Exchange Server Forums
RE: Strange OWA FBA issue
RE: Strange OWA FBA issue - 17.Jan.2006 5:13:32 PM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

In regedit, does SYSTEM have at least Read permissions on the HKEY_CLASSES_ROOT\Scripting.Dictionary key?

RE: Strange OWA FBA issue - 17.Jan.2006 5:32:24 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Yup sure does... I also checked asp.dll and that also has read/execute permissions for SYSTEM. Guess what, now that basic auth thing isn't working, with test ASP page I get that same script error. I haven't changed anything else since you suggested that. Man this is really starting to piss me off...

EDIT: I reread your last post and you mentioned a different reg key, I didn't catch that the first time. I double checked HKEY_CLASSES_ROOT\Scripting.Dictionary and SYSTEM only has "special permissions" set. I checked those and "Full control" is the current permission. I placed a check box in READ anyways. Do you think I should reboot to test that new permission? I don't think it'll do anything different because the special permission has full control set.
< Message edited by ksoliz -- 17.Jan.2006 5:40:27 PM >

RE: Strange OWA FBA issue - 17.Jan.2006 5:40:26 PM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

I think it would help if you got hold of regmon and filemon from sysinternals, and looked for any access denied on registry and file reads.

RE: Strange OWA FBA issue - 18.Jan.2006 12:45:35 AM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Well I have spent most of the day roaming the Internet for more info/answers to my issue with little success. I went ahead and tried both those programs you suggested and didn't come up with anything concrete. I never see any access denies or strange file reads. At this point I'm at a complete loss, I have absolutely no idea what else to do so I'll probably rebuild the server sometime this week.

I did find very similar posts on various sites that closely resembled my issue but always seemed to have an obvious answer in the end. I also tried syncing the IUSR account (IIS metabase and SAM database) but it didn't help. I know for sure now the issue has to do with the anonymous access permissions in IIS and ASP. Basically when ANY ASP script or script variable is called, the anonymous access user account (IUSR_machinename) doesn't have access.

RE: Strange OWA FBA issue - 18.Jan.2006 10:31:25 AM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

Does the Authenticated Users group have Read permissions on the registry key, and Execute permissions on the DLL?

RE: Strange OWA FBA issue - 18.Jan.2006 12:10:02 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Yes that group has read/execute permissions on asp.dll, the Scripting.Dictionary reg key, and scrrun.dll

RE: Strange OWA FBA issue - 18.Jan.2006 12:17:22 PM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

Have you read this:
http://www.aspfaq.com/show.asp?id=2134
We've already tried some of it, but the corrupted MDAC is something we've not looked at.

RE: Strange OWA FBA issue - 18.Jan.2006 1:09:41 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

I think we are on the money with it being a permissions issue... it just has to be. With that simple test you suggested earlier, I just know it's a permissions issue... If I simply remove anonymous access from any website and check basic auth and reset IIS, I can run just about any ASP that includes a Scripting.FileSystemObject. I just don't get where the hell the IUSR_SERVERNAME account is missing to allow it to run and execute those scripts.

As far as that link you referenced... I ran across that yesterday. I looked at the possibilities and I'm not sure any of them apply. All DLLs are registered, I'm not fat-fingering the ProgID (i.e. Scripting.FileSystemObject), I'm not missing any DLLs, the MDAC is the latest version and doesn't seem to be directly involved in anything I'm doing (no ODBC connections). I'm actually on a newer version not even listed on the MS download page for MDAC (MDAC 2.8SP2). I downloaded the component checker to verify my version.

The one thing that is still bugging me is I changed the IUSR password a while back early in the process. I think, but can't remember, if it's the first thing I did to try and fix the issue. I've read a lot about issues with the IIS Metabase and SAM database not being synced on the IUSR account. The documentation simply says to change the password in ADUC and then in the IIS snap-in to resync, I've done this countless times :) What I'm afraid has happened is we might have fixed the original problem and by me changing that password early on there is now some lingering permission issue
< Message edited by ksoliz -- 18.Jan.2006 1:22:49 PM >

RE: Strange OWA FBA issue - 18.Jan.2006 1:34:46 PM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

You could try specifying a different account for Anonymous Access. I don't think you're meant to manually change the IUSR_machine account password. There used to be a setting in IIS to keep it synchronized, but I can't find it anywhere in IIS6.

RE: Strange OWA FBA issue - 18.Jan.2006 7:44:52 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Yeah I think you're right, it's not a good idea to mess with the IUSR_machine account password.

So more stuff I figured out... I was able to successfully sync the IUSR and WAM machine accounts. You basically have to set the actual password in two places, UI IIS snap-in under the properties for "Web sites" folder (directory security tab). Then in the ADUC snap-in, right click each IUSR and WAM then reset password, setting it to the exact same thing you set in the IIS snap-in. After all this, anonymous access to run scripts still isn't working, but at least your IIS Metabase and SAM passwords for IUSR are sync'ed.

So like you suggested, I thought as a test, just to prove to myself once and for all this is actually an authentication problem with the IUSR account, let's see what happens if I put in my account (domain admin) for the anonymous access in IIS. I figured if any account will work it will be this one, it has read/write/execute to just about everything on the server. So I set it up on the websites and sure enough, all ASP scripts work, even FBA for OWA. I quickly remove the account and revert back to the IUSR account and we're back to my problem.

So the question now is... if I create another account similar to the IUSR account and use that as my new anonymous account, how can I assign it and make sure it has the exact same permissions (SYSTEM and NTFS) a default working IUSR account has?
< Message edited by ksoliz -- 18.Jan.2006 7:46:10 PM >

RE: Strange OWA FBA issue - 18.Jan.2006 8:17:18 PM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

The IUSR account is created by the IIS setup, so it's hard to say what permissions it is given. Do you have another IIS server available? You could compare the two. Groups, rights, etc.

RE: Strange OWA FBA issue - 18.Jan.2006 8:26:07 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Yeah that's what I was doing... :-) I'm not sure I'll be able to get all the details I need... so far my new account on my Exchange server looks exactly the same to me as another IUSR account on another working web server I have. Basically the account belongs to the same groups (Domain Users and Guests). There isn't much more I can check via the snap-ins. You know of any utilities/scripts to dump all permissions for a user so I can better compare the two?
< Message edited by ksoliz -- 18.Jan.2006 8:38:21 PM >

RE: Strange OWA FBA issue - 18.Jan.2006 8:29:59 PM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

Fraid not. Might be worth just creating an ordinary user, though, and see if that works. IUSR can't be much different to that.

RE: Strange OWA FBA issue - 18.Jan.2006 9:15:29 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

No go on the ordinary user... I created a normal user with default permissions and groups assigned (Domain users) and added that to one of the websites, did an iisreset and still no ASP script access. I think we both know exactly where the issue is, just a matter of finding whatever minimal permissions are required for those scripts to be executed. I'll eventually get it :) Thanks again for all your help with this, I really appreciate it.

RE: Strange OWA FBA issue - 18.Jan.2006 9:17:04 PM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

Okay. Please come back and let us know if you fix it.

RE: Strange OWA FBA issue - 19.Jan.2006 10:55:40 PM
tcaud
Posts: 120
Joined: 17.Sep.2004
From: Alabama
Status: offline

If you haven't already rebuilt the server, you may need to take a closer look at the Security policy that is applied on the server - don't forget that the Domain security policy overrides the local and one of these settings may be blocking the IUSR_machinename from accessing the site as needed. Default secpol assignments are here:
http://technet2.microsoft.com/WindowsServer/en/Library/f1727156-e480-4e05-b168-b764a6e13f881033.mspx?pf=true
Good luck!
_____________________________
Tony Caudill MCSE, MCSA
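
Added example, not part of any post in this thread: one way to compare the user-rights assignments discussed above between a working IIS server and the broken one is to export them on each with `secedit /export /areas USER_RIGHTS /cfg rights.inf` and diff the `[Privilege Rights]` sections. The sample exports, the machine names WEB01 and MAIL01, and the `<MACHINE>` placeholder are constructed for illustration.

```python
# Constructed sample exports (not from the thread). Real ones come from
#   secedit /export /areas USER_RIGHTS /cfg rights.inf
# and are normally UTF-16 on disk (open with encoding="utf-16").
WORKING = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,IUSR_WEB01
SeBatchLogonRight = *S-1-5-19,IUSR_WEB01,IWAM_WEB01
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""
BROKEN = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-19,IWAM_MAIL01
SeDenyNetworkLogonRight = Guest,IUSR_MAIL01
"""

def parse_rights(inf_text, machine):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            members = set()
            for p in filter(None, map(str.strip, value.split(","))):
                # IUSR_<machine>/IWAM_<machine> become one placeholder so
                # exports from two different servers can be compared.
                if p.upper().endswith("_" + machine.upper()):
                    p = p[: -len(machine)] + "<MACHINE>"
                members.add(p)
            rights[name.strip()] = members
    return rights

def diff_rights(good, bad):
    """Return {right: (only_in_good, only_in_bad)} for rights that differ."""
    out = {}
    for right in sorted(set(good) | set(bad)):
        g, b = good.get(right, set()), bad.get(right, set())
        if g != b:
            out[right] = (sorted(g - b), sorted(b - g))
    return out

if __name__ == "__main__":
    delta = diff_rights(parse_rights(WORKING, "WEB01"), parse_rights(BROKEN, "MAIL01"))
    for right, (missing, extra) in delta.items():
        print(f"{right}: only on working={missing} only on broken={extra}")
```

Any right listed in the output is one where the anonymous account is granted on one server but not the other, or appears in a deny list on only one of them.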
RE: Strange OWA FBA issue - 19.Jan.2006 11:19:01 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Hey thanks for replying, no I haven't rebuilt the server yet :) I really really don't want to, I'm gonna do my best to figure this out, I'll only rebuild as an absolute last resort. I have so much stuff on there that would just be a pain to reinstall, setup, and configure. I'll take a look at the article, I skimmed over it and it looks very promising. In all my searching for solutions I haven't come across this one yet. The only other KB/support article that came close was this one:
http://support.microsoft.com/?id=812614
I'll keep you guys posted...

RE: Strange OWA FBA issue - 20.Jan.2006 8:07:32 PM
ksoliz
Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Well guess what, I got it working!!! :) Woo hoo no server rebuild!!! Can you tell I'm excited?

Turns out we were right all along, it definitely was a permissions issue. I don't even know how and can't remember how I screwed up the security template for IIS6 in the first place! After searching and searching the Internet for days, in addition to posting here, Google Groups, and TechNet, I came across a forum about 5 pages deep on Google talking about a similar issue. The solution ended up being resetting the security template (to defaults) on the server (default the security policy/Group policy). Long story short, here is the command that fixed the problem...

Use the Secedit.exe utility to reset the default template, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type...
   secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
3. Verify your syntax and hit Enter. You'll see the script start up and give you status on the % of completion. After that you will see the script finish and reference a place to check for some errors (secedit.log), ignore these for now.
4. Now at the command prompt type...
   gpupdate /force
5. Verify syntax, hit Enter; when the prompt comes back saying setting successfully applied, reboot your server. If your server comes back error/trouble free, ignore those errors referenced in step 3.

Basically what this does is reset the security template for the entire server. While this KB doesn't reference my exact issue, the info provided in the article was obviously very helpful.
http://support.microsoft.com/default.aspx?scid=kb;en-us;903071

Drawn out details....

So last night before I found the secedit solution, using the last two KB articles in the thread (before the one referenced here) I went through resetting all the permissions for the IUSR/WAM machine accounts as well as Local system and Network Service account. I attempted to edit the Domain controller security policy, a bunch of registry keys, and finally all the NTFS permissions associated with the accounts just mentioned. Well I must have really screwed something up because when I rebooted the server all hell broke loose. Half the services wouldn't start, the server couldn't see AD, Exchange, IIS, COM+, nothing would start. I kept seeing this event ID 10016 in the event viewer, event details...

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 1/19/2006
Time: 10:12:49 PM
User: NT AUTHORITY\SYSTEM
Computer: DABRAIN
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {9DA0E103-86CE-11D1-8699-00C04FB98036} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This event eventually led to the solution in this post. As you can see I obviously messed some permission up even further with my tinkering on the original problem.

Hopefully this long thread will prove useful to anyone else with similar issues. Thanks again esp. to leederbyshire for the help along the way and sticking with me :) I'll tell you, it's great to have folks and a community around like msexchange.org to help with issues like this.

Regards, Kevin
< Message edited by ksoliz -- 21.Jan.2006 12:58:38 AM >
_____________________________
Kevin Soliz
RE: Strange OWA FBA issue - 21.Jan.2006 12:48:39 AM
leederbyshire
Posts: 974
Joined: 4.Jan.2006
Status: offline

Glad you got it fixed. But 'king hell! that must be the most useful cmd line I've seen in a long time. Reset the security template across the whole server? I'll be playing with that, I can tell you!
_____________________________
Lee.
Outlook Web Access for PDA and WAP: www.leederbyshire.com