If you get this:
HTTP 401.1: DENIED BY INVALID USER CREDENTIALS:
This error code will have you focus on the credentials of the IUSR account. If you are receiving a 401.1, from a IIS perspective it means we have to go and look at IIS to make sure the IUSR username and password is correct for Anonymous access on all the IIS vDir's.
Occasionally the IIS guest account (IUSR_ account) has it's password out of sync between the IIS Metabase, Active Directory OR SAM (depending if the IUSR account is a local or domain account) and the credentials entered as the Anonymous user and password for the WSUS Virtual Directories in IIS. We need to make sure that the correct user account and credentials are used at 2 places:
In Active Directory or Local Account.
In the IIS Metabase.
Ensure that the IUSR account is not locked. Sometimes a 401.1 error could be caused by a locked IUSR account.
Then query the IIS Metabase to establish what the existing IUSR password is:
Edit c:\Inetpub\AdminScripts\ADSutil.vbs
Search for the line that reads "IsSecureProperty = True" and change it to "IsSecureProperty = False". Save and close the file.
From command line run:
Cscript adsutil.vbs get w3svc\anonymoususerpass
This will return an output like this:
anonymoususerpass : (STRING) "ThisIsTheIUSRaccountPassword"
Take note of the password, INSIDE of the quotes. The quotes are not part of the password. For safety, copy it into notepad.
Go to either Active Directory (if a domain account is used for the IUSR account) or find the LOCAL ACCOUNT for IUSR. In most cases IUSR will be a local account. Reset the password for your IUSR account with the password we just pulled from the IIS Metabase.
No comments:
Post a Comment