IIS) 6.0 or in Microsoft Internet Information Services (IIS) 5.0, the account that is used for anonymous access may be unexpectedly locked out. Additionally, one or more events that resemble the following may be logged in the Security log:

Event 1

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 539

Description:

Logon Failure:

Reason: Account locked out

User Name:

Domain:

Logon Type: 2

Logon Process: IIS

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Event 2

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 681

Description:

The logon to account:  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation:   failed. The error code was: 3221226036

Event 3

Event Type: Warning

Event Source: W3SVC

Event Category: None

Event ID: 100

Description:

The server was unable to logon the Windows NT account ' ' due to the following error: The referenced account is currently locked out and may not be logged on to

Notes
 * is a placeholder for the user name.
 * is a placeholder for the domain name.
 * is a placeholder for the computer name.
 * is a placeholder for the user account in the Active Directory directory service or in Local Users and Groups.



CAUSE
This issue may occur if one or more of the following conditions are true:  The Security log is full, and the following registry key is set to an incorrect value:

 The account that is used for anonymous access does not have the permissions that are required to access the Web site. The password for the account that is used for anonymous access in IIS is not synchronized with the password for the account in Active Directory or in Local Users and Groups. The account that is used for anonymous access has a different password in another IIS metabase property.



RESOLUTION
To resolve this issue, use one of the following methods.

Method 1: Verify the registry settings
Verify that the Security log is not full. Additionally, verify that the following registry key is set to the correct value:

For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

832981 Users cannot access Web sites when the security event log is full

Method 2: Verify the permissions
Verify that the account that is used for anonymous access has the permissions that are required to access the Web site. To do this, use version 1.0 of the Authentication and Access Control Diagnostics (AuthDiag) tool. For more information about the AuthDiag tool, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/iis/support/default.mspx

Method 3: Synchronize the passwords
Synchronize the password for the account that is used for anonymous access in IIS with the password for the account in Active Directory or in Local Users and Groups. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

909887 Error message when you try to view a Web site that is hosted on Internet Information Server 6.0 by using anonymous access: &quot;401.1 Unauthorized: Logon failed&quot;

Method 4: Verify that the password for the account is consistent in the IIS metabase
Verify that the account that is used for anonymous access does not exist with a different password in the IIS metabase. For example, the account that is used for anonymous access may be unexpectedly locked out if the following conditions are true:
 * The UNCUserName property uses the account that is used for anonymous access.
 * This account is configured to use a different password.

To verify that the password for the account is consistent in the IIS metabase, search the IIS metabase for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.

To search the IIS metabase, follow these steps:
 * 1) Click Start, click Run, type cmd, and then click OK.
 * 2) At the command prompt, use the CD command to change to the Inetpub\Adminscripts directory.
 * 3) At the command prompt, type Cscript Adsutil.vbs Enum_all > Metabase.txt, and then press ENTER.
 * 4) At the command prompt, type Exit, and then press ENTER.
 * 5) Open the Metabase.txt file, and then search for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.

Notes
 * You can open the IIS 6.0 Metabase.xml file in Notepad.
 * In IIS 6.0, you can use Metabase Explorer to view and to edit the IIS metabase. Metabase Explorer is available in the IIS 6.0 Resource Kit.
 * In IIS 5.0, you can use the MetaEdit tool to view and to edit the IIS metabase. However, the MetaEdit tool is not a supported tool.

Method 5: Create a new user account
Create a new user account. Then, configure IIS to use the new user account for anonymous access.

Note You must grant the new user account the required NTFS permissions and user rights.



MORE INFORMATION
For more information about how to troubleshoot account lockouts, visit the following Microsoft TechNet Web site:

http://technet2.microsoft.com/windowsserver/en/library/d7e66b86-7b31-45a8-b11f-449fe7e7c62e1033.mspx

For more information about how to grant the required NTFS permissions and user rights for an IIS 5.0 Web server, click the following article number to view the article in the Microsoft Knowledge Base:

271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server

For more information about the IIS Resource Kit, click the following article number to view the article in the Microsoft Knowledge Base:

840671 The IIS 6.0 Resource Kit Tools

For more information about the MetaEdit tool, click the following article number to view the article in the Microsoft Knowledge Base:

232068 How to download, install, and remove the IIS MetaEdit 2.2 utility

Keywords: kbtshoot kbprb KB922730

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.