Discussion:
WSUS on DC (IIS / IUSR problems)
(too old to reply)
Soren Schimkat
2006-01-27 11:40:08 UTC
Permalink
Hi Guys

I'm having a nasty problem - with actually just might be a IIS problem
rather than a WSUS problem, but I guess that some of you guys have seen
it to. Here's the setup:

Clean Win2003 SRV w/sp1
Promoted to domain controller
Installed WSUS

The problem is that I cannot reach http://server/. The error displayed
is this is "HTTP Error 401.1 - Unauthorized: Access is denied due to
invalid credentials" causing the following WSUS problem: SelfUpdate not
running.

It would seem that the problem has something to do with IUSR_SERVER not
beeing able to log on locally, even though this user should be allowed
to do so, acording to the default domain comtrollers policy.

I guess that the short version would be: How do I solve this problem. :-)

Regards Søren Schimkat
Lawrence Garvin (MVP)
2006-01-27 22:59:01 UTC
Permalink
Did you install IIS before, or after, you promoted the machine to a DC?

My guess is that you installed IIS /before/ promoting the machine, and
that's a no-no.

Uninstall WSUS, Uninstall IIS, Reinstall IIS, Reinstall WSUS. Voila! Problem
will be fixed.
Post by Soren Schimkat
Hi Guys
I'm having a nasty problem - with actually just might be a IIS problem
rather than a WSUS problem, but I guess that some of you guys have seen it
Clean Win2003 SRV w/sp1
Promoted to domain controller
Installed WSUS
The problem is that I cannot reach http://server/. The error displayed is
this is "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials" causing the following WSUS problem: SelfUpdate not running.
It would seem that the problem has something to do with IUSR_SERVER not
beeing able to log on locally, even though this user should be allowed to
do so, acording to the default domain comtrollers policy.
I guess that the short version would be: How do I solve this problem. :-)
Regards Søren Schimkat
Soren Schimkat
2006-01-30 08:43:21 UTC
Permalink
Post by Lawrence Garvin (MVP)
Did you install IIS before, or after, you promoted the machine to a DC?
My guess is that you installed IIS /before/ promoting the machine, and
that's a no-no.
I did promote the server before installing IIS / WSUS.
Post by Lawrence Garvin (MVP)
Uninstall WSUS, Uninstall IIS, Reinstall IIS, Reinstall WSUS. Voila! Problem
will be fixed.
I'm afraid not. I did as you proposed - but it didn't solve the problem,
as the only website that allows access is http://server/WSUSAdmin. The
default website is stil denying access. :-(

When trying to access the default website - this error occurs in the
eventviewer:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Date: 30-01-2006
Time: 09:26:58
User: NT AUTHORITY\SYSTEM
Computer: UDGAARD
Description:
Logon Failure:
Reason: User not allowed to logon at this computer
User Name: IUSR_UDGAARD
Domain: HUM-FAK
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: UDGAARD
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3800
Transited Services: -
Source Network Address: -
Source Port: -


.. which tells me that the IUSR_SERVER user is not allowed to logon
locally, which seems like an error since the default domains controllers
policy allows this user to logon. :-(

Any hints?

Regards Søren
Post by Lawrence Garvin (MVP)
Post by Soren Schimkat
Hi Guys
I'm having a nasty problem - with actually just might be a IIS problem
rather than a WSUS problem, but I guess that some of you guys have seen it
Clean Win2003 SRV w/sp1
Promoted to domain controller
Installed WSUS
The problem is that I cannot reach http://server/. The error displayed is
this is "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials" causing the following WSUS problem: SelfUpdate not running.
It would seem that the problem has something to do with IUSR_SERVER not
beeing able to log on locally, even though this user should be allowed to
do so, acording to the default domain comtrollers policy.
I guess that the short version would be: How do I solve this problem. :-)
Regards Søren Schimkat
Soren Schimkat
2006-01-30 09:50:30 UTC
Permalink
Something is wrong with the web user:

--------------------------------------------------------------------

C:\Inetpub\wwwroot>runas /user:hum-fak\IUSR_UDGAARD cmd
Enter the password for hum-fak\IUSR_UDGAARD:
Attempting to start cmd as user "hum-fak\IUSR_UDGAARD" ...

RUNAS ERROR: Unable to run - cmd 1327: Logon failure: user account
restriction. Possible reasons are blank passw ords not allowed, logon
hour restrictions, or a policy restriction has been enforced.

--------------------------------------------------------------------


This simple test shows that the web user is not allowed to logon (just
like the eventlog message did). Any hints on where to locate this error?

Regards Søren
Post by Soren Schimkat
Post by Lawrence Garvin (MVP)
Did you install IIS before, or after, you promoted the machine to a DC?
My guess is that you installed IIS /before/ promoting the machine, and
that's a no-no.
I did promote the server before installing IIS / WSUS.
Post by Lawrence Garvin (MVP)
Uninstall WSUS, Uninstall IIS, Reinstall IIS, Reinstall WSUS. Voila!
Problem will be fixed.
I'm afraid not. I did as you proposed - but it didn't solve the problem,
as the only website that allows access is http://server/WSUSAdmin. The
default website is stil denying access. :-(
When trying to access the default website - this error occurs in the
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Date: 30-01-2006
Time: 09:26:58
User: NT AUTHORITY\SYSTEM
Computer: UDGAARD
Reason: User not allowed to logon at this computer
User Name: IUSR_UDGAARD
Domain: HUM-FAK
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: UDGAARD
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3800
Transited Services: -
Source Network Address: -
Source Port: -
.. which tells me that the IUSR_SERVER user is not allowed to logon
locally, which seems like an error since the default domains controllers
policy allows this user to logon. :-(
Any hints?
Regards Søren
Post by Lawrence Garvin (MVP)
Post by Soren Schimkat
Hi Guys
I'm having a nasty problem - with actually just might be a IIS
problem rather than a WSUS problem, but I guess that some of you guys
Clean Win2003 SRV w/sp1
Promoted to domain controller
Installed WSUS
The problem is that I cannot reach http://server/. The error
displayed is this is "HTTP Error 401.1 - Unauthorized: Access is
denied due to invalid credentials" causing the following WSUS
problem: SelfUpdate not running.
It would seem that the problem has something to do with IUSR_SERVER
not beeing able to log on locally, even though this user should be
allowed to do so, acording to the default domain comtrollers policy.
I guess that the short version would be: How do I solve this problem. :-)
Regards Søren Schimkat
Soren Schimkat
2006-01-30 11:12:00 UTC
Permalink
The problem was that the IUSR user were not allowed to log on to any
computers. After adding the webserver in the acountsettings everything
works just fine.

Regards Søren
Post by Soren Schimkat
--------------------------------------------------------------------
C:\Inetpub\wwwroot>runas /user:hum-fak\IUSR_UDGAARD cmd
Attempting to start cmd as user "hum-fak\IUSR_UDGAARD" ...
RUNAS ERROR: Unable to run - cmd 1327: Logon failure: user account
restriction. Possible reasons are blank passw ords not allowed, logon
hour restrictions, or a policy restriction has been enforced.
--------------------------------------------------------------------
This simple test shows that the web user is not allowed to logon (just
like the eventlog message did). Any hints on where to locate this error?
Regards Søren
Post by Soren Schimkat
Post by Lawrence Garvin (MVP)
Did you install IIS before, or after, you promoted the machine to a DC?
My guess is that you installed IIS /before/ promoting the machine,
and that's a no-no.
I did promote the server before installing IIS / WSUS.
Post by Lawrence Garvin (MVP)
Uninstall WSUS, Uninstall IIS, Reinstall IIS, Reinstall WSUS. Voila!
Problem will be fixed.
I'm afraid not. I did as you proposed - but it didn't solve the
problem, as the only website that allows access is
http://server/WSUSAdmin. The default website is stil denying access. :-(
When trying to access the default website - this error occurs in the
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Date: 30-01-2006
Time: 09:26:58
User: NT AUTHORITY\SYSTEM
Computer: UDGAARD
Reason: User not allowed to logon at this computer
User Name: IUSR_UDGAARD
Domain: HUM-FAK
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: UDGAARD
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3800
Transited Services: -
Source Network Address: -
Source Port: -
.. which tells me that the IUSR_SERVER user is not allowed to logon
locally, which seems like an error since the default domains
controllers policy allows this user to logon. :-(
Any hints?
Regards Søren
Post by Lawrence Garvin (MVP)
Post by Soren Schimkat
Hi Guys
I'm having a nasty problem - with actually just might be a IIS
problem rather than a WSUS problem, but I guess that some of you
Clean Win2003 SRV w/sp1
Promoted to domain controller
Installed WSUS
The problem is that I cannot reach http://server/. The error
displayed is this is "HTTP Error 401.1 - Unauthorized: Access is
denied due to invalid credentials" causing the following WSUS
problem: SelfUpdate not running.
It would seem that the problem has something to do with IUSR_SERVER
not beeing able to log on locally, even though this user should be
allowed to do so, acording to the default domain comtrollers policy.
I guess that the short version would be: How do I solve this problem. :-)
Regards Søren Schimkat
Lawrence Garvin
2006-01-31 02:56:44 UTC
Permalink
Specifically which URLs are you attempting to access from Internet Explorer.

~/WSUSAdmin is the -only- WSUS content available from a browser.

btw.... http://server -is- the "Default Web Site"

DOMAIN\IUSR_SERVER should be a member of the Domain Users group when IIS is
running on a DC. Domain Users should have 'log on locally' as a right. If
you took the right away from the group, you'll need to restore it to the
account.

But, of course, this may also be a direct reflection of the URL you are
attempting to access.
Post by Soren Schimkat
Post by Lawrence Garvin (MVP)
Did you install IIS before, or after, you promoted the machine to a DC?
My guess is that you installed IIS /before/ promoting the machine, and
that's a no-no.
I did promote the server before installing IIS / WSUS.
Post by Lawrence Garvin (MVP)
Uninstall WSUS, Uninstall IIS, Reinstall IIS, Reinstall WSUS. Voila!
Problem will be fixed.
I'm afraid not. I did as you proposed - but it didn't solve the problem,
as the only website that allows access is http://server/WSUSAdmin. The
default website is stil denying access. :-(
When trying to access the default website - this error occurs in the
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Date: 30-01-2006
Time: 09:26:58
User: NT AUTHORITY\SYSTEM
Computer: UDGAARD
Reason: User not allowed to logon at this computer
User Name: IUSR_UDGAARD
Domain: HUM-FAK
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: UDGAARD
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3800
Transited Services: -
Source Network Address: -
Source Port: -
.. which tells me that the IUSR_SERVER user is not allowed to logon
locally, which seems like an error since the default domains controllers
policy allows this user to logon. :-(
Any hints?
Regards Søren
Post by Lawrence Garvin (MVP)
Post by Soren Schimkat
Hi Guys
I'm having a nasty problem - with actually just might be a IIS problem
rather than a WSUS problem, but I guess that some of you guys have seen
Clean Win2003 SRV w/sp1
Promoted to domain controller
Installed WSUS
The problem is that I cannot reach http://server/. The error displayed is
this is "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials" causing the following WSUS problem: SelfUpdate not running.
It would seem that the problem has something to do with IUSR_SERVER not
beeing able to log on locally, even though this user should be allowed to
do so, acording to the default domain comtrollers policy.
I guess that the short version would be: How do I solve this problem. :-)
Regards Søren Schimkat
shijobaby
2009-12-16 13:06:40 UTC
Permalink
If you have problems in iis \\

refer my article


http://sysisundefined.blogspot.com/2009/12/http-error-4011-unauthorized-access-is.htm

--
shijobab
-----------------------------------------------------------------------
shijobaby's Profile: http://forums.techarena.in/members/128429.ht
View this thread: http://forums.techarena.in/server-update-service/449129.ht

http://forums.techarena.i

Loading...