Win2003 IIS6 server settings troubleshooting

Many people in the process of using IIS to build a website more or less problems, some of the IIS6 has appeared in the previous version, IIS6 is also a new discovery The problem of this article is a brief summary of the problems that have arisen in the construction of the station, I hope to be helpful to everyone.

Problem 1: Parent path not enabled

Symptom example:

Server.MapPath() Error 'ASP 0175 : 80004005'

Path not allowed Character

/0709/dqyllhsub/news/OpenDatabase.asp, line 4

The character '..' is not allowed in the Path parameter of MapPath.

Reason analysis:

Many web pages use statements such as ../format (ie return to the previous page, which is the parent path), while IIS6.0 For security reasons, this option is turned off by default.

Workaround:

In IIS Properties -> Home Directory -> Configuration -> Options. Put ” enable the parent path “ in front of the tick. Confirm the refresh.

Question 2: ASP's Web extension is not properly configured (also for ASP.NET, CGI)

Examples of symptoms:

HTTP Error 404 - File or directory not found.

Reason Analysis:

Added the option of web program extension in IIS6.0, where you can allow or prohibit programs such as ASP, ASP.NET, CGI, IDC, etc. By default, programs such as ASP are forbidden.

Solution:

Select Active Server Pages in the Web Services Extension in IIS and click "Allow”.

Question 3: Inappropriate authentication configuration

Examples of symptoms:

HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.

Cause Analysis: IIS supports the following web authentication methods:

Anonymous Authentication

IIS creates an IUSR_ computer name account (where the computer name is IIS running) The name of the server) used to authenticate anonymous users when they request web content. This account grants users local login privileges. You can reset anonymous user access to use any valid Windows account.

Basic identification?

Use basic authentication to restrict access to files on NTFS-formatted web servers. With basic authentication, the user must enter credentials and the access is based on the user ID. User IDs and passwords are sent in clear text between networks.

Windows Integrated Authentication

Windows Integrated Authentication is more secure than Basic Authentication and works well in intranet environments where users have Windows domain accounts. In integrated Windows authentication, the browser attempts to use the credentials that the current user used during the domain logon process, and if the attempt fails, the user is prompted for a username and password. If you use integrated Windows authentication, the user's password will not be transferred to the server. If the user logs in to the local computer as a domain user, he does not have to authenticate again when accessing the network computers in this domain.

Digest Authentication

Digest authentication overcomes many of the shortcomings of basic authentication. When using digest authentication, the password is not sent in clear text. Alternatively, you can use digest authentication with a proxy server. Digest authentication uses a challenge/response mechanism (a mechanism used by integrated Windows authentication) where passwords are sent in encrypted form.

.NET Passport Authentication

Microsoft .NET Passport is a user authentication service that allows single sign-in security to enable users to access .NET Passport-enabled Web sites And safer when serving. Sites with .NET Passport enabled rely on the .NET Passport central server to authenticate users. However, the hub server does not authorize or deny specific users access to individual .NET Passport-enabled sites.

Workaround:

Configure different authentications as needed (typically anonymous authentication, which is the authentication method used by most sites). Authentication options are configured under IIS Properties -> Security -> Authentication and Access Control.

Question 4: Improper IP restriction configuration

Examples of symptoms:

HTTP Error 403.6 - Forbidden: The client's IP address is rejected.

Cause Analysis:

IIS provides a mechanism for IP restrictions. You can configure to restrict certain IPs from accessing the site, or restrict only certain IPs to access the site, and if the client If the end is within the IP range that you are blocking, or if it is not within your allowable range, an error message will appear.

Solution:

Enter IIS Properties -> Security -> IP Address and Domain Name Restrictions. If you want to restrict access to certain IP addresses, you need to select authorized access, click Add to select the IP address that is not allowed. Otherwise, only certain IP addresses can be accessed.

Question 5: IUSR account is disabled

Examples of symptoms:

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

Cause Analysis:

Since the account used for anonymous access by the user is the IUSR_ machine name, if this account is disabled, the user will be inaccessible.

Solution:

Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups, enable the IUSR_ machine name account.

Question 6: Improper settings for NTFS permissions

Examples of symptoms:

HTTP Error 401.3 - Unauthorized: Access is denied due to ACL settings for the requested resource.

Cause Analysis:

The user of the web client belongs to the user group. Therefore, if the file has insufficient NTFS permissions (for example, no read permission), the page will be inaccessible.

Solution:

Enter the security tab of the folder, configure the permissions of the user, at least give read permissions. The NTFS permission settings are no longer described here.

Question 7: IWAM account is out of sync

Examples of symptoms:

HTTP 500 - Internal server error

Cause analysis:

IWAM The account is a built-in account automatically created by the system when IIS is installed. After the IWAM account is established, it is used by the Active Directory, IIS metabase database and COM+ application. The account password is saved by the three parties, and the operating system is responsible for the synchronization of the IWAM passwords saved by the three parties. The system's password synchronization work for IWAM accounts sometimes fails, resulting in inconsistent passwords for IWAM accounts.

Solution:

If AD exists, select Start -> Programs -> Administrative Tools -> Active Directory Users and Computers. Set a password for the IWAM account.

Run c:\\Inetpub\\AdminScripts>adsutil SET w3svc/WAMUserPass + Password Synchronize IIS metabase database password

Run cscript c:\\inetpub\\adminscripts\\synciwam.vbs -v Synchronize IWAM account at Password in COM+ application

Question 8: MIME setting problem causes some types of files to be undownloadable (in the case of ISO)

Examples of symptoms:

HTTP error 404 - The file or directory was not found.

Cause Analysis:

IIS 6.0 has removed support for certain MIME types, such as ISO, causing client download errors.

Workaround:

In IIS Properties -> HTTP Header -> MIME Type -> New. In the subsequent dialog, the extension is filled in with .ISO and the MIME type is application.

In addition, firewall blocking, ODBC configuration errors, Web server performance limitations, thread restrictions and other factors are also possible reasons for the IIS server can not be accessed, here is no longer one by one.