Anonymous access is failing, 401 errors in IIS logs, and the IUSR account is locked out
search cancel

Anonymous access is failing, 401 errors in IIS logs, and the IUSR account is locked out

book

Article ID: 155008

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

  • Symantec Management Agents are unable to send basic inventory or update configuration due to HTTP 401 (Unauthorized) errors
     
  • All access attempts to web services which require anonymous access are failing with 401 errors
     
  • The IUSR_[machinename] user account is getting locked out

 

<event date='Sep 07 13:39:39' severity='2' hostName='WESS-CLIENT1' source='AeXNetworkTransport' module='AeXNetComms.dll' process='AeXNSAgent.exe' pid='1092' thread='1156' tickCount='1738468187' >
  <![CDATA[Post to 'http://[NSserverName]/Altiris/NS/Agent/GetClientPolicies.aspx' failed: HTTP error: 401 Unauthorized (-2147209951)]]>
</event>

 

Cause

This behavior occurs when the web service is not configured for Integrated Windows authentication (or access restrictions have been implemented at the ACL level), and there is an issue with the IUSR account or its password has been changed.

 

Resolution

  • Ensure that Integrated Windows authentication has been enabled for the web service in IIS if applicable
     
  • Ensure that ASP.NET, Authenticated Users, and Internet Guest Account all have Read permissions to the parent folder and containing files of the associated web service
     
  • If the above items appear to be in order, then there may be a problem with the Internet Guest Account. Steps may need to be performed to reconfigure and re-sycnhronize the IUSR  and IWAM accounts and their passwords

 

     To Reset IUSR password:

Steps from 3rd party website to resolve IUSR account issues:

1.  Open AD Users & Computers.  Expand the Users OU, right-click on the user account (iusr_servername/iwam_servername) and select 'Reset password'  to reset the password. Note: the password can't be blank.

2.  Open this User Account's properties and make sure that 'Password never expires' and 'User cannot change password' are selected.

3.  Open IIS from  Administrative Tools.

4.  Expand servername>Web Sites

5.  Right-click on 'Default Web Site' and select Properties.

6.  Go to the 'Directory Security' tab and click the Edit button under 'Authentication & Access Control'

7.  Enter the new password you just reset for the IUSR_servername account and click OK.

8.  Enter the password again to confirm and click OK.

9. Click OK.

10.  Open a command prompt and run IISRESET

11.  At the command prompt, enter the following commands:

1) cd

2) c:\inetpub\adminscripts adsutil SET w3svc/WAMUserPass “password”    (Where password = the password you entered for the IWAM_servername account in AD Users & Computers)   

3) c:\windows\system32\cscript.exe "c:\inetpub\adminscripts\synciwam.vbs" –v

4) IISRESET

 


Applies To

  • Symantec Management Platform  (any version)
  • Notification Server  (any version)