IIS not accepting credentials to run sites

DZ 0 Reputation points
2023-06-15T19:49:34.0366667+00:00

Hello, 

We have a web server which has been working correctly for some months now. This morning, we noticed that all the sites are down because the domain account used to access the website files was locked out. We unlocked the password and reset the password, then went back to the IIS server and proceeded with the following steps:

  1. Connect to a site,
  2. Right Click on site, go to Basic Settings -> Connect as -> Set -> Enter account details -> OK -> OK
  3. Click Test Settings... (all tests pass)
  4. Click Close -> OK

At this point, all seems normal. However, on going back to Basic Settings -> Test Settings, the tests now fail.

After multiple tests, the account is locked out, as if the password was wrong. This occurs, even if I try with the Domain Admin account. Every other site on this server is now showing the same issue with their credentials.

We edited the applicationHost.config file and replaced the encrypted password added by IIS on the website with a plain-text password and it works fine. So, we are sure that something is happening with the IIS server.

I provisioned a new server and was able to reproduce the issue as soon as I imported the sites from the faulty server to the newly provisioned one.

Googling the issue, I found only a few old posts showing the same issue but none of them got a solution.

Share with me any thoughts.

Thanks.

Extra details which may be relevant:

  • Windows Server 2019 Datacenter
  • IIS 10.0.17763.1
  • Shared configuration when the issue started (but even without it we still have the same issue)
  • A couple of other webservers have the same issue

2 answers

  1. MotoX80 37,256 Reputation points
    2023-06-17T12:39:48.98+00:00

    On your domain controller, there should be a lockout event in the security eventlog. That will identify the source machine that caused the lockout. Find that and verify that it's your web server.

    In the audit events on the web server, do they show process id? Can you trace that back to a specific w3wp.exe and identify the site? You may need to enable process tracking in your audit policy. Or use Process Monitor to trace program activity.

    https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

    What about creating a second domain account and adding that to the same groups that the problem account is in? Migrate the sites one by one to use the second account. When the first account stops getting locked out, you'll know that you found the problem web site.
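
The triage described in the answer above, sketched in PowerShell as an added example (not part of the original answer): event 4740 on the domain controller names the machine that triggered the lockout, and event 4625 on the web server carries the calling process. The account name, host name and event XML below are constructed samples; the live query in the closing comment assumes logon auditing is enabled and the Security log is readable.

```powershell
# Pull the named <Data> fields out of a Security event's XML (what $event.ToXml() returns).
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    $fields = [ordered]@{ EventId = [int]$evt.System['EventID'].InnerText }
    foreach ($d in $evt.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]$fields
}

# 4740 (logged on the DC): the TargetDomainName field holds the "Caller Computer Name".
function Get-LockoutSource {
    param([string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertFrom-SecurityEventXml $_ } |
        Where-Object EventId -eq 4740 |
        Select-Object @{ n = 'Account'; e = { $_.TargetUserName } },
                      @{ n = 'CallerComputer'; e = { $_.TargetDomainName } }
}

# 4625 (logged on the web server): count failed logons per calling process.
function Get-FailedLogonCaller {
    param([string[]]$EventXml, [string]$Account)
    $EventXml | ForEach-Object { ConvertFrom-SecurityEventXml $_ } |
        Where-Object { $_.EventId -eq 4625 -and $_.TargetUserName -eq $Account } |
        Group-Object ProcessId, ProcessName |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Failures    = $_.Count
                ProcessId   = [Convert]::ToInt32($first.ProcessId, 16)  # logged as hex
                ProcessName = $first.ProcessName
                SubStatus   = $first.SubStatus   # 0xc000006a = wrong password
            }
        }
}

# Constructed sample events; 'svc-web' and 'WEB01' are placeholders.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample4740 = "<Event xmlns='$ns'><System><EventID>4740</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>svc-web</Data><Data Name='TargetDomainName'>WEB01</Data></EventData></Event>"
$sample4625 = "<Event xmlns='$ns'><System><EventID>4625</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>svc-web</Data><Data Name='SubStatus'>0xc000006a</Data>" +
    "<Data Name='ProcessId'>0x1a2c</Data><Data Name='ProcessName'>C:\Windows\System32\inetsrv\w3wp.exe</Data></EventData></Event>"

Get-LockoutSource -EventXml $sample4740
Get-FailedLogonCaller -EventXml $sample4625 -Account 'svc-web'

# Live use: feed (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740}).ForEach({ $_.ToXml() })
# on the DC, and Id=4625 on the web server. If the caller is w3wp.exe, its command line from
# Get-CimInstance Win32_Process -Filter "ProcessId=<pid>" shows the app pool name after -ap.
```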


  2. Limitless Technology 45,181 Reputation points
    2023-06-16T09:00:40.1833333+00:00

    Hello DZ,

    Thank you for your question and for reaching out with your question today.

    Based on the information provided, it appears that there might be an issue with the shared configuration or a common configuration setting that is causing the domain account to become locked out consistently on multiple web servers. Here are a few suggestions to investigate and troubleshoot the issue:

    1. Check Account Lockout Policies: Verify the account lockout policies in your domain environment. Ensure that there are no specific policies or settings in place that might be causing the domain account to lock out frequently. You can check the Account Lockout Policy settings in the Group Policy Management Console.
    2. Examine IIS Shared Configuration: Since you mentioned that the issue started with shared configuration, investigate if there are any configuration settings related to authentication or account credentials that might be causing the account lockout. Review the shared configuration settings and compare them with the individual site configurations to identify any discrepancies or conflicts.
    3. Analyze Event Logs: Check the Event Viewer logs on the web servers for any relevant error messages or events related to the account lockout issue. Look for events related to account lockouts, IIS, authentication failures, or security audits. These logs might provide additional insights into what is causing the issue.
    4. Review IIS Authentication Settings: Double-check the authentication settings for the websites in IIS. Ensure that the correct authentication methods are enabled and configured properly. Pay attention to any custom authentication providers or modules that might be affecting the account authentication process.
    5. Investigate Application Code: Examine the websites' application code or scripts to identify any potential issues that might be causing excessive authentication attempts or incorrect authentication calls. Look for any loops, misconfigured login attempts, or unusual authentication patterns that could trigger the account lockout.
    6. Consider Password Expiration and Complexity: Confirm that the domain account used for website access has not expired or has any password complexity requirements that might be causing issues. Make sure the password is up to date and compliant with the domain policies.
    7. Test Without Shared Configuration: As a troubleshooting step, try removing the shared configuration temporarily and configure the websites individually on each web server. This will help determine if the shared configuration is causing the account lockout issue.
    8. Consult Microsoft Support: If the issue persists and you have exhausted all possible troubleshooting steps, it may be beneficial to reach out to Microsoft Support for further assistance. They can provide in-depth analysis and guidance specific to your environment and help identify any underlying issues.

    Remember to take appropriate precautions and perform thorough testing when making any changes to the production environment.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

