401.3, you say? Not 403?

You’re running an IIS 6.0 website, and you have a virtual directory configured for anonymous authentication only (that is, you’ve unticked Integrated Windows Authentication).

Using a web browser, you try to access a file in that virtual directory. http://example.com/vdir/something.txt

What’s a web browser?

Know what IE is, Leon?


Same thing.

I’ve never seen an IE. But I know what you mean.

Anyway, the something.txt file is ACLd such that the anonymous user account (IUSR_MACHINENAME) doesn’t have any NTFS permissions to it. IIS impersonates the anonymous user for any anonymous request, and if it’s knocked back, it 401s the client with a WWW-Authenticate header describing the types of authentication supported.

Now IIS needs to ask for some kind of credential, but the only authentication method ticked is Anonymous. So IIS can’t ask for credentials. It can’t 401 with a WWW-Authenticate header because it’s got nothing to put in it. It won’t send a 403 because it hasn’t yet made a good-faith attempt to impersonate a user other than Anonymous.

But you haven’t configured it to ask for credentials. You could tick Integrated Windows and make the pain go away. Or you could allow the Internet Guest Account (at least) Read access to the file. But you’re not doing that, Leon.

Why is that, Leon?

Do you make these questions up yourself, or do you have them written down for you?

Actually, people come to me with questions all the time, and I sometimes write them down. 

Like this one: tell me only the good things that come to your mind, about… Personal Web Server on Windows 95.

Personal Web Server? Let me tell you about Personal Web Server…

Tip o’ the Week: WEVTUTIL for EVTX/EVT file conversion

This week, a pointer to a solution to a problem I occasionally hit.

Windows Vista (and by extension Windows Server 2008, I assume) utilizes a new EVTX log format for event log exports. It’s XML-based, natch.

Problem: Everyone’s Favourite Log Digestion Tool Log Parser uses system APIs to read event log exports, and the old .EVT event log format isn’t “native” any more. Long story short, it chokes on them.

This, to put it mildly, was annoying, as most customers haven’t moved to Windows Server 2008 yet (I mean, it’s only five months from release – is there ever a better time?) and so supply event logs in the old format when asked.

Anyway – you can convert the old-school event logs into shiny new event logs through the user interface (just double-click the EVT, wait for it to open and display in chronological order; then do a Save As, pick a location and filename and answer an obscure question about language formatting; then find and open the newly-resaved log file), but bluntly, the GUI process leaves a bit to be desired if you have the slightest inkling towards type-A behaviour, and all I really want is something that’ll work in Log Parser, really.

WEVTUTIL (and NeilCar) to the rescue. It’s included out of the box, and it’ll convert those dusty old event logs from the command line, with nary a GUI or common dialog in sight, ready for consumption by Logparser, or any other EVTX-friendly file muncher.

Neil’s example (for the click-inhibited):

wevtutil epl application.evt application.evtx /lf:true