Article ID: 922730
Article Last Modified on 11/30/2007
APPLIES TO
- Microsoft Internet Information Services 6.0
- Microsoft Internet Information Services 5.0
SYMPTOMS
In Microsoft Internet Information Services (IIS) 6.0 or in Microsoft Internet Information Services (IIS) 5.0, the account that is used for anonymous access may be unexpectedly locked out. Additionally, one or more events that resemble the following may be logged in the Security log:
Event 1
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Description:
Logon Failure:
Reason: Account locked out
User Name: username
Domain: domain
Logon Type: 2
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Event 2
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Description:
The logon to account: username by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: computername failed. The error code was: 3221226036
Event 3
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Description:
The server was unable to logon the Windows NT account 'useraccount' due to the following error: The referenced account is currently locked out and may not be logged on to
Notes
Usernameis a placeholder for the user name.Domainis a placeholder for the domain name.Computernameis a placeholder for the computer name.Useraccountis a placeholder for the user account in the Active Directory directory service or in Local Users and Groups.
CAUSE
This issue may occur if one or more of the following conditions are true:
- The Security log is full, and the following registry key is set to an incorrect value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail - The account that is used for anonymous access does not have the permissions that are required to access the Web site.
- The password for the account that is used for anonymous access in IIS is not synchronized with the password for the account in Active Directory or in Local Users and Groups.
- The account that is used for anonymous access has a different password in another IIS metabase property.
RESOLUTION
To resolve this issue, use one of the following methods.
Method 1: Verify the registry settings
Verify that the Security log is not full. Additionally, verify that the following registry key is set to the correct value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
832981 Users cannot access Web sites when the security event log is full
Method 2: Verify the permissions
Verify that the account that is used for anonymous access has the permissions that are required to access the Web site. To do this, use version 1.0 of the Authentication and Access Control Diagnostics (AuthDiag) tool. For more information about the AuthDiag tool, visit the following Microsoft Web site:
Method 3: Synchronize the passwords
Synchronize the password for the account that is used for anonymous access in IIS with the password for the account in Active Directory or in Local Users and Groups. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
909887 Error message when you try to view a Web site that is hosted on Internet Information Server 6.0 by using anonymous access: "401.1 Unauthorized: Logon failed"
Method 4: Verify that the password for the account is consistent in the IIS metabase
Verify that the account that is used for anonymous access does not exist with a different password in the IIS metabase. For example, the account that is used for anonymous access may be unexpectedly locked out if the following conditions are true:
- The UNCUserName property uses the account that is used for anonymous access.
- This account is configured to use a different password.
To verify that the password for the account is consistent in the IIS metabase, search the IIS metabase for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.
To search the IIS metabase, follow these steps:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, use the CD command to change to the Inetpub\Adminscripts directory.
- At the command prompt, type Cscript Adsutil.vbs Enum_all > Metabase.txt, and then press ENTER.
- At the command prompt, type Exit, and then press ENTER.
- Open the Metabase.txt file, and then search for all instances of the account that is used for anonymous access. Verify that all instances of this account have the same password as the password that is configured in IIS.
Notes
- You can open the IIS 6.0 Metabase.xml file in Notepad.
- In IIS 6.0, you can use Metabase Explorer to view and to edit the IIS metabase. Metabase Explorer is available in the IIS 6.0 Resource Kit.
- In IIS 5.0, you can use the MetaEdit tool to view and to edit the IIS metabase. However, the MetaEdit tool is not a supported tool.
Method 5: Create a new user account
Create a new user account. Then, configure IIS to use the new user account for anonymous access.
Note You must grant the new user account the required NTFS permissions and user rights.
MORE INFORMATION
For more information about how to troubleshoot account lockouts, visit the following Microsoft TechNet Web site:
http://technet2.microsoft.com/windowsserver/en/library/d7e66b86-7b31-45a8-b11f-449fe7e7c62e1033.mspx
For more information about how to grant the required NTFS permissions and user rights for an IIS 5.0 Web server, click the following article number to view the article in the Microsoft Knowledge Base:
271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server
For more information about the IIS Resource Kit, click the following article number to view the article in the Microsoft Knowledge Base:
840671 The IIS 6.0 Resource Kit Tools
For more information about the MetaEdit tool, click the following article number to view the article in the Microsoft Knowledge Base:
232068 How to download, install, and remove the IIS MetaEdit 2.2 utility
Keywords: kbtshoot kbprb KB922730
