Funky issue with IIS during one of my exercises
pogue
Member Posts: 213
I have a user that SHOULD have access to a web page, but cannot connect. The web page is configured for Integrated Windows Authentication..
Simple enough so far.
His UN/PW combo does not work, and after three tries, it kicks him to an error page, saying that the account cannot connect because of the IIS server configuration.
I check the the NTFS permissions on the folder and file the account is connecting to, and he is a member of a group that is explicitly denied full control. Cool.. I got this.
I take him out of the group. Still does not work.
I compare his group memberships to another user that can currently access the page. THis account has same memberships now.
I explicitly give him read access.. Still no workie.
I check the effective permissions..Says he has read/execute access on this file and folder..
I scratch my head a while.
I COPY his account. New account works fine.
HUH???
The way I see it, only an explicit deny on the folder or file will exhibit this symptom, but I already checked the effective permissions, and I checked to make sure there was no share permissions interfering.
I change the account password.. Works fine now. I change it back...Still works fine.
Am I missing something here? Or did the SID get jacked, and something in it got "fixed" when I reset the password?
I am so cornfused.
Russ
Simple enough so far.
His UN/PW combo does not work, and after three tries, it kicks him to an error page, saying that the account cannot connect because of the IIS server configuration.
I check the the NTFS permissions on the folder and file the account is connecting to, and he is a member of a group that is explicitly denied full control. Cool.. I got this.
I take him out of the group. Still does not work.
I compare his group memberships to another user that can currently access the page. THis account has same memberships now.
I explicitly give him read access.. Still no workie.
I check the effective permissions..Says he has read/execute access on this file and folder..
I scratch my head a while.
I COPY his account. New account works fine.
HUH???
The way I see it, only an explicit deny on the folder or file will exhibit this symptom, but I already checked the effective permissions, and I checked to make sure there was no share permissions interfering.
I change the account password.. Works fine now. I change it back...Still works fine.
Am I missing something here? Or did the SID get jacked, and something in it got "fixed" when I reset the password?
I am so cornfused.
Russ
Currently working on: CCNA:Security
Up next: CCNA:Voice
Up next: CCNA:Voice
Comments
-
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
Did his account get locked out by chance? I'm not sure if resetting his password would unlock it; maybe the lockout duration expired around the same time you did that. -
pogue
Member Posts: 213
Did his account get locked out by chance? I'm not sure if resetting his password would unlock it; maybe the lockout duration expired around the same time you did that.
Ayup..I think it was that..Thanks...
Uggghhh..I really am rusty.
RussCurrently working on: CCNA:Security
Up next: CCNA:Voice