Why you get Access Denied despite being an Administrator or enabled Anonymous Access in IIS
A couple of common misconceptions among users concerning IIS configuration and user privileges are that:
- If I am logged in as Administrator, everything should work and I should never see "Access Denied"
- If I enabled anonymous access in IIS, everything should work and I should never see "Access Denied"
Why are the above statements not true? They sure sound logical - after all, administrator should have full access to the system, right? And anonymous access is supposed to allow anyone access to the server, so it should never fail.
Administrator can be denied access
The fact of the matter is that while yes, Administrators have "full access" to the system and can change anything, Windows also treats Administrators just like any other user. This includes the ability to deny a user access to any ACL-protected resource, either explicitly or implicitly through the lack of an ACL.
So, it is perfectly possible to set a deny ACL or remove an allow ACL on a resource and prevent Administrators from initially accessing the resource. However, Administrators have a special power - the ability to CHANGE any ACL, including giving themselves access to something they were previously denied. Thus, while it is possible to have an Administrator see "Access Denied", it is not likely to last for long.
Regarding the identity of the user accessing the resource - when an Administrator makes a client-server connection like HTTP, the identity with which server-side code runs is completely unrelated to the identity that runs the browser making the HTTP request. It all depends on the authentication methods accepted by the web server as well as the user credentials negotiated between the web browser and web server.
In other words, the local Administrator can make a request in a web browser to run a CGI EXE on the web server, but the web server can use any identity to launch the CGI EXE server-side. The choice of identity can be influenced by authentication.
Anonymous does not allow access
As for enabling anonymous authentication in IIS - this merely tells IIS to automatically log in with a pre-configured user identity to execute the request, regardless of authentication attempted. There is no special Windows account that magically passes access checks and has access to everything.
In fact, the user identity used for anonymous access can be the target of allow/deny ACLs, just like any other Windows user, so it is still possible to see "Access Denied" when you have anonymous authentication enabled. You have to make sure that you have the correct user password AND the configured anonymous user identity actually has ACLs to the requested resource in order to allow anonymous authentication a chance to work. Otherwise, you still get 401 access denied and browsers will keep popping up the login dialog box no matter what you give (however, this is only one possible way to get into that state - there are others).
I hope this helps to demystify two common IIS misconceptions.
//David
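An added example (not part of the original post): a small Python parser for IIS W3C extended logs that tallies 401 responses by URL and substatus, so that a bad anonymous-account password (401.1) can be told apart from a missing ACL (401.3) before anything is changed. The log lines are constructed, the substatus meanings are the ones listed in the comments on this page, and it assumes the site logs the sc-substatus field.

```python
from collections import Counter

# Substatus meanings as listed in the comment thread on this page.
SUBSTATUS_401 = {
    "1": "incorrect username/password",
    "2": "incorrect authentication protocol",
    "3": "lack of ACL on resource",
    "4": "denied by ISAPI filter",
    "5": "denied by application",
}

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2005-06-14 10:00:01 GET /v3/home.asp - 192.0.2.10 200 0 0
2005-06-14 10:00:05 GET /arcletters/a.doc - 192.0.2.10 401 3 5
2005-06-14 10:00:09 GET /arcletters/a.doc - 192.0.2.11 401 3 5
2005-06-14 10:01:12 GET /reports/ - 192.0.2.12 401 2 2148074254
2005-06-14 10:01:13 GET /reports/ - 192.0.2.12 401 1 1326
2005-06-14 10:02:00 GET /reports/ alice 192.0.2.12 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field set and order are per-site settings
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def summarize_401(text):
    """Count 401 responses per (URL, substatus); None if substatus is not logged."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") != "401":
            continue
        if "sc-substatus" not in row:
            return None
        counts[(row.get("cs-uri-stem", "?"), row["sc-substatus"])] += 1
    return counts


def report(text):
    """Return one human-readable line per (URL, substatus) pair."""
    counts = summarize_401(text)
    if counts is None:
        return ["sc-substatus is not logged; enable it before changing ACLs or groups"]
    lines = []
    for (uri, sub), n in sorted(counts.items()):
        reason = SUBSTATUS_401.get(sub, "substatus not in the list on this page")
        lines.append(f"{uri}: 401.{sub} x{n} ({reason})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```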
Comments
Anonymous
June 12, 2005
I've added the account used for anonymous authentication to the administrators group and I still get the error.
THAT should have fixed it.
Anonymous
June 14, 2005
There are many types of "access denied":
401.1 - incorrect username/password
401.2 - incorrect authentication protocol
401.3 - lack ACL on resource
401.4 - denied by ISAPI Filter for some reason
401.5 - denied by application for some reason
Until you determine the type of "401 access denied", random changes will not help.
For example, adding anonymous user to the administrators group ASSUMES that the problem is 401.3 - that you are anonymous authenticated and that the anonymous user lacks ACL on the resource. However, if this is not the 401 error, or if administrators group is denied or lacks ACLs on the resource (as mentioned above), then you will STILL have access denied.
In other words, adding anonymous user to the administrators group makes very little sense. There is no sure-fire way to never see access-denied. You need to use the IIS log file to determine WHY you are getting access denied and then address that.
//David
Anonymous
August 08, 2005
I'm getting a 401.1 error. The weird thing is that everything was working just ducky last week. This server is intended for intranet use as well as distributing Crystal Reports via the crystal .net interface.
The only thing I can think of that's changed since Friday is the default name of the site. I'm going to check that one out, maybe permissions are still granted for the old name.
Anonymous
October 04, 2005
I am also getting an access denied. My error is 401.3. Does anyone have any idea of overcoming the problem?
Anonymous
November 14, 2005
Hello David,
I have played around with permissions but I still can't get our website to work without having to logon with a username / password.
Our test site required a username / password but our Default Website is working perfectly via a browser.
Default Website:
http://localhost/v3/home.asp -> no username / password required
Test Site:
http://test.ourdomain.com -> username / password required
Please help.
benc007@sbcglobal.net
Anonymous
November 14, 2005
Test Site:
http://test.ourdomain.com -> username / password required
It asks for a username / password but I can just click "Enter", it disappears and everything works. Please help.
benc007@sbcglobal.net
Anonymous
November 14, 2005
I have another server set up using anonymous access and both the Default Website http://localhost/v3/home.asp and the Test Site http://test.ourdomain.com work.
I think the problem is that this server has two IUSR_MACHINENAME accounts since I changed the MACHINENAME sometime ago. I removed and re-installed IIS, but the two IUSR_MACHINENAME accounts still exist. How can I fix this?
ie. IUSR_OLDMACHINENAME and IUSR_NEWMACHINE exist.
benc007@sbcglobal.net
Anonymous
February 09, 2006
thanks for the reminder and clarification around this; was exactly what I was looking for :-)
Anonymous
April 03, 2006
I am having a problem uploading a file to a server.....
It shows "405 HTTP verb used to access this page is not allowed".
Please help me to figure this....
Anonymous
April 18, 2006
It's another 10K entry!
//David
Anonymous
April 21, 2006
Sigh... security continues to befuddle users... because why would you change the Service User Account from...
Anonymous
April 27, 2006
It's good stuff, but no one seems to have had my problem... :-( I can't start my WWW service on this server with exchange to access OWA.
Anonymous
April 30, 2006
Question:
Hi ,
I have two web servers. One web server(w2k3Ent) and IIS 6.0 in a work group and One...
Anonymous
June 06, 2006
I am facing an issue with my IIS 6.0, when I click on browse through my IIS Manager console onto my Default Web Site, my IUSR account is also added to the list of my Administrators group and the password has been set for that. Also the option of Enable Anonymous Access is checked and so is the option of Integrated Windows Authentication.
Please help.
Anonymous
June 06, 2006
Forgot to mention that the error is same ACCESS DENIED :-(
Anonymous
July 01, 2006
Sigh... security is never black and white, is it? :-) 
Question:
Environment: IIS6.0 Windows 2003...
Anonymous
August 02, 2006
I'm working with Office server and Project 2007 (beta 2). I'm trying to access the PSI (Project web services).
When I'm trying to browse the site I get 401.3 but when I use IE I can see the site. Why?
Anonymous
August 02, 2006
omri - Since you have installed non-IIS software on top of IIS which can alter server behavior, the reason for any behavior is arbitrary and determined by server-modifications made by the Office server product.
My guess is that it is using customized forms authentication which IE will negotiate, but other HTTP clients/browsing will not do correctly after passing anonymous authentication - hence 401.3. But it is just a guess - one needs to know and debug the server configuration to figure out what is going on.
//David
Anonymous
August 10, 2006
I worked yesterday and opened two new projects. I turned off the computer in the night and today I can't open them because of:
HTTP/1.1 403 Access Forbidden
I tried to change all folder permissions.
Even if I try to make a new project in the C:\Inetpub\wwwroot folder it says Access Forbidden
I have IIS 5.1 and 6. It seems to run with 6 but the LogFiles say 5.1
Don't know what to do anymore... sitting here for hours!
Does anyone have the same problem?
Thx a lot,
Phil
Anonymous
August 30, 2006
Please remove the anonymous access and try again it works.
:]
Anonymous
September 04, 2006
I have anonymous access enabled for a web site in IIS. If I try to go to the web site, I get challenged for a user name and password. If I enter an administrator username and password for the server, it lets me in to the web site. If I cancel, I get a 401.3 error. When I check the log, the entry says that it rejected user serverName$ (where serverName is the name of my server). I added the IUSR_serverName account to the ACL for the directory, but apparently that is not the user accessing the directory. After reading all of these posts, it seems like I am close. Any ideas?
Anonymous
April 07, 2007
I have a similar problem on SBS Premium and Standard 2003 where all users were configured during the setup using the wizards etc. Inside my LAN I can access the OWA as the different users but from the net only the Administrator can get in. I tried with users set up as administrators but this does not work. Any help would be appreciated
Anonymous
July 17, 2007
I am having an odd situation that I hope someone can help with. I get a 401.3 error whenever I attempt to click on a link pointing to a .DOC file. If I point to an .HTM file in the same directory the file is displayed. Also the site is running over SSL. Anonymous access is enabled and using IUSR...
On one of my ASP.NET pages I have an ASP:Table that I populate at runtime with several pieces of information. One of the things that I add to the table is a Link control to link to a word document in a particular directory under my virtual directories root.
(physical directory structure)
C:
---->Deployments
--------->Clients
--------------->wwwroot
--------------------->images (directory containing the images for the site)
--------------------->arcletters (directory containing the .DOC files)
--------------------->bin (directory containing dlls, etc)
---------------------default.aspx
---------------------letters.aspx
bla bla bla....
Based on your previous suggestions I downloaded FileMon and saw that it is indeed the IUSR user that is being denied access to the arcletters directory. When I click on the link mentioned above I get a new window with the 401.3 error. If I run the same code from my local machine I get a prompt asking if I would like to save the document (which is the desired functionality). My question is, do you have any suggestions for me and is there a difference between opening a .DOC file and an .HTM file via a link? Also I forgot to mention that I have given IUSR full control of the arcletters directory with no improvement.
Thanks,
William
Anonymous
July 18, 2007
I have been fighting to get things set up for Interdev debugging on Windows XP SP2 with IIS and Front Page Extensions 2002 for DAYS to no avail. I am so frustrated and cannot for the life of me figure this out. I get prompted for username/password when I try to either launch Interdev's debugger or when I try to check server extensions from the IIS control panel. I have added full control permissions on all the folders to Everyone. When I try to check server extensions I am prompted for: enter the username and password for user "" on http://machinename When I try to run debugger in Interdev I am prompted similarly for a username and password for a user account with permissions to debug. My own user account has full permissions on all folders and is a member of Administrators. My user account does not have a password associated with it and never has. The http error I get is a 401.1
Anonymous
July 19, 2007
Hi, I am running Project Server 2003 with Win Server 2003. I am able to access the Project Server, but if I try to connect the client with the server with the same username and password it is giving an error of HTTP 401.1 - unauthorised access. What to do? I'm stuck with this problem for the last 2 days. Please help me. garima_chandra@rediffmail.com.
Anonymous
July 20, 2007
William - there is no difference to IIS between a DOC and HTM file. They are both static files served for download by default. You may be running 3rd party ISAPIs on the server that result in different behavior between different file extensions.
//David
Anonymous
July 20, 2007
Ed - by default, XP simply does not allow network login of user accounts with blank passwords. You may be hitting that in some fashion - no amount of giving ACLs to Everyone will help if Windows is not even allowing the user to login (401.1). You will have to configure XP to allow such logins of accounts with blank passwords, but I wouldn't do it in your case since you are running as administrator with no password.
//David
Anonymous
July 25, 2007
I have enabled Anonymous Access in IIS. But it's not even asking for any id password, rather it's directly showing access denied error. http://www.eorangecountyrealestate.com/ http://www.ilongbeachrealestate.com/ For both of these it says "You are not authorized to view this page". Can anyone help regarding this issue? p.biswas@yahoo.com
Anonymous
July 26, 2007
Prithwish - Enabling anonymous access in IIS does NOT mean you will not get Access Denied. Please start with the "401 Diagnosis Guide" link on the sidebar of this blog to start troubleshooting your misconfiguration.
//David
Anonymous
September 21, 2007
Dear All, I have win2k3 with IIS 6.0. Every morning I get 401.1 Error. The Directory security has been set to Anonymous Access. Once I give IISReset everything starts working again for a few hours and again it stops
Anonymous
January 03, 2008
I have Windows 2000 and every time I log in as an Administrator and try to install new hardware or anything, it says "You do not have sufficient security privileges to install or uninstall devices on this computer. Please contact your site administrator, or log off and log on again as an administrator and try again." Naturally, I have tried many times to no avail. I even made two other accounts allowing Admin. access and yet both of those also don't allow me to install new hardware. I don't seem to have any administrator access anymore but all the profiles are listed as having administrator access. Am I missing something? What is the problem here?
Anonymous
January 05, 2008
Nathan - your problem sounds like it is related to Group Security Policy in Windows and not IIS. There are security policies within Group Policy that prevent users from altering hardware configuration (to lock down against people plugging in USB memory sticks, for example), regardless if you are an "Administrator" or not. See the following: http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx I think you want to investigate in this direction.
//David
Anonymous
January 20, 2008
I have just bought a Laptop with Vista Business. When I first set it up I could view the sidebar; now when I log on I get a message saying the system administrator controls the sidebar and I cannot view or make changes to the sidebar.
Anonymous
January 28, 2008
THE GROUP POLICY SNAP IN WAS UNABLE TO SAVE YOUR CHANGES DUE TO THE FOLLOWING ERROR: ACCESS DENIED Can you help with this problem PAUL WIGG paulwigg@atcollege.eu
Anonymous
January 31, 2008
Hi..last day when I was logged in as administrator, I changed the C drive security settings to denied unknowingly :-(. Now I am getting all the time C drive as "Access denied"...I am unable to see any option to change the security settings now..please help me..thanks!
Anonymous
January 31, 2008
JG - take that hard drive out and put it in another machine where you have successful Administrator access, and reset ACLs there. Personally, I would not trust your ACLs on that drive to be secure after recovery, but that's another issue.
//David
Anonymous
February 05, 2008
Thanks a lot David for the reply. But I am having a laptop with VISTA as OS. I am less aware of the hardware stuff. I am planning to format the OS itself. Will that overcome this problem?..Please suggest me a proper way. Looking forward to your reply. Thanks!
Anonymous
March 13, 2008
I have been getting things from e-mails from a particular place and every time that I try to look at or read them I get a thing on my computer that says access denied.
Anonymous
March 17, 2008
Hi David, You're probably getting sick of postings on this thread, and I apologize for posting another. We have a Win2K3 server running IIS 6. One of the virtual directories has anonymous authentication set (all other authentication modes are disabled). The host anonymous account works on other applicable virtual directories on the server. Recently, some users at one site started getting prompts for a user ID and password when accessing the site in question. It is in their trusted/Intranet sites in IE settings and the authentication on the client is set to use the current credentials to authenticate. We have cleared their cache and cookies to see if it was being caught from previous security settings (default settings of anonymous and Windows authentication - the latter has been turned off). I have double checked the ACL list on the folder for the virtual directory and the anonymous account has read permissions to the folder. This has started since the removal of the Windows authentication on the virtual directory. It also doesn't do it all the time. It will work for a time, then all of a sudden prompts for a user ID and password. Any ideas? Thanks in advance.
Anonymous
November 16, 2008
Thanks for the info. However, if it is not too much trouble, could you also explain HOW I could change an ACL???
Anonymous
February 19, 2009
Sorry, but if I'm logged in as administrator I can change the owner and the objects' permissions to get effective access to all objects. I try to change the owner and the permissions to have full control of these objects and Windows returns "access is denied" at "Advanced Security Settings for [object]". What's happening with this system? When I was OpenVMS System Manager this situation was impossible! The System Manager was the Machine King.
Walter
Anonymous
March 02, 2009
Walter Ferrari Veras - if on Vista/WS08/Win7, then you have UAC active and need to elevate your action, which grants those permissions to your interactive user to use on that action. When non-elevated, the administrator cannot change ownership even if it is a privilege the user holds. This security system gives a good compromise to allow people to have access (under user permission) to all sensitive administrative privileges but NOT have them freely available by default for malware to attack the user. The outdated approach of OpenVMS where Administrator is machine king is still there if you turn off UAC, but that option is for the knowledgeable.
//David
Anonymous
March 02, 2009
Sir, my website is on GoDaddy with IIS6. I am getting an access denied error when I upload the images using back office. What is the problem? In the IIS settings only 3 privileges are there. First I have to enter the directory name and there are 3 options: Anonymous Access, Directory Browsing, ....... Please tell me what I should do to remove this error. It's too urgent, I am waiting for your reply
Anonymous
March 26, 2009
I do not want to be denied access when I need to continue working on my computer. I need to have access to all that I want to see.
Anonymous
March 26, 2009
open up whatever I need to see and use on my computer.
Anonymous
November 02, 2009
I have an intranet site that, for some reason, when first loading gets a 401.1 error. Hit refresh and it comes up just fine. This is more of a nuisance than anything else but I am just trying to figure out why it would only happen at first and then work. Thank you in advance.