M100336: Basic Authentication Fails with IIS as Added Component

When IIS is added as a component to the OS rather than being included in the initial build, you are likely to experience problems with Basic Authentication failing to give users access.

There have been a series of problems with installations of IIS that have been added to the OS build after the initial OS installation.

The issues are as follows:

Do not accept any server intended to be a Web server if it was not built with IIS as part of the initial OS installation. Such a server will most likely cause a variety of security errors related to authentication when using Basic Authentication. Typically, a user who was not a domain administrator or a local administrator on the Web server but *was* a member of the MGS Reports Users Sec group could not be authenticated to access reports.

Administrators were given access, which often meant that the problem was not detected until the final testing stages. This issue is not related to the problem of domain servers refusing access to Authenticated Users. This issue will also occur on Member Servers.

The problem appears to be related to the file and registry entry permissions that IIS requires to be set up for different types of users. When the component is added later, it is not always able to read the appropriate files and registry keys to authenticate users.

The solution is to rebuild the entire server with IIS included from the start. This solution has a high impact rating and is not taken lightly by the customers. In addition, the problem is usually not detected until the latter stages of the implementation, so a large amount of work must be repeated.

How to validate this issue:

Create a new 'Virtual Directory' in IIS pointing to c:\InetPub\WWWRoot\. View the properties for this virtual directory, go to security, and set the authentication to Basic.

Note: When you open the Web page as a user with ordinary privileges, you will not be able to log on. The logon window will be displayed 3 times before an authentication failed message is shown.

This issue regularly occurs on customer sites, as most of them have server build instructions that do not include IIS and specifically describe turning the installation of IIS off. The issue seems to be just with Basic Authentication. Anonymous appears to be fine (though it has not been extensively tested) and Windows Authentication also appears to be fine. However, you cannot use Windows Authentication when the Web and database servers are on separate machines, as Microsoft cannot pass the authentication from one server to the other. Therefore, if you are going to provide any security you must use Basic.
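A scripted version of the validation above, added here as an example (it is not part of the original article or the product): it requests the Basic-authenticated virtual directory once as an administrator and once as an ordinary user, then compares the HTTP status codes. The function names and verdict strings are assumptions made for this example; the URL and accounts are supplied on the command line.

```python
import base64
import urllib.error
import urllib.request


def basic_auth_status(url, username, password, timeout=10):
    """Send one GET with a Basic Authorization header and return the HTTP status."""
    # Basic credentials are only base64-encoded: use test accounts, ideally over HTTPS.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    request = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is what gets compared.
        return err.code


def diagnose(admin_status, user_status):
    """Compare an administrator's result with an ordinary user's result."""
    if user_status != 401:
        return "not-reproduced"          # ordinary user passed authentication
    if admin_status == 401:
        return "both-rejected"           # check the passwords and that Basic is enabled
    return "matches-article-symptom"     # administrators get in, ordinary users do not


def check_server(url, admin, user):
    """admin and user are (username, password) tuples; returns (verdict, statuses)."""
    statuses = (basic_auth_status(url, *admin), basic_auth_status(url, *user))
    return diagnose(*statuses), statuses


if __name__ == "__main__":
    import getpass
    import sys

    # Usage: script.py <url> <admin account> <ordinary account>  (all site-specific)
    url, admin_name, user_name = sys.argv[1:4]
    admin = (admin_name, getpass.getpass(f"Password for {admin_name}: "))
    user = (user_name, getpass.getpass(f"Password for {user_name}: "))
    verdict, (admin_status, user_status) = check_server(url, admin, user)
    print(f"admin={admin_status} user={user_status} -> {verdict}")
```

Only a 401 is treated as an authentication failure, so a 403 or 404 returned after a successful logon does not hide the symptom. Running the check with a non-administrator account early in the build catches the problem before the final testing stages.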
