June 5, 2009

The W3WP.exe process crashes when the Anonymous authentication is disabled on the IISADMPWD virtual directory

SYMPTOMS
When a user's password is expired, you can use the Anonymous user account to change the expired password through the achg.asp file even when the Anonymous authentication is disabled on the IISADMPWD virtual directory.In this situation, if the AnonymousUserName and the AnonymousUserPass metabese properties are inconsistent or the "denied access this computer from the network" policy is applied for the Anonymous user, the Anonymous user cannot log on the server and an access violation occurs. In addition, the W3WP.exe process crashes.

RESOLUTION
To avoid this effect, use one of the following methods:
Set correct AnonymousUserName and AnonymousUserPass metabese properties or disable the "denied access this computer from the network" policy for anonymous user.
Separate the Application pool for the IISADMPWD virtual directory. Note A user may receive the 403.18 error when the request is redirected to the IISADMPWD password change pages, and the password cannot be changed through IISADMPWD. However, the W3WP.exe process does not crash.Note These settings violate the Internet Information Services (IIS) requirements that are described in the following Microsoft Knowledge Base:
812614Â (http://kbalertz.com/Feedback.aspx?kbNumber=812614/ ) Default permissions and user rights for IIS 6.0

Steps to reproduce this problemTo reproduce the problem, follow these steps:
On the IISADMPWD virtual directory, set an incorrect password in the AnonymousUserPass metabase for the IUSR account, or apply the "denied access this computer from the network" policy for the IUSR account.
Create a new local or domain user and enable "change their password the next time that the user logs on." This means the user's password is expired.
Disable Anonymous authentication for IISADMPWD.
Enable Basic authentication or Integrated Windows authentication for IISADMPWD.
Create a new TEST virtual directory that is enabled Basic or Integrated Windows authentication. When you access the TEST virtual directory, you will be redirected to the aexp3.asp Web page because the password is expired. If you enter an old password and a new password, and then click OK, the dialog box for Basic authentication appears. If you enter the old password, you will experience the symptoms that are described in the "Symptoms" section.

No comments:

Post a Comment