Troubleshooting: Access Denied

"Access Denied" with a valid DAF user login and password
Troubleshooting this issue should be accomplished in two steps:
- Check IIS and DAF configuration for common issues
- Use the "Live Log" to understand what generates the "Access Denied"
1. Check NT, IIS and DAF configuration for common issues
IIS Settings:
- T1.1: "Basic Authentication" scheme MUST be ENABLED.
- T1.2: "Windows NT Challenge/response" scheme MUST be DISABLED.
- T1.3: "Allow Anonymous Access" MUST be ENABLED.
- T1.4: Is the filter (DAF35x.DLL) loaded?
DAF Settings:
DAF Database settings:
- T3.1: Is the DAF database loaded?
- T3.2: Is the DAF database mapped to the correct IP address?
- T3.3: For an ODBC source, is the correct table mapped to the correct IP address?
- T3.4: Is the DAF database registered?
- T3.5: Are the options "Concatenate to WEB user IP Addr" and/or "Concatenate to WEB user URL first directory" checked?
- T3.6: Is the DAF database searched for each HTTP authentication request?
DAF database content:
- T4.1: Is each DAF login UNIQUE per data source?
- T4.2: Does the mapped NT user have the "Log on locally" privilege?
DAF User definition:
- T5.1: Are your DAF user name and password valid?
- T5.2: Are the mapped NT user login and password valid?
- T5.3: Is the requested resource enabled regarding DAFAUTH.INI for a DAF Login?
- T5.4: Is the requested resource readable regarding NT Security?
IIS Settings:
- T1.1: "Basic Authentication" scheme MUST be ENABLED.
DAF works only with the Basic HTTP authentication scheme. If this scheme is not enabled, DAF cannot work.
If both authentication schemes (Basic and Windows NT Challenge/response) are enabled, DAF authentication will work with the Netscape browser but not with Internet Explorer: Netscape products do not handle the NTLM authentication scheme and therefore use Basic, whereas Internet Explorer chooses NTLM over Basic.
(With IIS 4.0, make sure that you do not override a correct global setting with a wrong site setting.)
- T1.2: "Windows NT Challenge/response" scheme MUST be DISABLED.
- T1.3: "Allow Anonymous Access" MUST be ENABLED.
Anonymous access must be enabled so that a DAF user with no mapped NT user can log in. In that case DAF replaces the login and password information with empty strings, so IIS sees the request as anonymous and serves it as the default IIS user (IUSR_XXXX).
(With IIS 4.0, make sure that you do not override a correct global setting with an incorrect site setting.)
- T1.4: Is the filter (DAF35x.DLL) loaded?
See: T7.1
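T1.1 and T1.2 can be verified from a client without opening the Internet Service Manager: the 401 response for a protected resource lists the schemes IIS offers in its WWW-Authenticate header(s). The following script is an added example for this page, not part of DAF or IIS. It also builds the Authorization header a browser sends for Basic, which is what DAF sees on the server; the header values in the test data are constructed for the example and the URL in the usage comment is a placeholder.

```python
"""Client-side check for T1.1 and T1.2 (Basic offered, NTLM not offered).

Added example for this page; not part of DAF or IIS. Run it against a
resource that requires authentication: the 401 response's WWW-Authenticate
header(s) show which schemes IIS offers.
"""
import base64
import http.client
import sys
from urllib.parse import urlsplit


def basic_authorization(user, password):
    """Build the Authorization value a browser sends for Basic auth.

    This is what DAF sees on the server: user:password, base64-encoded, not
    encrypted. Because DAF requires Basic, serve the site over SSL/TLS (or a
    trusted network) or the passwords travel in the clear.
    """
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def split_challenges(value):
    """Split one WWW-Authenticate value on top-level commas.

    IIS may send 'NTLM' and 'Basic realm="..."' as separate headers or as one
    comma-separated list; commas inside a quoted realm must not split it.
    """
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def offered_schemes(values):
    """Lower-cased scheme names from a list of WWW-Authenticate values."""
    schemes = set()
    for value in values:
        for part in split_challenges(value):
            head = part.split(None, 1)[0]
            if "=" not in head:  # 'qop="auth"' is a parameter, not a scheme
                schemes.add(head.lower())
    return schemes


def check_iis_auth_settings(values):
    """Apply checks T1.1 and T1.2 to the schemes offered in a 401 response."""
    schemes = offered_schemes(values)
    findings = []
    if "basic" not in schemes:
        findings.append('T1.1: "Basic Authentication" is not offered; DAF cannot work')
    # "Windows NT Challenge/response" is advertised as NTLM (Negotiate on later
    # IIS releases); Internet Explorer prefers it over Basic, so DAF never
    # receives the Basic login.
    if schemes & {"ntlm", "negotiate"}:
        findings.append('T1.2: "Windows NT Challenge/response" is offered; disable it')
    return schemes, findings


def probe(url, timeout=10):
    """Anonymous GET; returns (status, WWW-Authenticate values).
    Network call, not exercised by the offline test."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    values = resp.msg.get_all("WWW-Authenticate") or []
    conn.close()
    return resp.status, values


if __name__ == "__main__":
    # usage: python daf_authcheck.py http://www.example.com/private/TEST.HTM  (placeholder URL)
    status, values = probe(sys.argv[1])
    schemes, findings = check_iis_auth_settings(values)
    print(f"HTTP {status}; schemes offered: {sorted(schemes) or 'none'}")
    for finding in findings:
        print("  ", finding)
    if status == 200 and not values:
        print("   resource was served anonymously (step 1 of section 2 passes)")
```

A 200 with no WWW-Authenticate header on a resource that should be protected is the "access granted to an anonymous user" symptom of T3.1/T3.2, not an IIS setting problem; a 401 offering NTLM alongside Basic is the mixed-browser symptom described under T1.1.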
DAF Settings:
If DAF is not registered, only the first ten web users requiring an HTTP authentication are usable; beyond that number, all authentication requests for this database are denied.
To register DAF, you need to purchase a DAF 3.X engine and validate the license information with the DAF Configuration Tool, button "Register." DAF is registered if your license information is displayed in the top left frame "Registration Information."
DAF Database settings:
- T3.1: Is the DAF database loaded?
The database is loaded if it appears with a green up arrow in the "DAF Manager" window.
I also recommend looking for a database initialization error:
- Open the "Live Log" window
- Select the database button
- Reload the database with the "DAF Manager"
- Read what is reported in the "Live Log" window to see if error messages are displayed
See "Live Log" samples: TEXT source, ODBC source.
- T3.2: Is the DAF database mapped to the correct IP address?
Use the "Setup Summary" window to check which IP address is mapped to which database.
Another way to check which IP addresses are attached to a database:
- Open the "Live Log" window
- Select the database button
- Reload the database with the "DAF Manager"
- Check the "Live Log" window for initialization errors. With or without errors, a lot of information should be displayed; if nothing is reported, the DAF database is not loaded.
- T3.3: For an ODBC source, is the correct table mapped to the correct IP address?
A common mistake is to forget to attach an IP address to a table of the ODBC source. For an ODBC source:
- the IP address must be attached to the database (as for a TEXT user list)
- the IP address MUST also be attached to a table
- T3.4: Is the DAF database registered?
If the current database is not registered, only the first ten web users requiring an HTTP authentication are usable; beyond that number, all authentication requests for this database are denied.
The easiest way to know whether a DAF database is registered is to use the "Setup Summary" window of the DAF Configuration Tool.
One data source is included with a DAF 3.X engine license. If you use more than one user list, you need to purchase DAF data source extensions. A data source extension must be validated with the DAF Configuration Tool, button "Register." The number of usable DAF data sources is displayed in the DAF Configuration Tool window, in the left middle frame "Data Sources."
- T3.5: Are the options "Concatenate to WEB user IP Addr" and/or "Concatenate to WEB user URL first directory" checked?
These options (available in the DAF Configuration Tool) must be checked only if you clearly understand their effect. If they are checked without that understanding, all HTTP authentication requests will be rejected.
- T3.6: Is the DAF database searched for each HTTP authentication request?
To check whether the DAF database is searched for each HTTP authentication request:
- Open the "Live Log" window
- Select the database button
- With the DAF Configuration Tool, select the database and activate the following log options: "Log when DAF user found," "Log When DAF user NOT found," "Log on Access Denied" and "Write in private log file"
- Reload the database with the "DAF Manager"
- Check the "Live Log" window for initialization errors. With or without errors, a lot of information should be displayed; if nothing is reported, the DAF database is not loaded.
- Protect an HTML file, for example by removing all read access with NT permissions.
- Open a browser and request the protected HTML file.
- If something is reported, the filter and the database were invoked. If nothing is reported, the filter or the database was not invoked and something is wrong with the configuration.
See "Live Log" samples: "Invalid DAF authentication".
If a DAF database is not searched for each HTTP request, it is probably because the database is not loaded, or because the correct IP address is not attached to the database and/or to the correct table (for an ODBC source).
DAF database content:
- T4.1: Is each DAF login UNIQUE per data source?
In each DAF data source, each web login must be UNIQUE. Even with different passwords, a single web login must not be defined several times for one DAF data source.
- T4.2: Does the mapped NT user have the "Log on locally" privilege?
All mapped NT users MUST have the "Log on locally" right.
DAF User definition:
Note that a valid DAF user does not mean that all HTTP requests using this user will be granted. It only means that the login and password can be found in the DAF user list (and the account is not expired). In the DAF Authentication Diagram in the documentation, this corresponds to step 2 only.
Activate all log options and open the Live Log window (see T3.6 for instructions).
- T5.1: Are your DAF user name and password valid?
A valid DAF user should report the following message in the Live Log window:
192.168.1.136:(AA100)(DAF LOGON SUCC.) User Found : Joe#grp1@1998-10-05 00:00:00 (-> john) in DAF db
An INVALID user will report the following message:
192.168.1.136:(BA111)(DAF LOGON FAIL.) User NOT Found : <jack> in DAF db (Forward to NT)
Common causes of an invalid DAF user are:
- wrong password
- user not unique in the DAF user list
- DAF account expired
- T5.2: Are the mapped NT user login and password valid?
If an NT user is mapped to a DAF user, this NT user must be valid regarding NT security. An invalid NT user will generate the following message:
192.168.1.136:(CC131)(NT LOGON FAIL.) Access Denied. User <John> found in DAF database, mapped to invalid NT user <john>
No message is reported for a valid NT user.
Common causes of an invalid NT user are:
- wrong password
- case difference between the login or password entered and the one found in the DAF user list
- "Log on Locally" privilege not granted
This error has nothing to do with a resource; the problem is related to the NT user.
- T5.3: Is the requested resource enabled regarding DAFAUTH.INI for a DAF Login?
When access is denied by a DAFAUTH.INI permission, the message reported is:
192.168.1.136:(CB201)(DAFAUTH.INI PERMISSION) Access Denied to </dafauth> for user <Joe>,<john>
To find out why access is denied, check the DAFAUTH.INI documentation.
- T5.4: Is the requested resource readable regarding NT Security?
When access is denied by an NT permission, the message reported is:
192.168.1.136:(CD202)(NT PERMISSION) Access Denied to <I:\inetserv\wwwroot\cindy\> for user <Joe>,<john>
Common causes of an NT permission denial are:
- the NT user does not have read access to the requested resource
- if the NT user is an empty string, the IIS default NT user (IUSR_XXXX) is invalid
- "Log on Locally" privilege not granted
This message implies that the mapped NT user is valid; the problem is that this user cannot access the requested resource.
2. Use the live log to understand what generates the "Access Denied"
An "Access Denied" message can have its origin in four places:
- user not found or account expired in the DAF user list
- access to the requested resource denied by the DAFAUTH.INI file
- invalid mapped NT user
- access to the requested resource denied by NT security
The easiest way to find the cause of an "Access Denied" message is to activate all log options and check what errors are reported in the "Live Log" window. See T3.6 for instructions on how to activate this feature.
Each failure case generates a different error message, but several causes can accumulate and should be solved one by one.
To start, I recommend reading the "DAF Authentication Diagram" in the documentation to understand how DAF processes each authentication request.
For efficient troubleshooting I strongly recommend following these steps, one by one:
(Sample log messages in the following instructions are for DAF release 3.5e; with an older release they would be slightly different.)
1. Start with a resource readable with an anonymous request:
- Create an HTML file, for example: TEST.HTM
- Set NT permission Everyone|Read for TEST.HTM
- If present in the same directory, remove the file DAFAUTH.INI (so access will be granted)
- Restart an HTML browser
- Load TEST.HTM
- Access should be granted without having to enter a login and password; if it is not, there is probably a problem with the IIS settings or the default IIS user (IUSR_XXX).
If anonymous access is not granted, it is useless to try the next step.
2. Add a DAF user to your user list, with no NT user mapped and no expiration date. For example:
DAF Login: john
DAF Password: 1998
NT Login: (empty string)
NT Password: (empty string)
Expiration Date: (empty string)
3. Add a DAFAUTH.INI file
If you do not intend to use a DAFAUTH.INI file, ignore this step.
- In the same directory as TEST.HTM, create a file DAFAUTH.INI with the following content only:
[PreAuthentication]
authenticated=enable
This DAFAUTH.INI should grant access to all valid DAF users.
- Restart an HTML browser
- Load TEST.HTM
- Access should be denied and the authentication popup window should be displayed. If access is granted to an anonymous user, it is probably related to an incorrectly attached IP address (see T3.1 and T3.2), or the filter DLL is not installed (see T7.1).
- In the authentication popup window, enter "john" and "1998"
- Access should be granted; if it is not, check the Live Log window, the problem is probably related to the DAF user list.
Do not try the next step until access is granted for user "john" password "1998" and denied for an anonymous user.
4. Remove the DAFAUTH.INI file
If you do not intend to use a DAFAUTH.INI file, ignore this step.
Now that we know DAFAUTH.INI works, we can delete it. As in step 1, access should be granted for an anonymous request.
5. Add NT permissions
If you do not intend to map an NT user to your DAF user, ignore this step.
- Create an NT user, for example:
- Login: dafprivate
- Password: 007
- "Log on Locally" user right
- Remove NT permission "Everyone|Read"
- Set NT permission "dafprivate|Read" for TEST.HTM
- If needed, with the DAF Configuration Tool, set the option "Forward unfound DAF user to NT"
- Reload the database with the "DAF Manager"
- Restart an HTML browser
- Load TEST.HTM
- Access should be denied
- In the authentication popup window, enter "dafprivate" with password "007"
- Access should now be granted
Since user "dafprivate" is not a DAF user, Live Log should report a message like:
192.168.1.136:(BA111)(DAF LOGON FAIL.) User NOT Found : <dafprivate> in DAF db (Forward to NT)
If the following message is displayed, the NT user is NOT valid:
192.168.1.136:(CC132)(DAF&NT LOGON FAIL.) Access Denied. User <dafprivate> NOT found in DAF database, and invalid NT user
If the following message is displayed, the NT user is valid and the problem is probably related to the NT permission of NT user "dafprivate" on resource TEST.HTM:
192.168.1.136:(CD202)(NT PERMISSION) Access Denied to <I:\inetserv\wwwroot\test.htm> for user <dafprivate>,<dafprivate>
Do not try the next step until access is granted for user "dafprivate" password "007" and denied for an anonymous user.
6. Add a mapped NT user to DAF user "john"
If you do not intend to map an NT user to your DAF user, ignore this step.
- Add to user "john" the mapped NT user "dafprivate" with password "007"
- Restart an HTML browser
- Load TEST.HTM
- Access should be denied
- In the authentication popup window, enter "john" with password "1998"
- Access should now be granted
Live Log should show:
192.168.1.136:(AA100)(DAF LOGON SUCC.) User Found : John#@(-> dafprivate) in DAF db
Do not try the next step until access is granted for user "john" password "1998" and denied for an anonymous user.
7. Add a DAFAUTH.INI file
If you do not intend to use a DAFAUTH.INI file, ignore this step.
- In the same directory as TEST.HTM, create a file DAFAUTH.INI with the following content only:
[PreAuthentication]
group1=enable
- Add DAF group "group1" to user "john" in the DAF user list
- Restart an HTML browser
- Load TEST.HTM
- Access should be denied
- In the authentication popup window, enter "john" with password "1998"
- Access should now be granted
You are now ready to use DAF, with a mapped NT user and a DAFAUTH.INI file.
Authentication messages reported in the "Live Log" window and DAF log file (DAF, Release 3.5e and newer)
Note that the AA101 and BA110 messages below can include the DAF password and the NT password in clear text, so the private log file must be protected with NT permissions at least as strict as those on the user list.
- If option "Log when DAF user found" is enabled:
(AA100)(DAF LOGON SUCC.) User Found : <DAF Login>#<DAF Groups>@<expiration Date> (-> <NT Login>) in DAF db
(AA101)(DAF LOGON SUCC.) User Found : <DAF Login>:<DAF password>#<DAF Groups>@<expiration Date> (-> <NT Login>:<NT Password>) in DAF db
(AA102)(DAF LOGON SUCC.) User Found : can't log user info !
- If option "Log when DAF user NOT found" is enabled:
(BA110)(DAF LOGON FAIL.) User NOT Found : <DAF Login>:<DAF password> in DAF db [Forward to NT]
(BA111)(DAF LOGON FAIL.) User NOT Found : <DAF Login> in DAF db [Forward to NT]
(BA112)(DAF LOGON FAIL.) User Found : <DAF Login> in DAF database, account expired (%s)
- If option "Log on Access Denied" is enabled:
(CA112)(DAF LOGON FAIL.) Access Denied. User <DAF Login> found in DAF database, account expired <%s>
(CC131)(NT LOGON FAIL.) Access Denied. User <DAF Login> found in DAF database, mapped to invalid NT user <%s>
(CC132)(DAF&NT LOGON FAIL.) Access Denied. User <DAF Login> NOT found in DAF database, and invalid NT user
(CA133)(DAF LOGON FAIL.) Access Denied. User <DAF Login> NOT found in DAF database, forced Access Denied
(CC150)(NT LOGON FAIL.) Access Denied
(CC151)(NT LOGON FAIL.) Access Denied
(CB201)(DAFAUTH.INI PERMISSION) Access Denied to <Resource name> for user <DAF Login>,<NT Login>
(CD202)(NT PERMISSION) Access Denied to <Resource name> for user <DAF Login>,<NT Login>
(CD250)(NT PERMISSION) Access Denied
(CB301)(DAFAUTH.INI PERMISSION) Access Denied for user <DAF Login>,<NT Login> by application <Resource name>
(CE302)(FILTER) Access Denied for user <DAF Login>,<NT Login> by application <Resource name>
(CE350)(FILTER) Access Denied
(CB401)(DAFAUTH.INI PERMISSION) Access Denied for user <DAF Login>,<NT Login> by application <Resource name>
(CF402)(APPLICATION) Access Denied for user <DAF Login>,<NT Login> by application <Resource name>
(CF450)(APPLICATION) Access Denied
(CG501)(CONFIG) Access Denied
(CH601)(Unknown, Reason = 0) Access Denied
(CH701)(Unknown, Reason = <Error Code>) Access Denied
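The code in each message identifies which component produced the denial, which is exactly the four-way split section 2 asks you to make. The following triage script is an added example for this page, not part of DAF: it parses Live Log / private log lines in the 3.5e format of the catalogue above, tags each line with the deciding component and the checklist item to look at first, and counts denials per component. The prefix table is read off the catalogue (first letter A = success, B = user not found and forwarded to NT, C = access denied; second letter = component); codes the catalogue does not list fall into "unknown", and the lines in SAMPLE_LOG are constructed from the samples on this page.

```python
"""Triage of DAF "Live Log" / private log lines by "Access Denied" origin.

Added example for this page; not part of DAF. The prefix tables below are
read off the 3.5e message catalogue; SAMPLE_LOG is constructed from the
samples on this page.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
192.168.1.136:(AA100)(DAF LOGON SUCC.) User Found : Joe#grp1@1998-10-05 00:00:00 (-> john) in DAF db
192.168.1.136:(BA111)(DAF LOGON FAIL.) User NOT Found : <jack> in DAF db (Forward to NT)
192.168.1.136:(CC131)(NT LOGON FAIL.) Access Denied. User <John> found in DAF database, mapped to invalid NT user <john>
192.168.1.136:(CB201)(DAFAUTH.INI PERMISSION) Access Denied to </dafauth> for user <Joe>,<john>
192.168.1.136:(CD202)(NT PERMISSION) Access Denied to <I:\inetserv\wwwroot\cindy\> for user <Joe>,<john>
192.168.1.136:(CC132)(DAF&NT LOGON FAIL.) Access Denied. User <dafprivate> NOT found in DAF database, and invalid NT user
192.168.1.136:(CA112)(DAF LOGON FAIL.) Access Denied. User <Joe> found in DAF database, account expired <1998-10-05 00:00:00>
"""

# <client IP>:(<code>)(<kind>) <message>
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\((?P<code>[A-Z]{2}\d{3})\)\((?P<kind>[^)]*)\)\s*(?P<msg>.*)$"
)
# "User Found : <DAF Login>#<DAF Groups>@<expiration Date> (-> <NT Login>) in DAF db"
USER_FOUND_RE = re.compile(
    r"User Found : (?P<login>[^#]+)#(?P<groups>[^@]*)@(?P<expiry>[^(]*?)\s*"
    r"(?:\(-> (?P<nt>[^)]*)\))?\s*in DAF db"
)

RESULT_BY_FIRST_LETTER = {"A": "success", "B": "not-found", "C": "denied"}
# Second letter of the code: the component that decided, and the checklist
# item on this page to start with.
COMPONENT_BY_SECOND_LETTER = {
    "A": ("DAF user list", "T5.1, T4.1"),
    "B": ("DAFAUTH.INI", "T5.3"),
    "C": ("mapped NT user logon", "T5.2, T4.2"),
    "D": ("NT permission on the resource", "T5.4"),
    "E": ("filter", "T1.4"),
    "F": ("application", "-"),
    "G": ("configuration", "T3.x"),
    "H": ("unknown reason", "-"),
}


def parse_line(line):
    """Return a dict for one log line, or None if it is not a DAF auth message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    code = rec["code"]
    rec["result"] = RESULT_BY_FIRST_LETTER.get(code[0], "other")
    rec["component"], rec["check"] = COMPONENT_BY_SECOND_LETTER.get(code[1], ("unknown", "-"))
    found = USER_FOUND_RE.search(rec["msg"])
    if found:  # successful lookups carry the user record; keep it for inspection
        rec["login"] = found.group("login").strip()
        rec["groups"] = found.group("groups")
        rec["expiry"] = found.group("expiry").strip()
        rec["nt"] = found.group("nt") or ""
    return rec


def triage(text):
    """Parse every DAF message in text; lines that do not match are skipped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def denied_by_origin(records):
    """Count 'Access Denied' lines per component. Causes accumulate and are
    solved one by one, so start with the component that comes first in the
    order of section 2: user list, DAFAUTH.INI, NT user, NT permission."""
    return Counter(r["component"] for r in records if r["result"] == "denied")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = triage(text)
    for r in recs:
        who = f" login={r['login']!r} nt={r['nt']!r}" if "login" in r else ""
        print(f"{r['code']} {r['result']:<9} {r['component']:<30} check {r['check']}{who}")
    for component, n in denied_by_origin(recs).most_common():
        print(f"{n:3d} denied by {component}")
```

Run it with the path of the private log file (enabled by "Write in private log file" in T3.6) to get the per-component count; a BA line followed by a CC132 for the same client is the step 5 case (user not in the DAF list and not a valid NT user either), while a CA112 means the user list entry itself has expired.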