Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

XCCC: You Receive an Access Denied Error Message When You Join a Conference on a Failover Conferencing Server


View products that this article applies to.

This article was previously published under Q330346

↑ Back to the top


Symptoms

When you try to join a conference by using the Web access pages on the now-active Exchange 2000 Conferencing Server, you may receive the following error message:
Access Denied The Conference Management Service denied your request due to a lack of permissions. Please try the following: Verify that you are using the correct password if the conference requires one. Verify that you are not trying to join a private conference that you have not been invited to. Contact your system administrator. Microsoft VBScript runtime error / [Obtaining MCU] Error #46: Permission denied / [Unable to attach to the T.120 MCU while using the conference technology provider extension] Microsoft Exchange 2000 Conferencing Server.
When a failover occurs and the backup Exchange 2000 Conferencing Server becomes active, your active conferences may not appear on the failed Exchange 2000 Conferencing Server Web access pages. If you try to join a conference from the Exchange 2000 Conferencing Server Web access pages that failed, you may receive an error message that access is denied. If you view the Exchange 2000 Conferencing Server Web access pages on the now-active Exchange 2000 Conferencing Server, the conferences may not appear correctly.

↑ Back to the top


Cause

This behavior occurs because of a change in the way Microsoft Windows Server 2003 handles the Microsoft Internet Information Server (IIS) anonymous user SubAuthentication.

In Microsoft Windows 2000, IIS uses a SubAuthentication process that permits IIS to control the password of the anonymous user account. With SubAuthentication, IIS can replace typical Windows logon procedures with a validation scheme that is contained in a dynamic link library (Iissuba.dll) and log any Internet connection to the system directly. Therefore, SubAuthentication can permit the anonymous IIS user to access some network resources, such as Distributed Communication (DCOM) calls. Because the IIS anonymous user is not a domain user, the user does not have domain user rights, and therefore is not officially authorized to make DCOM calls to another domain computer. SubAuthentication makes these calls possible in Windows 2000.

Windows Server 2003 does not provide SubAuthentication support for IIS, and therefore the DCOM calls that are initiated by the IIS anonymous user fail.

↑ Back to the top


Workaround

To work around this behavior, create a user name and password pair that are the same for the IIS anonymous user on both computers.

↑ Back to the top


Status

This behavior is by design.

↑ Back to the top


More information

Your two Exchange 2000 Conferencing Servers are installed on Windows Server 2003-based computers. One of the Exchange 2000 Conferencing Servers is configured as a failover backup.

Note IIS is running on the failed Exchange 2000 Conferencing Server.

For more information about Windows SubAuthentication, see the Microsoft Platform SDK and Microsoft Visual Studio 6.0 on-line product documentation. As of December 2002, Visual Studio 6.0 includes a SubAuthentication sample that is named SubAuth. For additional information about SubAuthentication, click the following article number to view the article in the Microsoft Knowledge Base:
216828� Password Synchronization/Allow IIS to Control Password May Cause Problems

↑ Back to the top


Keywords: KB330346, kbbug, kbrtc, kbprb, kberrmsg

↑ Back to the top

Article Info
Article ID : 330346
Revision : 5
Created on : 10/27/2006
Published on : 10/27/2006
Exists online : False
Views : 405