How can I check the password of the IUSR and IWAM local accounts on a machine?

After a late night session doing some work on a new webserver, I found a really important blog post (windowsitpro.com) for IIS administrators. The blog post shows how to get the passwords of the IUSR and the IWAM local accounts from the metabase.

Normally the IUSR and IWAM passwords are set automatically and are unknown. But if you import the metabase on another machine, you have to change the passwords of these two users (IUSR_<local machine name> and IWAM_<local machine name>).

  • First you have to update the adsutil.vbs script (localdiskdrive:\Inetpub\AdminScripts). You have to replace every "IsSecureProperty = True" with "IsSecureProperty = False"; otherwise the command will not show the real password.
  • Now you can run the following commands to get the passwords of these users:

Get the IUSR password:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/anonymoususerpass

return:

anonymoususerpass : (STRING) "password"

Get the IWAM password:

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/wamuserpass

return:

wamuserpass : (STRING) "password"

  • You can also set the passwords for those accounts in the metabase:

Set the IUSR password:

C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/anonymoususerpass "password"

Set the IWAM password:

C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/wamuserpass "password"

  • After you change the passwords, you should sync the password from IIS with Microsoft Transaction Server (MTS) and Component Services with the following command:

Sync MTS:

C:\Inetpub\AdminScripts>cscript.exe synciwam.vbs -v

Thanks to John Savill
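If adsutil.vbs is left in the edited state, every later "get" keeps printing the real passwords, so it is worth confirming the script was restored once the accounts are fixed. The audit below is an added example, not code from the original post or from Microsoft; audit_adsutil, strip_comment and the two sample scripts are constructed for illustration, and it assumes the edit was applied as described above, leaving no "IsSecureProperty = True" assignment in the file.

```python
import re

# Assignment to the IsSecureProperty function result; VBScript ignores case.
ASSIGN = re.compile(r"\bIsSecureProperty\s*=\s*(True|False)\b", re.IGNORECASE)


def strip_comment(line):
    """Drop a VBScript comment: Rem at line start, or ' outside a string."""
    if re.match(r"\s*Rem\b", line, re.IGNORECASE):
        return ""
    in_string = False
    for index, char in enumerate(line):
        if char == '"':
            in_string = not in_string
        elif char == "'" and not in_string:
            return line[:index]
    return line


def audit_adsutil(script_text):
    """Report live IsSecureProperty assignments and whether masking is off."""
    true_lines, false_lines = [], []
    for number, line in enumerate(script_text.splitlines(), start=1):
        for match in ASSIGN.finditer(strip_comment(line)):
            target = true_lines if match.group(1).lower() == "true" else false_lines
            target.append(number)
    # After the edit described above, no assignment to True is left.
    unmasked = bool(false_lines) and not true_lines
    return {"true": true_lines, "false": false_lines, "unmasked": unmasked}


# Constructed samples modelled on the edit; not the real adsutil.vbs source.
STOCK = (
    "Function IsSecureProperty(ObjectParameter, MachineName)\r\n"
    "    If Attribute Then\r\n"
    "        IsSecureProperty = True\r\n"
    "    Else\r\n"
    "        IsSecureProperty = False\r\n"
    "    End If\r\n"
    "End Function\r\n"
)
EDITED = STOCK.replace(
    "IsSecureProperty = True",
    "IsSecureProperty = False ' was: IsSecureProperty = True",
)

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("edited", EDITED)):
        print(name, audit_adsutil(text))
```

To check a real server, pass the contents of its adsutil.vbs to audit_adsutil; if "unmasked" is true, restore the script from a known-good copy.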

Problem with NTLM Authentication with IE8 on Windows Server 2008

After I installed a SharePoint (WSS 3.0) test environment and created a new Site Collection, I tried to log on to the new Site Collection. But the login didn't work. After I spent some hours checking the whole configuration of IIS7 and AD on a Windows Server 2008, I finally found the problem and the solution here:

http://ppalakollu.blogspot.com/2009/04/ie-8-ntlm-authentication-on-windows.html

If you are using host headers to resolve the websites, then you might have seen the following issue with NTLM authenticated sites on IE 8. When you access the websites on a machine other than the one where it is hosted, you will be able to get to the sites.
Once you RDP onto the server and try to connect to the website, it will prompt for your Windows credentials and you will get an access denied message. This problem occurs because Windows includes a loopback check security feature that helps prevent reflection attacks on your computer (probably some kind of security change has been made in IE8 related to this feature). Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

Resolution: Disable the loopback check

  • Click Start, click Run, type regedit, and then click OK.
  • In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Right-click Lsa, point to New, and then click DWORD Value.
  • Type DisableLoopbackCheck, and then press ENTER.
  • Right-click DisableLoopbackCheck, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Quit Registry Editor, and then restart your computer.
  • I did not try the registry modification; I just installed Mozilla Firefox and it worked without any problems. I really hate to install software like this on a server, but I also hate to do registry "hacks" as well.