Friday, January 12, 2007

Why IIS can lose configuration changes on server reboot

Question:

We are running IIS 6 on Windows 2003. Our public website is configured to to allow anonymous access using the default IUSR_ account.

Everything works just like it is supposed to until the server is rebooted. After a reboot, our public website challenges users to provide credentials. To fix this, we go into IIS Directory Security and re-enter the anonymous access account password to the same password that is in Active Directory. Then, everything works again.

What is going wrong that causes IIS to lose the anonymous password when the server reboots? Is there any way to fix this problem so that IIS will remember the password?

Answer:

By default, IIS remembers configuration changes, such as altering the anonymous user password, unless you terminate IIS before it persists that change to disk. IIS6 runtime configuration is hosted by the IISADMIN service inside the inetinfo.exe process.

So, the real question is whether something:

  1. Killed IISADMIN service on the reboot, before it persisted the change to disk
  2. Or changed the anonymous user password to an invalid value on the server restart.

To verify what is going awry:

  1. Enter the password such that anonymous access works on IIS
  2. Open the IIS Manager UI, Right click on the Computer Name, select "All Tasks", and choose "Save Configuration to Disk". This forces IIS to persist the password to disk.
  3. Go ahead and reboot the server as you normally do

If anonymous access works after the reboot, then your problem was that the reboot was killing IIS prior to it persisting the encryptped password to disk. You intentionally persisted the change to disk from within the UI, thus breaking the cycle.

If anonymous access still fails, then your problem is that something outside of IIS runs during the reboot/restart process with administrative privileges and changes AT LEAST the anonymous user password in IIS to an incorrect value. You will have to figure out the identity of that arbitrary something and correct it - it is running with Administrative privileges and may be doing other inappropriate things.

//David

4 comments:

Anonymous said...

Hi David,

I have an ASP page written with vbscript. This page was able to run a .exe on a Windows 2003 Server using the "run" method of "WScript.Shell".

Everything worked fine when I had IE6 installed on the server. This code stopped working when I installed IE7 on the server. I now get a "permission denied" error.

Have you run into this problem?

Anonymous said...

I found a workaround - use the exec method instead of the run method. IE7 installs a new vbscript engine version 5.7 - this may be the cause of the bug.

Anonymous said...

nice post.
-----------
dvdshop88
Lost DVD 1-6
Sex and the City DVD 1-6
Curb Your Enthusiasm DVD 1-7
Bones DVD 1-4
House MD DVD 1-6
Zumba DVD Boxset
Two and a Half Men DVD 1-7
Your Baby Can Read DVD
MI5 DVD 1-8
Walt Disney 172 Discs DVD
Grey's Anatomy Seasons DVD 1-6
One Tree Hill DVD 1-7
Desperate Housewives DVD 1-6
Doctor Who DVD 1-5

Unknown said...

The high quality Louis vuitton bags
We offer in our store, you can always find latest news of all lv , which are all designed by the experts and made by the top technology. Our store will make your dream come true. It is obvious that louis vuitton handbags is the best choice for everyone who wants to become a modern people and they hope to buy Louis vuitton bags which could make them look more charming and shining.