 | | | RE: Access denied to local computer, even as ADMIN !! | RE: Access denied to local computer, even as ADMIN !! 2005-07-10 - By Ken Schaefer
You said "I just had this problem"
You appear to be having a problem accessing a web page.
Original poster is having a problem using the IIS Manager MMC Snapin to
manage their IIS server. How are these the same problem?
Additionally, as mentioned delegation doesn't have anything to do with
passing the identity to ASP.NET (as far as I can tell from the description of
your error). Delegation is there so that ServerA can get a service ticket on
behalf of user to access a service on ServerB, eg:
User1 ---> ServerA ----> ServerB
If User1 is accessing a webpage on ServerA, and the identity is not being
passed to ASP.NET /running/ on ServerA, then this does not involve
delegation.
Since original poster is trying to access the IIS Manager interactively,
there aren't two (or more) servers involved, and there is no need for a
service ticket to a remote machine. So, please be careful when recommending
that people change security settings on their machines, when the root cause
of the issue isn't known.
Cheers
Ken
: -----Original Message-----
: From: Tim Curtin [mailto:tjc_tek@(protected)]
: Sent: Saturday, 9 July 2005 12:32 AM
: To: aspnet-admin@(protected)
: Subject: [aspnet-admin] RE: Access denied to local computer, even as ADMIN
: !!
:
: Administrator logged on but could not access the page: Access Denied.
: In reading the stack trace, the framework could not '_ResolveIdentity'
: which
: told me the identity wasn't getting passed to ASP.Net which was either
: delegatation (which was turned on, but I threw it out there as a rabbit to
: chase for this thread) or something else. I pasted the error into Google
: and
: it ended up being a W2K SP4 bug that shuts down IWAM's impersonation
: priviledges.
:
: Not sure if it fixes this thread's issue, but I just threw it out there...
:
:
: >From: "Ken Schaefer" <Ken@(protected)>
: >Reply-To: aspnet-admin@(protected)
: >To: aspnet-admin@(protected)
: >Subject: [aspnet-admin] RE: Access denied to local computer, even as
: ADMIN
: >!!
: >Date: Fri, 8 Jul 2005 10:40:40 +1000
: >
: >"Trust this server for delegation" does not have anything, per se, to do
: >with
: >SeImpersonateUser privilege.
: >
: >Be careful about advising people to relax security settings on their
: >servers,
: >especially when we don't know the root cause of the issue at hand.
: >
: >Or are you saying that you logged onto your Windows 2000 DC, and
: attempted
: >to
: >use the IIS Manager and got the same Access Denied error message? If so,
: I
: >apologise, but I'm surprised by the relationship between these settings
: and
: >the issue at hand.
: >
: >Cheers
: >Ken
: >
: >--
: >www.adOpenStatic.com/cs/blogs/ken/
: >
: >: -----Original Message-----
: >: From: Tim Curtin [mailto:tjc_tek@(protected)]
: >: Sent: Friday, 8 July 2005 4:39 AM
: >: To: aspnet-admin@(protected)
: >: Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >ADMIN
: >: !!
: >:
: >: if you're using win2000 SP4 with Active Directory, I just had this
: >: problem.
: >: Also, make sure 'Trust this server for Delegation' is turned on in AD.
: >:
: >: SP4 removes IWAM impersonation priviledges.
: >:
: >: Here's the steps to correct:
: >: http://support.microsoft.com/kb/824308/EN-US/
: >:
: >: Tim
: >:
: >: >From: "Scott Forsyth" <scottnewsgroups@(protected)>
: >: >Reply-To: aspnet-admin@(protected)
: >: >To: aspnet-admin@(protected)
: >: >Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >: ADMIN
: >: >!!
: >: >Date: Thu, 7 Jul 2005 02:24:15 -0400
: >: >
: >: >>I realise that the metabase has it's own permissions, but does the
: >: >>metabase
: >: >>respect a user having the seTakeOwnership permission? (I noticed that
: >: keys
: >: >>within the metabase do have an owner property).
: >: >
: >: >I couldn't say for sure. The metabase inheritance and ownership
: >: functions
: >: >a bit different than NTFS does so I assume that it has it's own way of
: >: >doing things and doesn't rely on the NT rights / events / methods.
: >: >
: >: >
: >: >Scott Forsyth
: >: >Microsoft MVP - ASP/ASP.NET
: >: >ASPInsider Member - MCP
: >: >
: >: >http://www.orcsweb.com/
: >: >Powerful Web Hosting Solutions
: >: >#1 in Service and Support
: >: >
: >: >
: >: >----- Original Message ----- From: "Ken Schaefer"
: <Ken@(protected)>
: >: >To: <aspnet-admin@(protected)>
: >: >Sent: Tuesday, July 05, 2005 7:01 PM
: >: >Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >: ADMIN
: >: >!!
: >: >
: >: >
: >: >I realise that the metabase has it's own permissions, but does the
: >: metabase
: >: >respect a user having the seTakeOwnership permission? (I noticed that
: >: keys
: >: >within the metabase do have an owner property).
: >: >
: >: >Alternatively, running that script via a scheduled task (and using the
: >: >at.exe
: >: >command to schedule the task) would mean that the script could run as
: >: >LocalSystem (which presumably still has permissions to the metabase if
: >: IIS
: >: >is
: >: >running)
: >: >
: >: >Cheers
: >: >Ken
: >: >
: >: >--
: >: >www.adOpenStatic.com/cs/blogs/ken/
: >: >
: >: >: -----Original Message-----
: >: >: From: Scott Forsyth [mailto:scottnewsgroups@(protected)]
: >: >: Sent: Wednesday, 6 July 2005 12:29 AM
: >: >: To: aspnet-admin@(protected)
: >: >: Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >: >ADMIN
: >: >: !!
: >: >:
: >: >: > AFAIK, the metabase doesn't obey NT rights (such as SeTcbPrivilege
: >or
: >: >: SeTakeOwnershipPrivilege), but maybe it does.
: >: >:
: >: >: That's correct, the metabase has its own set of permissions that are
: >: >: stored
: >: >: in the metabase directly. If a setting is set on a particular node,
: >it
: >: >: will
: >: >: not inherit from the root.
: >: >:
: >: >: Metabase explorer is probably the best bet. A command line option
: is
: >: >: metaacl.vbs.
: >: >:
: >: >: Darren, what would have changed to cause this? It's pretty
: (actually
: >: >: 'really') uncommon for someone to be locked out like this. Did you
: or
: >: >: another administrator do something that would have changed these
: >: >settings?
: >: >:
: >: >:
: >: >: Scott Forsyth
: >: >: Microsoft MVP - ASP/ASP.NET
: >: >: ASPInsider Member - MCP
: >: >:
: >: >: http://www.orcsweb.com/
: >: >: Powerful Web Hosting Solutions
: >: >: #1 in Service and Support
: >: >:
: >: >:
: >: >: ----- Original Message -----
: >: >: From: "Ken Schaefer" <Ken@(protected)>
: >: >: To: <aspnet-admin@(protected)>
: >: >: Sent: Tuesday, July 05, 2005 9:29 AM
: >: >: Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >: >ADMIN
: >: >: !!
: >: >:
: >: >:
: >: >: AFAIK, the metabase doesn't obey NT rights (such as SeTcbPrivilege
: or
: >: >: SeTakeOwnershipPrivilege), but maybe it does.
: >: >:
: >: >: My suggestion: download Metabase Explorer (part of the IIS6.0
: Resource
: >: >: Kit,
: >: >: but it works with IIS5.1 as well) [1]. Right-click on the root-node
: >and
: >: >: choose "Permissions". If Administrators group is not listed, attempt
: >to
: >: >: add
: >: >: it. If you can't add it, go to the Owner tab, and seize ownership of
: >: the
: >: >: entire heirachy, then do the preceeding step.
: >: >:
: >: >: If the metabase permissions actually honour the NT rights, then
: ensure
: >: >: (via
: >: >: the Local Security Policy) that your Admin account has "Take
: Ownership
: >: >: Privileges) [2]
: >: >:
: >: >: Cheers
: >: >: Ken
: >: >:
: >: >: [1]
: >: >:
: >http://www.microsoft.com/downloads/details.aspx?FamilyIDVfc92ee-a71a-
: >: >: 4c73-b
: >: >: 628-ade629c89499&DisplayLang=en
: >: >: [2] Start -> Run -> secpol.msc -> User Rights Assignment node
: >: >:
: >: >: --
: >: >: www.adOpenStatic.com/cs/blogs/ken/
: >: >:
: >: >: : -----Original Message-----
: >: >: : From: Darren Logan [mailto:Darrenl@(protected)]
: >: >: : Sent: Tuesday, 5 July 2005 11:06 PM
: >: >: : To: aspnet-admin@(protected)
: >: >: : Subject: [aspnet-admin] RE: Access denied to local computer, even
: as
: >: >: ADMIN
: >: >: : !!
: >: >: :
: >: >: : Hi Ken,
: >: >: :
: >: >: : Thanks for this... BUT HOW?
: >: >: :
: >: >: : Vbr,
: >: >: : Darren
: >: >: :
: >: >: : -----Original Message-----
: >: >: : From: Ken Schaefer [mailto:Ken@(protected)]
: >: >: : Sent: 05 July 2005 14:03
: >: >: : To: aspnet-admin@(protected)
: >: >: : Subject: [aspnet-admin] RE: Access denied to local computer, even
: as
: >: >: : ADMIN !!
: >: >: :
: >: >: :
: >: >: : Even when you are an administrator, ACLs (Access Control Lists)
: can
: >: be
: >: >: : configured to deny access to administrators. It's just that, by
: >: >default,
: >: >: : administrators have access to most things. However, that doesn't
: >stop
: >: >: the
: >: >: : default ACLs being modified.
: >: >: :
: >: >: : As a general rule however, Administrators can take ownership of
: most
: >: >: : resources (which, in turn gives them permission to alter the ACLs,
: >: >given
: >: >: : them
: >: >: : access to the resource in question).
: >: >: :
: >: >: : It seems that the Administrator account doesn't have permissions
: to
: >: >keys
: >: >: : in
: >: >: : the IIS metabase. You may need to reset the permissions on those
: >: keys.
: >: >: :
: >: >: : Cheers
: >: >: : Ken
: >: >: :
: >: >: : --
: >: >: : www.adOpenStatic.com/cs/blogs/ken/
: >: >: :
: >: >: : : -----Original Message-----
: >: >: : : From: Darren Logan [mailto:Darrenl@(protected)]
: >: >: : : Sent: Tuesday, 5 July 2005 8:19 PM
: >: >: : : To: aspnet-admin@(protected)
: >: >: : : Subject: [aspnet-admin] Access denied to local computer, even as
: >: >ADMIN
: >: >: : !!
: >: >: : :
: >: >: : : Hi,
: >: >: : :
: >: >: : : I have a SBC running Windows XP Embedded with IIS5.1
: >: >: : :
: >: >: : : I log on as administrator, yet when i click to expand "Local
: >: >computer"
: >: >: : in
: >: >: : : internet information services, i get a message thus "You have
: been
: >: >: : denied
: >: >: : : access to this machine".
: >: >: : :
: >: >: : : Errmmmm, what's that all about?
: >: >: : :
: >: >: : : This is very frustrating.. do i need to re-install windows XPE
: do
: >: you
: >: >: : : think?
: >: >: : :
: >: >: : : How do i access user account settings to ensure access
: permissions
: >: >are
: >: >: : : setup correctly etc.?
: >: >: : :
: >: >: : :
: >: >: : : Best regards
: >: >: : : Darren Logan BSc(Hons)
: >: >: : : Development Engineer
: >: >: : : ________________________________________________________________
: >: >: : :
: >: >: : : MICHELL INSTRUMENTS LTD Tel: +44 (0)1223 434 854
: >: >: : : Nuffield Close Fax: +44 (0)1223 434 895
: >: >: : : Cambridge e-mail: darrenl@(protected)
: >: >: : : CB4 1SS, UK web: www.michell-instruments.com
: >: >: : :
: >: >: : : UKAS accredited: 0179 * BS EN ISO9001:2000 registered: Q6284 *
: >: >: : : Member BCAS * Investor in People
: >: >: : :
: >: >: : : --------------------------------- Dew point specialists
: >-----------
: >: -
: >: >: : : ---------------------
: >: >: : :
: >: >: : : This communication contains information which is confidential
: and
: >: may
: >: >: : also
: >: >: : : be privileged. It
: >: >: : : is for the exclusive use of the intended recipient(s). If you
: are
: >: not
: >: >: : the
: >: >: : : intended recipient(s),
: >: >: : : please note that any distribution, copying or use of this
: >: >: communication
: >: >: : or
: >: >: : : the information in
: >: >: : : it is strictly prohibited. If you have received this
: communication
: >: in
: >: >: : : error, please notify the
: >: >: : : sender immediately and then destroy any copies of it.
: >: >: : :
: >: >: : :
: >: >: : :
: >: >: : :
: >: >: : :
: >: >: : : Need SQL Advice? http://sqladvice.com
: >: >: : : Need RegEx Advice? http://regexadvice.com
: >: >: : : Need XML Advice? http://xmladvice.com
: >: >: :
: >: >: : Need SQL Advice? http://sqladvice.com
: >: >: : Need RegEx Advice? http://regexadvice.com
: >: >: : Need XML Advice? http://xmladvice.com
: >: >: :
: >: >: :
: >: >: : Need SQL Advice? http://sqladvice.com
: >: >: : Need RegEx Advice? http://regexadvice.com
: >: >: : Need XML Advice? http://xmladvice.com
: >: >:
: >: >: Need SQL Advice? http://sqladvice.com
: >: >: Need RegEx Advice? http://regexadvice.com
: >: >: Need XML Advice? http://xmladvice.com
: >: >:
: >: >:
: >: >:
: >: >: Need SQL Advice? http://sqladvice.com
: >: >: Need RegEx Advice? http://regexadvice.com
: >: >: Need XML Advice? http://xmladvice.com
: >: >
: >: >Need SQL Advice? http://sqladvice.com
: >: >Need RegEx Advice? http://regexadvice.com
: >: >Need XML Advice? http://xmladvice.com
: >: >
: >: >
: >: >
: >: >Need SQL Advice? http://sqladvice.com
: >: >Need RegEx Advice? http://regexadvice.com
: >: >Need XML Advice? http://xmladvice.com
: >:
: >:
: >:
: >:
: >: Need SQL Advice? http://sqladvice.com
: >: Need RegEx Advice? http://regexadvice.com
: >: Need XML Advice? http://xmladvice.com
: >
: >Need SQL Advice? http://sqladvice.com
: >Need RegEx Advice? http://regexadvice.com
: >Need XML Advice? http://xmladvice.com
:
:
:
:
: Need SQL Advice? http://sqladvice.com
: Need RegEx Advice? http://regexadvice.com
: Need XML Advice? http://xmladvice.com
Need SQL Advice? http://sqladvice.com
Need RegEx Advice? http://regexadvice.com
Need XML Advice? http://xmladvice.com
|
|
|
