共用方式為


HOWTO: Synchronize User Credentials in IIS

Question:

Hello,

I recently had to modify a domain administrator account on my system and as a result parts of my web site are no longer operational.  I keep getting a 401.1 error whenever my web pages attempt to execute a Perl script that dynamically builds web pages.  Regular HTML pages execute with no problem.

I've checked the error logs and the perl scripts POST entries show a "401 1 0 ".

I've re-installed PERL on the server and gave the language permissions to execute.  I've run the scripts manually at the DOS prompt, and they execute.

I believe that the domain account password is not synchronized the account in IIS.  Is there a way I can force the synchronization to occur?

Any help would be GREATLY appreciated.

Answer:

Ok, let me first get over the security shock of you configuring the domain administrator to be the anonymous user that ANY user account can wield to run Perl. You basically have a gun pointed to your head and you might as well pull the trigger now... ;-) but let's ignore that outrage for the moment and get back to your question...

Yes, it is likely that the cached username/password in IIS configuration is no longer in sync with reality. However, there is no way to "force" the synchronization to occur for two reasons:

  1. Your custom user account is not "owned" by IIS, so there is no way for IIS to just change its password.
  2. There is no way to recover the password given just a username. That would be a security vulnerability.

In other words, you should find the cached username/password in IIS configuration and hand-synchronize it yourself. There are a couple of ways to do this:

  1. cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs FIND AnonymousUserPass
  2. Within the IIS Manager UI, navigate to the "Websites" or "Global" node, right click properties and navigate to the security node to change the anonymous username/password. When you change this value and OK out of the dialog box, the UI will pop up another dialog box telling you all other nodes which have Anonymous username/password custom configured.

These methods all come back with a list of locations where the Anonymous User password is customized. All you need to do is check if the associated Anonymous user name is your Domain Administrator and if so, synchronize that password.

I suspect that your vdir containing the Perl scripts has a customized Anonymous user account (so they are affected), while the directory containing your HTML pages do not have such customizations.

i.e.

 C:\Inetpub\adminscripts>cscript adsutil.vbs FIND AnonymousUserName
Property AnonymousUserName found at:
  W3SVC
  W3SVC/1/Root

C:\Inetpub\adminscripts>cscript adsutil.vbs GET W3SVC/AnonymousUserName
AnonymousUserName               : (STRING) "IUSR_MACHINENAME"

C:\Inetpub\adminscripts>cscript adsutil.vbs GET W3SVC/1/Root/AnonymousUserName
AnonymousUserName               : (STRING) "Administrator"

C:\Inetpub\adminscripts>cscript adsutil.vbs SET W3SVC/1/Root/AnonymousUserPass NewPass

I found that AnonymousUserName was customized at two locations in my IIS configuration. The first one was not set to Administrator so I do not care about it; the second one was set to Administrator so I changed its password to synchronize with reality.

Script to Selectively Synchronize IIS User Accounts

Of course, all of this is scriptable with a little "glue" code since all the basic build blocks are already there. I have an example batch script at the end of this entry which does exactly that. You can copy it into a file named "SyncIISUser.bat" and call:

 SyncIISUser.bat Anonymous "Administrator" "New Password"

This command searches the local IIS configuration for all Anonymous user accounts named "Administrator" (the quotes are required, even for user names without spaces) and changes their cached password to "New Password" (the quotes are not considered part of the password).

The script currently has a safety-lock in that it ECHOs what it will do. You can inspect the output to see if it is OK and then copy/paste the commands yourself, or you can remove SET DEBUG=ECHO to have the script take action.

I always recommend backing up IIS configuration file prior to making such automated changes so that you can recover in the worst case scenario, and I cannot take any responsibility for whether the script works or not. It should work, but you should remember that all blog content is published "as-is with no warranties, and confers no rights." :-)

Enjoy.

//David

 @IF ?%_ECHO%?==?? ECHO OFF
SETLOCAL
SET CMD_ADSUTIL=CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs
SET DEBUG=ECHO

IF ?%1? EQU ?? GOTO :Help
IF ?%2? EQU ?? GOTO :Help

IF /I ?%1? EQU ?Anonymous? SET PROPERTY_TO_FIND=AnonymousUserName& SET PROPERTY_TO_CHANGE=AnonymousUserPass
IF /I ?%1? EQU ?WAM?       SET PROPERTY_TO_FIND=WAMUserName&       SET PROPERTY_TO_CHANGE=WAMUserPass
IF /I ?%1? EQU ?UNC?       SET PROPERTY_TO_FIND=UNCUserName&       SET PROPERTY_TO_CHANGE=UNCPassword

SET USERNAME_TO_MATCH=%2
SET NEW_PROPERTY_VALUE=%3

FOR /F "usebackq skip=1 tokens=*" %%I IN ( `%CMD_ADSUTIL% FIND %PROPERTY_TO_FIND%` ) DO (
    FOR /F "usebackq tokens=3,* delims= " %%J IN ( `%CMD_ADSUTIL% GET "%%I/%PROPERTY_TO_FIND%"` ) DO (
        IF /I ?%USERNAME_TO_MATCH%? EQU ?%%K? (
            %DEBUG% %CMD_ADSUTIL% SET "%%I/%PROPERTY_TO_CHANGE%" %NEW_PROPERTY_VALUE%
        )
    )
)

ENDLOCAL

GOTO :EOF



REM
REM Display syntax
REM
:Help
ECHO %~n0 {Anonymous^|WAM^|UNC} "UserName" [Password]
ECHO.
ECHO Find all [Anonymous^|WAM^|UNC] user accounts matching "UserName" in
ECHO IIS configuration and change its password to [Password]
ECHO.

Comments

  • Anonymous
    March 29, 2006
    Thanks a zillion for the instructions. I have been looking over two weeks for the solution to my anonymous login problem and finally I found it here. Great blog!

  • Anonymous
    April 30, 2006
    Question:
    Hi ,
    I have two web servers. One web server(w2k3Ent) and IIS 6.0 in a work group and One...

  • Anonymous
    May 08, 2006
    Thank you David.  This solution worked very well for me.  I appreciate the time you take to upload these solutions to your blog.

  • Anonymous
    August 08, 2006
    Just wanted to add my "Thank you!" along with everyone else. I spent an entire day trying to figure out why my C# sharp program was passing a blank value to AD for UserName. Then came across your articles on 401.1 errors and synching the annonymous user credentials. That did the trick!

  • Anonymous
    May 31, 2007
    Thanks for the article. It was very useful in recovering our IIS metabase. We used IIS Metabase Explorer to restore our IIS from old backups. But we couldn't run asp files, we got Server Application Error all the time. We realized that IIS Metabase Explorer exported the ex-username (IUSR_XXX) but with the installation of the operating system, the IUSR account name had been changed (let's say IUSR_YYYY). When we ran "cscript adsutil.vbs GET W3SVC/AnonymousUserName", we got IUSR_XXX. We changed the Identity of IIS Out of Process Com+ application to IUSR_XXX and tried to run asp files but nothing happened. Then  we changed the default IIS anonymous username to IUSR_YYYY and it worked. The following command saved our lives :) : cscript adsutil.vbs SET W3SVC/AnonymousUserName "IUSR_YYYY (here your IUSR account name comes)" That was not in your article and I wanted to share it with the readers of this article who may face the same problem. That solution was not written elsewhere.

  • Anonymous
    October 05, 2007
    The comment has been removed

  • Anonymous
    January 30, 2008
    The comment has been removed

  • Anonymous
    January 30, 2008
    Ray - it can cause an existing site to stop working, or it may cause it to keep working. I would caution that you do NOT change any of the other nodes that hav ecustom anoynmous username/passwords custom configured. UNLESS you know those nodes also use the same username/password. If you do not know, then do not select any of them in the followon popup. The logic should be clear - if you do not know what you are changing, don't change it. If you do know what you are changing to synchronize, then by all means change it. //David

  • Anonymous
    January 30, 2008
    William - For static files, if you selected Anonymous Authentication and the user account is synchronized in the metabase, then the remaining suspect is user permissions modified by Group Policy. Default settings work. If you have tweaked with them, then it may not work. //David

  • Anonymous
    October 30, 2008
    I am having problems with my non-domain servers that are trying to connect to my WSUS 3.0 server.  My servers that are in the domain work fine.  The ones that are having issues are getting 401.1 errors, even though Anonymous is enabled.  I think it could be an IUSR_Machine name password issue.  I have read this post and when I run the script I only have one entry for Anonymous, it's W3SVC.  When I get the user name it does not come back as "Administrator".  It come back with the IUSR_Machinename.  Should I still update the password or do I have another issue?

  • Anonymous
    October 30, 2008
    I found something that I think will help.  When a server is trying to use the IUSR_Machinename to logon Anonymous, the IUSR_Machinename is getting locked out.  Has to be password issue.  Please check my previous post.  Thanks!

  • Anonymous
    October 31, 2008
    The comment has been removed