403 error - IIS running on sole domain controller

[grantwilliams]

I have a single domain controller (Win2K) running IIS 5. When I type

http://xxx.xxx.xxx.xxx

from a computer WITHIN the domain, I am able to view the default web page. When I attempt this from a computer OUTSIDE of the domain (i.e. the Internet), I get a 403 error.

I have the directory permissions (both the NTFS and IIS permissions) set to Read/Read and Execute/List. I also have anonymous access on. I have even gone as far as uninstalling/reinstalling IIS.

Does anybody have ANY idea what's causing this? I have NEVER had this problem before, however I have only ever had IIS running on Win2K Pro and WinXP Pro.

Thanks all,

Grant

 

[TRACEYMARYLAND]

Run a really basic page is it html or asp or ? what type of page ....and see if that works first...

 

[grantwilliams]

Yep, have tried just a very simple page and it still gets the 403 error, even when addressing the page directly (that is, not relying on it being the default document and being set up properly).

What is confusing me most is that I am having no problems whatsoever on computers that are within the domain. The problem is only for computers outside of the domain.

Grant

 

[grantwilliams]

I've turned "Show friendly HTTP messages" off and this is what I get from outside of the domain.

Error - 403

--------------------------------------------------------------------------------

Failed to connect to server:
xxx.xxx.xxx.xxx (80)

Reason: SockStream::Connect(): Unable to connect

 

[RobBentley]

Just going back to the obvious, i presume your using your WAN ip when you leave the domain & i presume if your using a router you've opened the ports & in the case of NAT used "Virtual Servers" or "Port Forwarding", however your router refers to them.

Robert Bentley

SynergyworksHosting.co.uk
"reliable services at realistic prices

 

[guod]

I've experienced this before.

when you're outside of the domain, you're accessing the page with the iusr_machinename account. (which is a local account)

On a domain controller, there are no local accounts. you need to set up a domain account for anonymous browsers to use. Then go into directory security and set that account as the anonymous account to use.

You'll also have to allow that account to log on locally within the domain controller security policy.

 

[guod]

http://support.microsoft.com/default.aspx?scid=kb;en-us;263140&Product=iis50

asp.net will also throw fits when you put it on a public Web server (been there too)

Public IIS servers should not be domain controllers. (I speak from experience) It can be done, but it's not worth the hassle. I STRONGLY advide you to just use a member server (or a server in it's own workgroup) as your IIS server

Doug

 

[grantwilliams]

Thanks for all the good tips guys, however the solution was a very simple one. I am using a Netcomm NB1300 ADSL modem/router which has an inbuilt web server. This web server was using port 80 and was blocking all external trafic on port 80. Reconfiguring the router's web server to use port 8080 allowed external port 80 requests to be passed through to the domain controller.

Thanks all the same!

Grant