Mmm.. not too sure. I would suggest you get filemon (sysinternals.com) and
trace the access error.
--
Regards,
Bernard Cheah
<a style='text-decoration: underline;' href="http://www.tryiis.com/" target="_blank">http://www.tryiis.com/</a>
<a style='text-decoration: underline;' href="http://support.microsoft.com/" target="_blank">http://support.microsoft.com/</a>
<a style='text-decoration: underline;' href="http://www.msmvps.com/bernard/" target="_blank">http://www.msmvps.com/bernard/</a>
"Tim Berk" <TimBerk.DeleteThis@discussions.microsoft.com> wrote in message
news:90E83201-5052-4DC4-AF46-A715350BEF71@microsoft.com...
> Hello all,
>
> I am having a problem with IIS 6 and ACL's. I have a webDAV folder setup
> with windows integrated and digest authentication. I am trying to tighten
> down the security so that only a few users can access this folder. I have
> 2
> user accounts which are able to access the folder with the correct level
> of
> permission. I have some other user accounts with the exact same
> permissions
> (I have checked and rechecked this repeatedly) and group membership and
> they
> are unable to access this folder. They recieve a "HTTP Error 401.3 -
> Unauthorized: Access is denied due to an ACL set on the requested
> resource",
> which is not the case. I can actually copy one of the working user
> accounts
> and it won't access the folder. THe content is hosted on a remote file
> server. I have the delegation of credentials set properly. I have enabled
> auditing on the file server where the folder resides and the audit log
> shows
> entries when the working user accounts are used, but nothing when one of
> the
> non-working user accounts is used. No success, no Failure, no anything, as
> if
> the request never made it to the file server. In the security log of the
> domain controller, both the "good_user" and the "bad_user" are recording
> successful account log on events, so it is not an authentication issue. In
> the web server log, all the requests are logged with some differences. A
> successful request looks something like this:
>
> 2005-03-17 00:28:42 xxx.xxx.xx.xxx GET /windyriver/ - 80 DOMAIN\good_user
> xxx.xxx.xx.xxx
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
> 200 0 0
>
> An unsucessful request looks something like this:
>
> 2005-03-17 02:06:15 xxx.xxx.xx.xxx GET /windyriver - 80 DOMAIN\bad_user
> xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 401
> 3 5
>
> THe difference seems to be the trailing slash '/' after the GET request,
> but
> I am not sure what to make of that. I have tried this from outside the
> firewall, inside from the LAN and from the console of the web server (by
> right-clicking the virtual directory and selecting "browse") and I get the
> same results every time. My question is why is the web server not using
> the
> entries from the ACL consistently? Why is there no entry for a failed
> request
> in the audit log of the file server? What am I missing here?
>
> Thanks in advance!
>
> tb<!-- ~MESSAGE_AFTER~ -->
FAQ
Profile
Private Messages
Log in
