Microsoft KB Archive/889830

From BetaArchive Wiki

Article ID: 889830

Article Last Modified on 11/16/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Web Edition



Important This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

SYMPTOMS

You have a Microsoft Windows Server 2003-based computer that uses an application proxy to create a Microsoft COM+ object on a remote server. When you try to access a Web page that is hosted on this server, you may receive one of the following error messages:

Microsoft VBScript runtime error 800a0046 Permission denied: 'CreateObject' /VirtualDirectory/asppage.asp, line 2

ASP Error 0178 (80007005) Server.CreateObject failed while checking permissions

Note This behavior does not occur when the Web page is hosted on a Microsoft Windows 2000-based computer.

CAUSE

This issue occurs when the following conditions are true:

  • The anonymous access feature is enabled on the Windows Server 2003-based computer.
  • The anonymous access feature is configured to use the IUSR_ServerName user account.


Note ServerName is the name of the Windows Server 2003-based computer.


RESOLUTION

To resolve this issue, use one of the following methods.

Important We recommend that you use method 1.

Method 1: Configure the anonymous account as a local user account with matching passwords or as a domain account

Follow these steps:

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand Web Sites, right-click the Web site that you want, and then click Properties.
  3. Click the Directory Security tab, and then click Edit under Authentication and access control.
  4. Click to select the Enable anonymous access check box, click Browse, and then type the local user account name or the domain user account name and the user account password that you want.


Note The local user account name and the user account password must be the same on the Web server and on the COM+ server.

  5. Click OK three times, and then quit Internet Information Services (IIS) Manager.

Method 2: Change the LogonMethod IIS metabase setting

Change the LogonMethod IIS metabase setting so the Windows Server 2003 IIS service will behave the same as the Windows 2000-based IIS service.

Change the LogonMethod property for a specific Web site on the Windows Server 2003-based computer

To change the LogonMethod property for a specific Web site, follow these steps.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

  1. Determine the Web site ID. To do this, follow these steps:
    1. Click Start, click Run, type notepad, and then click OK.
    2. On the File menu, click Open.
    3. In the Files of type list, click All Files.
    4. Locate the following folder:

      %windir%\System32\Inetsrv

    5. Click MetaBase.xml, and then click Open.
    6. On the Edit menu, click Find.
    7. Type iiswebserver, and then click Find Next.
    8. In the IISWebServer element, locate the ServerComment attribute. The value of the ServerComment attribute is the name of your Web site. For example, the name of your Web site may be Default Web Site.

      Note To find additional Web sites, click Find Next until you find the Web site that you want.
    9. In the IISWebServer element, locate the Location attribute. For example, the Location attribute may appear as the following:

      /LM/W3SVC/1

      In this example, the Web site ID is 1.
  2. At a command prompt, open the Drive:\Inetpub\AdminScripts folder, type the following command, and then press ENTER:

    cscript adsutil.vbs set w3svc/WebSiteID/logonmethod 2

    Note WebSiteID is the Web site ID that you found in step 1, substep 9.

    The following response appears, indicating the new LogonMethod property value.

    logonmethod : (INTEGER) 2

  3. Close the command prompt, and then close Notepad.

Change the LogonMethod property for all Web sites on the Windows Server 2003-based computer

Follow these steps.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

  1. At a command prompt, open the Drive:\Inetpub\AdminScripts folder, type the following command, and then press ENTER:

    cscript.exe adsutil.vbs set w3svc/logonmethod 2

    The following response appears, indicating the new LogonMethod property value.

    logonmethod : (INTEGER) 2

  2. Close the command prompt.


MORE INFORMATION

This issue occurs because of a change in the default value of the LogonMethod metabase property in Windows Server 2003 (IIS 6.0). The LogonMethod property determines how IIS will pass the anonymous user account to a remote server. By default, Windows 2000 (IIS 5.0) uses the MD_LOGON_INTERACTIVE value for the LogonMethod property. Conversely, Windows Server 2003 uses a default value of MD_LOGON_NETWORK_CLEARTEXT for the LogonMethod property.

Windows Server 2003-based Web servers that enable anonymous access with the IUSR_ServerName account and then create a COM+ object on a remote server exhibit the following behavior:

  1. An active server page (.asp file) makes a request by using COM+ to an application proxy.
  2. The application proxy contacts the remote server for authentication.
  3. The identity that is used by the application proxy remains as ServerName\IUSR_ServerName.
  4. The ServerName\IUSR_ServerName account cannot be used, and the remote server denies access.

Windows 2000-based Web servers that enable anonymous access with the IUSR_ServerName account and then create a COM+ object on a remote server exhibit the following behavior:

  1. An .asp file makes a request by using COM+ to an application proxy.
  2. The application proxy contacts the remote server for authentication.
  3. The identity that is used by the application proxy is NT AUTHORITY\ANONYMOUS.
  4. The NT AUTHORITY\ANONYMOUS account maps to a local guest account. The local guest account can create the COM+ object on the remote server.

The following table illustrates the behavior for the LogonMethod property in Windows Server 2003:

Logon type              | LogonMethod property value     | Logon right that is required | Security ID (SID)              | Access token outgoing credentials
------------------------|--------------------------------|------------------------------|--------------------------------|----------------------------------
Network with clear text | 3 - MD_LOGON_NETWORK_CLEARTEXT | Network                      | NT AUTHORITY\NETWORK_CLEARTEXT | Yes
Network                 | 2 - MD_LOGON_NETWORK           | Network                      | NT AUTHORITY\NETWORK           | No
Batch                   | 1 - MD_LOGON_BATCH             | Batch                        | NT AUTHORITY\BATCH             | Yes
Interactive             | 0 - MD_LOGON_INTERACTIVE       | Interactive                  | NT AUTHORITY\INTERACTIVE       | Yes
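
The Notepad lookup in Method 2 and the table above can be combined into one offline audit of a copy of MetaBase.xml. The following Python sketch is an added example, not part of the original article or of any Microsoft tool. It lists each Web site ID with its effective LogonMethod value. It assumes that LogonMethod is stored as an integer attribute on the element; the sample XML is constructed and simplified.

```python
import xml.etree.ElementTree as ET

# Constructed sample: simplified MetaBase.xml fragment, not from a real server.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC" LogonMethod="3"/>
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
    <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet" LogonMethod="2"/>
  </MBProperty>
</configuration>"""

# Value -> (constant, token carries outgoing credentials), from the article's table.
LOGON_METHODS = {0: ("MD_LOGON_INTERACTIVE", True), 1: ("MD_LOGON_BATCH", True),
                 2: ("MD_LOGON_NETWORK", False), 3: ("MD_LOGON_NETWORK_CLEARTEXT", True)}
DEFAULT_LOGON_METHOD = 3  # Windows Server 2003 default, per the article

def audit_logon_methods(metabase_xml):
    """Return one dict per Web site with its ID, name and effective LogonMethod."""
    service_value, sites = None, []
    for elem in ET.fromstring(metabase_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()        # drop namespace, ignore case
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        location = attrs.get("location", "").upper().rstrip("/")
        if tag == "iiswebservice" and location == "/LM/W3SVC":
            service_value = attrs.get("logonmethod")     # service-wide setting
        elif tag == "iiswebserver" and location.startswith("/LM/W3SVC/"):
            sites.append((location.rsplit("/", 1)[-1], attrs))
    report = []
    for site_id, attrs in sites:
        # A site-level value overrides the service-level one; else use the default.
        value = int(attrs.get("logonmethod") or service_value or DEFAULT_LOGON_METHOD)
        constant, outgoing = LOGON_METHODS.get(value, ("UNKNOWN", None))
        report.append({"site_id": site_id, "name": attrs.get("servercomment", ""),
                       "logon_method": value, "constant": constant,
                       "inherited": "logonmethod" not in attrs,
                       "outgoing_credentials": outgoing})
    return report

if __name__ == "__main__":
    for row in audit_logon_methods(SAMPLE_METABASE):
        print(row)
```

The sketch checks only the service and site levels. A value set on a key below a site would not appear in this report.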


REFERENCES

For more information about the LogonMethod property, search for "LogonMethod" in Internet Information Services (IIS) Manager Help.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

207671 How to access network files from IIS applications


Keywords: kbtshoot kbprb KB889830