locked
Suddenly unable to log in over Internet RRS feed

  • Question

  • Having played with the WHS evaluation version for a couple of weeks, and being overall very content with the product, I now face a remote access problem I'm baffled with.
    Out of the blue WHS decided all users trying that log over internet are Administrators, thus denying access.
    I haven't have a clue as of why, as I did nothing on the server to trigger this behaviour. When I check the user properties on the server, they are not members of the Administrators group.  The only groups listed for all users are Remote Desktop Users, Users, Windows Home Server Users and a bunch of RW_x/RO_x groups, of which I gathered they represent the shares that user has access to.

    I would appreciate some insight that help me correct this problem.

    TIA
    Sunday, February 22, 2009 3:26 PM

Answers

  • Emdek said:

    @ Kariya21:
    The only groups listed for all users are Remote Desktop Users, Users, Windows Home Server Users, Print Operators and a bunch of RW_x/RO_x groups, of which I gathered they represent the shares that user has access to.
    When I check the admin group it contains entries for Administrator, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK, NT AUTHORITY/NETWORK SERVICE  and NT AUTHORITY\SYSTEM.



    From your reply to my first post in this thread I thought you had already checked this.

    Probably if you remove the Network Service from the Administrators group things will be OK again. If this doesn't fix it try deleting all but the Administrator account from the administrators group (one by one if you want to know which one is the culprit).
    • Marked as answer by Emdek Tuesday, February 24, 2009 3:59 PM
    Tuesday, February 24, 2009 12:25 PM
    Moderator
  • On my home server(s) only the Administrator account is member of the local Administrators group - this is the default setting.
    So either you have changed the configuration, some software you installed did or you have some malware in your network or/and on your server which made the change.

    Best greetings from Germany
    Olaf
    • Marked as answer by Emdek Tuesday, February 24, 2009 4:15 PM
    Tuesday, February 24, 2009 1:48 PM
    Moderator
  • Emdek said:

    ...

    @ Ken:
    Recenlty I did add a user account for WMI access using the 2003 management tools, the same way I added an user account for the bittorrent service when I installed WHS. The bittorrent user account never interfered  with the WHS user accounts as I was still able to log in over Internet useing the normal accounts. The only difference with the bittorrent user account was I had to open/foreward certain ports in Windows Firewall to allow WMI communications.

    ...


    In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot...

    I believe (but can't test at my location) that this is going to prove to be the source of your problem. I think that, in order for WMI tools to work properly, the additional built-in accounts you listed beyond Administrator need to have admin access. 

    My recommendation is to uninstall the WMI tools (which you don't need) and remove the additional accounts from the Administrators group. I will warn you may find that afterward some parts of your server no longer function correctly; I don't know what other changes may have occurred in terms of privileges granted/denied behind the scenes. In that case, probably a server reinstallation will be the quickest way to fix the problem.


    I'm not on the WHS team, I just post a lot. :)
    • Marked as answer by Emdek Tuesday, February 24, 2009 4:15 PM
    Tuesday, February 24, 2009 2:13 PM
    Moderator

All replies

  • On your server, any user in the Remote Desktop Users group is prohibited from logging in through the web interface.
    I'm not on the WHS team, I just post a lot. :)
    • Proposed as answer by Ken WarrenModerator Sunday, February 22, 2009 8:35 PM
    • Unproposed as answer by Emdek Monday, February 23, 2009 11:06 AM
    Sunday, February 22, 2009 8:35 PM
    Moderator
  • Ken Warren said:

    On your server, any user in the Remote Desktop Users group is prohibited from logging in through the web interface.


    I'm not on the WHS team, I just post a lot. :)



    Ken, that's not correct.  When a user is created in the Console, WHS automatically adds that user to the Remote Desktop Users group.  (I think you are thinking of the Administrators group.)
    Sunday, February 22, 2009 8:42 PM
    Moderator
  • I deleted and recreated the users, but that did not solve the problem. The fact that I cannot access my computers from work kinda renders the system useless to me, which is a shame as I was very happy finding a low-budget solution for remote acces and unified backup.
    Btw, kariya21 is right, users are added to the Remore Desktop User group by default.
    Still I'm curious to find out why my server decided all users belong to the Administrator group..... :(

    Monday, February 23, 2009 11:06 AM
  • Hi,
    what is the exact error message you receive and which related events are logged in the event logs (including security log) of the server?
    Do you have any software installed on the server, which may interfer with Internet Information Services?
    Best greetings from Germany
    Olaf
    Monday, February 23, 2009 1:20 PM
    Moderator
  • Porbably you already checked this, however just to be sure: 

    1. On your homeserver please do Start, Run, Type compmgmt.msc, Hit Enter.
    2. In the management console browse to "Local users and groups" then select "Groups", then in the Right pane double click "Administrators".
    3. The only member listed there should be "Administrator". If there's anything else listed this could be causing your problem.

    Monday, February 23, 2009 1:58 PM
    Moderator
  • @ brubber:

    Thank you for the suggestion, but it checking the admin group was my first action ;-)



    @ Olaf:

    No error messages are received, but every user gets the next text on the login-page:

    " To protect the security of your home network, you cannot log on remotely by using the Administrator user account. To administer your home network remotely, log on with your own user account. Then click the Console button on the Computers tab to connect to the Windows Home Server Console."

    When I check the eventlogs I see the Home Server event log containing entries like:

         Category: RemoteAccess
         ID: 2051
         Description: Remote Access logon fail. User Martin LogonFail

    The System Event log shows a more promissing entry:

         Category: None
         ID: 20106
         Description: Unable to add the interface {00241204-FEF1-41D4-9A7E-605FBFEEC2E4} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function.

    Now, according to Toolkit v1.1 there are no connectivity issues:

    Checking if Remote Desktop Connection is enabled on your home server......
        PASS: Remote Desktop connection is enabled on your Home Server.
    ---------------------------------------------------------
    Checking if Remote Desktop Connection is allowed by Group Policy......
        PASS: Remote Desktop connection is allowed by Group Policy.
    ---------------------------------------------------------
    Checking Windows Firewall settings on your Home Server......
        PASS: Windows Firewall is enabled on your Home Server.
    ---------------------------------------------------------
    Checking if Exception is allowed by Windows Firewall......
        PASS: Exception is allowed by Windows Firewall.
    ---------------------------------------------------------
    Checking if Remote Desktop proxy port is allowed by Windows Firewall......
        PASS: Remote Desktop proxy port is allowed
    ---------------------------------------------------------
    Checking if Remote Desktop is allowed by Windows Firewall......
        PASS: Remote Desktop is allowed by Windows Firewall.
    ---------------------------------------------------------
    Checking Website: "RemoteAccess"
    Checking path: "c:\inetpub\remote"
        PASS: Website RemoteAccess files are ok.
    ---------------------------------------------------------
    Checking Website: "PublicLanding"
    Checking path: "c:\inetpub\home"
        PASS: Website PublicLanding files are ok.
    ---------------------------------------------------------
    Checking Website: "Welcome"
    Checking path: "c:\inetpub\upnp"
        PASS: Website Welcome files are ok.
    ---------------------------------------------------------
        PASS: End checking Windows Home Server website files......
    ---------------------------------------------------------
    Checking IIS service status...
        PASS: IIS service status: Running
    ---------------------------------------------------------
    Checking Windows Home Server App Pool Status......
        PASS: Windows Home Server AppPool is on.
    ---------------------------------------------------------
    Checking default IIS site on your Windows Home Server......
        PASS: Default website is Windows Home Server Site
    ---------------------------------------------------------

    Now when I check Settings > Remote Access > Router > Details it claims the router is working correctly, so I'm out of my depth here...:(

    /*Edit:
    The error message "
    Unable to add the interface {00241204-FEF1-41D4-9A7E-605FBFEEC2E4} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function." relates to the 1394 Net Adapter aka FireWire. This message seems logical to me as I disabled the 1394 in the Windows Firewall. */
    Monday, February 23, 2009 4:20 PM
  • kariya21 said:

    Ken, that's not correct.  When a user is created in the Console, WHS automatically adds that user to the Remote Desktop Users group.  (I think you are thinking of the Administrators group.)

    My bad. I saw Remote Desktop users, wrote Remote Desktop users, thought Administrators. :(


    I'm not on the WHS team, I just post a lot. :)
    Monday, February 23, 2009 7:26 PM
    Moderator
  • Hi,
    regarding the error message - can you disable the FireWire interface in device manager (if you don't use it)? Or in Network under Advanced/Advanced Settings ensure, that the LAN connection has the top priority.
    (In my experience not each error message is really pointing to the real reason of trouble.)
    Since this is nothing usual, some things, what you could test.
    Does the logon work, if you try it locally (within your network via http://yourservername?
    Do you have another connection open to your home server involving the Administrator account (like via FTP or Web Folders 4 WHS or something similar)?
    Are there any usernames and passwords stored for the server in the user profiles of the clients?
    Did you install anything on the server around the time it stopped to work as expected (Windows Update, Add-In, other applications)?
    You may also check the IIS logfiles in subfolders of C:\Windows\system32\LogFiles on your server (maybe these give a hint, what happens).
    Best greetings from Germany
    Olaf
    Monday, February 23, 2009 9:19 PM
    Moderator
  • Emdek said:

    " To protect the security of your home network, you cannot log on remotely by using the Administrator user account. To administer your home network remotely, log on with your own user account. Then click the Console button on the Computers tab to connect to the Windows Home Server Console."

    When I check the eventlogs I see the Home Server event log containing entries like:

         Category: RemoteAccess
         ID: 2051
         Description: Remote Access logon fail. User Martin LogonFail

    The error you describe above really only comes from a user having been added to a group, or granted a right, that they should not have. I know this seems like beating a dead horse, but have you at any time made any modifications to security other than by using the Windows Home Server Console program? Realize that this could come about by other means than just you using the Windows Server 2003 user management tools. If you have installed software on your server through Remote Desktop it's possible that that software has changed user privileges, for example.


    I'm not on the WHS team, I just post a lot. :)
    Monday, February 23, 2009 11:59 PM
    Moderator
  • Emdek said:

    I deleted and recreated the users, but that did not solve the problem. The fact that I cannot access my computers from work kinda renders the system useless to me, which is a shame as I was very happy finding a low-budget solution for remote acces and unified backup.
    Btw, kariya21 is right, users are added to the Remore Desktop User group by default.
    Still I'm curious to find out why my server decided all users belong to the Administrator group..... :(



    Can you open Local Users and Groups on the server again, right click on a regular user (not the Administrator), select Properties, then the Member Of tab and post the results here?
    Tuesday, February 24, 2009 1:35 AM
    Moderator
  • @ Olaf:
    - Disabling the FireWire adapter did not result in any change
    - Trying to log in locally has the same result (denied), though I can access the shares so
    - the usernames and passwords match with the profiles on the server
    - I did install/uninstall the add-in Router Control by Gamer(WGS) last week but only after the login problem surfaced.

    @ Ken:
    Recenlty I did add a user account for WMI access using the 2003 management tools, the same way I added an user account for the bittorrent service when I installed WHS. The bittorrent user account never interfered  with the WHS user accounts as I was still able to log in over Internet useing the normal accounts. The only difference with the bittorrent user account was I had to open/foreward certain ports in Windows Firewall to allow WMI communications.

    @ Kariya21:
    The only groups listed for all users are Remote Desktop Users, Users, Windows Home Server Users, Print Operators and a bunch of RW_x/RO_x groups, of which I gathered they represent the shares that user has access to.
    When I check the admin group it contains entries for Administrator, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK, NT AUTHORITY/NETWORK SERVICE  and NT AUTHORITY\SYSTEM.

    So I'm still baffled as of why WHS regards normal users as admins, but I'm sure glad you guys putting up this effort :)

    /* Edit:
    @ Olaf:
    Forgot to mention, but the httperr1.log only shows a bunch of Timer_ConnectionIdle entries and the ex0902xx.log files show the appropriate GET/POST statements showing attempts to log in, no errors mentioned.
    */

    In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot...
    Tuesday, February 24, 2009 12:01 PM
  • Emdek said:

    @ Kariya21:
    The only groups listed for all users are Remote Desktop Users, Users, Windows Home Server Users, Print Operators and a bunch of RW_x/RO_x groups, of which I gathered they represent the shares that user has access to.
    When I check the admin group it contains entries for Administrator, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK, NT AUTHORITY/NETWORK SERVICE  and NT AUTHORITY\SYSTEM.



    From your reply to my first post in this thread I thought you had already checked this.

    Probably if you remove the Network Service from the Administrators group things will be OK again. If this doesn't fix it try deleting all but the Administrator account from the administrators group (one by one if you want to know which one is the culprit).
    • Marked as answer by Emdek Tuesday, February 24, 2009 3:59 PM
    Tuesday, February 24, 2009 12:25 PM
    Moderator
  • On my home server(s) only the Administrator account is member of the local Administrators group - this is the default setting.
    So either you have changed the configuration, some software you installed did or you have some malware in your network or/and on your server which made the change.

    Best greetings from Germany
    Olaf
    • Marked as answer by Emdek Tuesday, February 24, 2009 4:15 PM
    Tuesday, February 24, 2009 1:48 PM
    Moderator
  • Emdek said:

    ...

    @ Ken:
    Recenlty I did add a user account for WMI access using the 2003 management tools, the same way I added an user account for the bittorrent service when I installed WHS. The bittorrent user account never interfered  with the WHS user accounts as I was still able to log in over Internet useing the normal accounts. The only difference with the bittorrent user account was I had to open/foreward certain ports in Windows Firewall to allow WMI communications.

    ...


    In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot...

    I believe (but can't test at my location) that this is going to prove to be the source of your problem. I think that, in order for WMI tools to work properly, the additional built-in accounts you listed beyond Administrator need to have admin access. 

    My recommendation is to uninstall the WMI tools (which you don't need) and remove the additional accounts from the Administrators group. I will warn you may find that afterward some parts of your server no longer function correctly; I don't know what other changes may have occurred in terms of privileges granted/denied behind the scenes. In that case, probably a server reinstallation will be the quickest way to fix the problem.


    I'm not on the WHS team, I just post a lot. :)
    • Marked as answer by Emdek Tuesday, February 24, 2009 4:15 PM
    Tuesday, February 24, 2009 2:13 PM
    Moderator
  • Woot!!! I can access WHS online again! Removing all but Administrator from the admin group did the job. Thnx a ton guys :)

    In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot...
    Tuesday, February 24, 2009 4:16 PM