Tuesday, April 21, 2009

IIS Disaster Update

I got a response from Microsoft, which is actually more of an information request. They wanted to know if I can connect to the IIS on the data tier using the 'Connect As' checkbox on the 'Connect to Computer' dialog, like this:

Apparently, I cannot. This did not come as a surprise. However, I decided to do an experiment and use the service account credentials in the 'Connect As' dialog box. Strangely enough, that worked. Very strange - both accounts are administrators on both machines, but only one of them can connect to IIS on the data tier remotely. I started looking for a possible reason and noticed that the service account was a member of the IIS_WPG on the app tier, and the TFS admin account was not. Aha! So, I added the admin account to the group.

Now, the really strange thing is happening. I log on to the app tier as the TFS admin account, start IIS Manager, right-click 'Internet Information Services' and click 'Connect'. From here, I try 2 different approaches:

1. Connect without providing credentials. Which, I assume, is connecting as the current user - the TFS admin user.

and this is what I get for my efforts.

2. Connect specifying the credentials explicitly. Which are, of course, the credentials of the TFS admin user.

and voila

Suddenly I have all the access I need. Unfortunately, that does not help much because the TFS installation still fails - I assume it tries to login to the data tier using the first approach.

Which obviously means ... which means ... ugh, I have no idea what that means. I do not have enough knowledge on the subject. Somehow the remote (data tier) IIS treats these logins differently, even though it is the same domain account that tries to log in. Something should be configured in a different way somewhere. I tried to play with authentication settings on both servers, but have not succeeded yet. I forwarded my new findings to Microsoft support. Stay tuned ...
