Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

XCCC: You Receive an Access Denied Error Message When You Join a Conference on a Failover Conferencing Server



This article was previously published under Q330346



Symptoms

When you try to join a conference by using the Web access pages on the now-active Exchange 2000 Conferencing Server, you may receive the following error message:
    Access Denied
    The Conference Management Service denied your request due to a lack of permissions.
    Please try the following:
    Verify that you are using the correct password if the conference requires one.
    Verify that you are not trying to join a private conference that you have not been invited to.
    Contact your system administrator.
    Microsoft VBScript runtime error / [Obtaining MCU] Error #46: Permission denied / [Unable to attach to the T.120 MCU while using the conference technology provider extension]
    Microsoft Exchange 2000 Conferencing Server.

When a failover occurs and the backup Exchange 2000 Conferencing Server becomes active, your active conferences may not appear on the Web access pages of the Exchange 2000 Conferencing Server that failed. If you try to join a conference from the Web access pages of the failed server, you may receive an error message that access is denied. If you view the Web access pages on the now-active Exchange 2000 Conferencing Server, the conferences may not appear correctly.



Cause

This behavior occurs because of a change in the way Microsoft Windows Server 2003 handles the Microsoft Internet Information Server (IIS) anonymous user SubAuthentication.

In Microsoft Windows 2000, IIS uses a SubAuthentication process that permits IIS to control the password of the anonymous user account. With SubAuthentication, IIS can replace typical Windows logon procedures with a validation scheme that is contained in a dynamic-link library (Iissuba.dll) and log any Internet connection to the system directly. Therefore, SubAuthentication can permit the anonymous IIS user to access some network resources, such as Distributed Component Object Model (DCOM) calls. Because the IIS anonymous user is not a domain user, the user does not have domain user rights, and therefore is not officially authorized to make DCOM calls to another domain computer. SubAuthentication makes these calls possible in Windows 2000.

Windows Server 2003 does not provide SubAuthentication support for IIS, and therefore the DCOM calls that are initiated by the IIS anonymous user fail.



Workaround

To work around this behavior, configure the IIS anonymous user on both computers with the same user name and password pair.
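One way to apply this workaround from a command prompt, as an added example that is not part of the original article. The account name CONFANON, the default AdminScripts path, and setting the values at the W3SVC root (rather than on a specific site or virtual directory) are assumptions.

```batch
@echo off
rem Added example, not from the KB article. Run on BOTH Conferencing Server
rem computers and enter the SAME password each time.
rem CONFANON is a hypothetical account name (assumption).
setlocal
set ANONUSER=CONFANON
rem Assumption: IIS admin scripts are in their default location.
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem Prompt instead of hard-coding the password. set /p echoes what is typed,
rem and a password containing a double quote will break the commands below.
set /p ANONPW=Password for %ANONUSER%: 

rem Create the local account, or reset its password if it already exists.
net user %ANONUSER% >nul 2>&1
if errorlevel 1 goto create
net user %ANONUSER% "%ANONPW%"
goto checkuser
:create
net user %ANONUSER% "%ANONPW%" /add /passwordchg:no
:checkuser
if errorlevel 1 goto fail

rem Point IIS anonymous access at that account. Set at the W3SVC root
rem (assumption); a site or virtual directory that overrides
rem AnonymousUserName keeps its own value and must be changed separately.
cscript //nologo "%ADSUTIL%" set w3svc/AnonymousUserName "%ANONUSER%"
cscript //nologo "%ADSUTIL%" set w3svc/AnonymousUserPass "%ANONPW%"

rem Use the password stored above instead of letting IIS control it.
cscript //nologo "%ADSUTIL%" set w3svc/AnonymousPasswordSync FALSE

rem Read the setting back to confirm it, then restart IIS to apply it.
cscript //nologo "%ADSUTIL%" get w3svc/AnonymousUserName
iisreset /restart
endlocal
goto :eof

:fail
echo Could not create or update %ANONUSER%; IIS settings were not changed.
endlocal
exit /b 1
```

Because the same credentials now exist on two computers, give the account no more group memberships or user rights than the default IIS anonymous account has, and change the password on both computers together.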



Status

This behavior is by design.



More information

Your two Exchange 2000 Conferencing Servers are installed on Windows Server 2003-based computers. One of the Exchange 2000 Conferencing Servers is configured as a failover backup.

Note: IIS is running on the failed Exchange 2000 Conferencing Server.

For more information about Windows SubAuthentication, see the Microsoft Platform SDK and Microsoft Visual Studio 6.0 on-line product documentation. As of December 2002, Visual Studio 6.0 includes a SubAuthentication sample that is named SubAuth. For additional information about SubAuthentication, click the following article number to view the article in the Microsoft Knowledge Base:
216828 Password Synchronization/Allow IIS to Control Password May Cause Problems



Keywords: KB330346, kbbug, kbrtc, kbprb, kberrmsg


Article Info
Article ID : 330346
Revision : 5
Created on : 10/27/2006
Published on : 10/27/2006
Exists online : False