UltraJounin
Limp Gawd
Joined: Jun 25, 2004
Messages: 242
In our environment we use service accounts in AD with domain admin privileges to run specific 3rd-party, home-grown and MS apps.
Last week, via GPO, we implemented a policy on those service accounts to deny "log on locally" rights (RDP) to restrict our in-house developers from using those accounts as a means of having admin privileges. While there are other ways to do this, for our purposes this method was most efficient. Our domain consists of both Server 2000 and 2003.
Once permissions were pushed all was well except for one particular server running Server 2000/IIS 5. One of the accounts that W3SVC (IIS) uses to allow communication between the website and the image server was denied access, thus causing the service to fail:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 02/08/2007
Time: 15:15:53
User: N/A
Computer:
Description: The server was unable to logon the Windows NT account '#site_agent' due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. The data is the error code.
This error basically made the site inaccessible for the client.
We noticed that there was one small difference between this 2000/IIS 5 box and the others; what I'd like to know is why. The security settings for the Default Website in IIS had Integrated Authentication disabled, and we resolved the problem by enabling it. However, we generally leave it disabled, and that works fine on the other 2003/IIS 6 boxes (even after the GPO changes).
So what I am really after is an explanation of how 2000/IIS 5 uses the local logon privileges (RDP) in conjunction with enabling/disabling Integrated Authentication (NT challenge/response security, NTLM) to run a service like W3SVC?
Thanks in advance.
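Added diagnostic, not from the original post: the "requested logon type" in W3SVC event 100 is the logon type IIS uses for the anonymous (and basic-auth) account, which is stored per site in the metabase property LogonMethod (0 = Interactive, 1 = Batch, 2 = Network, 3 = Network cleartext). An interactive logon needs the "Log on locally" right, and a "Deny log on locally" entry overrides it, whereas Integrated Windows Authentication performs a network logon regardless of LogonMethod. The script below walks every W3SVC/<n>/Root node, reads LogonMethod, AuthFlags and AnonymousUserName, compares the anonymous account's SID against the exported SeDenyInteractiveLogonRight list, and flags sites that will fail the way the post describes. It assumes an elevated PowerShell on the IIS host, the IIS ADSI provider (native on IIS 5/6, "IIS 6 Metabase Compatibility" on later versions), and secedit.exe; the -Fix switch, the output layout and the direct-SID-only check are this example's own choices.

```powershell
# Added example (not from the original post). Find IIS 5/6 web sites whose
# anonymous account is logged on interactively while that account is on the
# "Deny log on locally" (SeDenyInteractiveLogonRight) list.
# Assumptions: elevated PowerShell on the IIS host, IIS ADSI provider present,
# secedit.exe available. -Fix is this example's own switch.
param(
    [switch]$Fix   # switch flagged sites to a network logon (LogonMethod = 2)
)

$ErrorActionPreference = 'Stop'

# --- 1. User rights as currently applied on this machine ---
# secedit exports the local security database; if a freshly applied domain
# GPO is not reflected yet, run gpupdate first or compare with gpresult /v.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    # e.g. SeDenyInteractiveLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf

function Get-AccountSid([string]$name) {
    (New-Object System.Security.Principal.NTAccount($name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Direct matches only: if the deny entry is a group the account belongs to,
# this returns $false and a separate group-membership lookup is needed.
function Test-Right([string]$right, [string]$sid) {
    $rights.ContainsKey($right) -and ($rights[$right] -contains $sid)
}

# --- 2. Walk the metabase: one W3SVC/<n>/Root node per site ---
$logonNames = @{ 0 = 'Interactive'; 1 = 'Batch'; 2 = 'Network'; 3 = 'NetworkCleartext' }
$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne 'IIsWebServer') { continue }
    $root   = [ADSI]"IIS://localhost/W3SVC/$($site.Name)/Root"
    $method = $root.Properties['LogonMethod'].Value
    if ($null -eq $method) { $method = 0 }      # not set: IIS 5.0 default is Interactive
    $anon   = [string]$root.Properties['AnonymousUserName'].Value
    $flags  = [int]$root.Properties['AuthFlags'].Value   # 1 anon, 2 basic, 4 NTLM/integrated

    $sid = $null
    try { $sid = Get-AccountSid $anon } catch { }
    $denied   = [bool]($sid -and (Test-Right 'SeDenyInteractiveLogonRight' $sid))
    $willFail = [bool](($flags -band 1) -and ([int]$method -eq 0) -and $denied)

    "{0,-4} {1,-30} LogonMethod={2,-16} anon={3,-25} deniedLocal={4} -> {5}" -f `
        $site.Name, $site.Properties['ServerComment'].Value, $logonNames[[int]$method],
        $anon, $denied, $(if ($willFail) { 'W3SVC event 100 expected' } else { 'ok' })

    if ($willFail -and $Fix) {
        # A network logon needs SeNetworkLogonRight ("Access this computer from
        # the network") instead of "Log on locally"; verify that right too.
        $root.Properties['LogonMethod'].Value = 2
        $root.SetInfo()
        "     -> LogonMethod set to Network for site $($site.Name)"
    }
}
```

Run it without -Fix first and read the table; a site showing LogonMethod=Interactive, an anonymous account on the deny list and "W3SVC event 100 expected" matches the symptom in the post. Setting LogonMethod to Network (2) is the change that lets the site keep anonymous access with Integrated Authentication still disabled, provided the service account retains "Access this computer from the network".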