Microsoft KB Archive/941723

= Error message after you run the Validation Wizard on a computer that is running Web Components Server and Office Communications Server 2007: &quot;HTTP Response: 401 Unauthorized&quot; =

Article ID: 941723

Article Last Modified on 9/21/2007

-

APPLIES TO


 * Microsoft Office Communications Server 2007 Standard Edition
 * Microsoft Office Communications Server 2007 Enterprise Edition

-



SYMPTOMS
On a computer that is running Web Components Server and Microsoft Office Communications Server 2007, you run the Validation Wizard in the Communications Server 2007 Microsoft Management Console (MMC) snap-in. You run the Validation Wizard to check the connectivity on the server. After you run the Validation Wizard, the log shows that the Check Web Conferencing Server Virtual Directory Setting action fails. Additionally, the following error message is logged:

URL: https:// /Etc/place/null/slidefiles/blank.png

Received a failure HTTP response.: HTTP Response: 401 Unauthorized

Content-Length:1539

Content-Type:text/html

Server:Microsoft-IIS/6.0

WWW-Authenticate:Negotiate,NTLM

X-Powered-By:ASP.NET

Date:



CAUSE
This problem occurs because the Deny access to this computer from the network policy setting is applied to the Guests group.

Web Conferencing Server uses the Etc virtual directory that is configured in Internet Information Services (IIS). Web Conferencing Server requires that the Etc virtual directory has the anonymous access setting enabled. Additionally, the IUSR_ account is used for anonymous access. The IUSR_ account is a local Internet guest access account. By default, the IUSR_ account is a member of the Guests group. If the Deny access to this computer from the network policy setting is applied to the Guests group, remote Web requests to access the Etc virtual directory cannot use the IUSR_ account for anonymous access.



WORKAROUND
To work around this problem, use one of the following methods.

Note Use Method 2 if you do not want to change the Deny access to this computer from the network Group Policy for security reasons.

Method 1: Remove the Guests group and the Anonymous Logon account from the &quot;Deny access to this computer from the network&quot; policy setting
Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.
 * 1) Click Start, click Run, type gpedit.msc, and then click OK.
 * 2) In Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, click User Rights Assignment, and then double-click Deny access to this computer from the network.
 * 3) In the Deny access to this computer from the network Properties dialog box, click Guests, and then click Remove.
 * 4) Click Anonymous Logon, and then click Remove.
 * 5) Click OK to close Group Policy Object Editor.
 * 6) Restart the server.

Method 2: Remove the IUSR_ account from the Guests group and add the IUSR_ account to the local Users group

 * 1) Click Start, click Run, type lusrmgr.msc, and then click OK.
 * 2) In the Local Users and Groups window, click Users, and then double-click IUSR_ .
 * 3) In the IUSR_  Properties dialog box, click the Member Of tab.
 * 4) Under Member of, click Guests, and then click Remove.
 * 5) Click Add.
 * 6) In the Select Groups dialog box, type Users under Enter the object names to select, click Check Names, and then click OK.
 * 7) In the IUSR_  Properties dialog box, click OK.
 * 8) Close the Local Users and Groups window.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
Based on the &quot;Member Server Baseline Policy&quot; chapter of the Windows Server 2003 Security Guide, the Deny access to this computer from the network policy setting can be applied to the Anonymous Logon account and to the Guests group. The IUSR_ account is a member of the local Guests group. When the Deny access to this computer from the network policy setting is applied only to the Anonymous Logon account, the validation process for the Web Conferencing Server virtual directories does not fail. However, other issues may result from remote Web requests that access Web Conferencing Server virtual directories.

