Do Assistant Admins require 'Log on Locally' rights on the server when using the Web Console? (NETIQKB38264)

  • 7738264
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
Do Assistant Admins require 'Log on Locally' rights on the server when using the Web Console?

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

fix
No, Assistant Admins using the Web Console do not require 'Log on Locally' user rights on the Directory and Resource Administrator (DRA) server or on the IIS server running the Web Console if Integrated Authentication is used.  However, if you select to only use Basic Authentication, Assistant Admins will be prompted for a username and password when launching the Web Console, and in order for the users to successfully launch the Web Console, the users must have Log on Locally rights on the IIS server.  For more information, please refer to the 'Configuring Basic Authentication' topic in Microsoft IIS Help.

note

The following information has been obtained from Microsoft IIS Help:

Configuring Basic Authentication
Enabling Basic authentication does not automatically configure your Web server to authenticate users. Windows user accounts must be created and the NTFS permissions properly set, as described earlier.

To properly authenticate users with Basic authentication, the Windows user accounts being used for Basic authentication must have Log On Locally user rights. This right must be assigned because Basic authentication impersonates a local user (that is, a user physically logged on to the server). By default, user accounts on a Windows primary domain controller (PDC) are not granted the Log On Locally user rights.



note

For more information on this topic, please refer to the following Microsoft Knowledge Base article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262233 - IIS: How to Configure Basic/Clear Text Authentication for IIS 5.0 in Windows 2000



Additional Information

Formerly known as NETIQKB38264