Tuesday, September 30, 2014

Fix: Application Advisor fails to open with 401 error


Solution
=========
Change Anonymous Authentication to Enabled
Change ASP.NET Impersonation to Disabled


Analysis
=========
IIS, Windows Authentication and the Double Hop issue
In IIS you run into an interesting situation when your site needs to access another resource off the IIS server under a fairly common combination of settings. When Integrated (Windows) authentication is used, anonymous access is disabled, and impersonation is turned on, a security measure kicks in and does not allow your site to access resources on any other network server. This includes accessing a UNC path directly from IIS, or SQL Server using Windows authentication.
The reason is the 'double hop' that authentication would have to perform. When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'. When IIS then tries to access a network device with your credentials, that would be the second (double) hop, which is not allowed: IIS cannot pass your credentials on to the next network device, because otherwise the developer or administrator could abuse your credentials and use them in ways the site visitor did not anticipate.
This does not occur with anonymous access or with impersonation off, because in that case IIS takes care of authenticating you and then uses a different identity for local or network access. This means the app pool identity or the anonymous user makes the network call, which is that identity's first hop.
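The check and the fix from the Solution section, scripted in PowerShell. This is an added example, not code from the original post; it assumes the IIS WebAdministration module is installed and uses the hypothetical application path "Default Web Site/AppAdvisor", which you would replace with your own.

```powershell
# Added example (not from the original post). Assumes the WebAdministration module
# and a hypothetical application path; change $app to match your server.
Import-Module WebAdministration

$app      = 'Default Web Site/AppAdvisor'          # hypothetical application path
$authBase = 'system.webServer/security/authentication'
$appPath  = "IIS:\Sites\$($app -replace '/', '\')" # provider path to the app's web.config

function Get-AuthState {
    param([string]$Location)
    # Authentication settings live in applicationHost.config (read via IIS:\ + -Location);
    # ASP.NET impersonation lives in the application's own web.config.
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$authBase/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$authBase/windowsAuthentication" -Name enabled
    $imp  = Get-WebConfigurationProperty -PSPath $appPath `
        -Filter 'system.web/identity' -Name impersonate
    [pscustomobject]@{
        Anonymous     = [bool]$anon.Value
        Windows       = [bool]$win.Value
        Impersonation = [bool]$imp.Value
    }
}

$before = Get-AuthState -Location $app
# The combination the post describes: Windows auth on, anonymous off, impersonation on.
if ($before.Windows -and -not $before.Anonymous -and $before.Impersonation) {
    Write-Warning "Double-hop configuration detected on '$app': $($before | Out-String)"
}

# Apply the fix: enable Anonymous Authentication, disable ASP.NET Impersonation.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $app `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appPath `
    -Filter 'system.web/identity' -Name impersonate -Value $false

# Re-read to confirm the change took effect.
Get-AuthState -Location $app
```

Run it from an elevated PowerShell session on the IIS server; after the change the application runs as the app pool identity, so that account (not the visitor) needs rights on the UNC share or SQL Server.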

Terminal - Restrict each user to one session



Both Windows 2003 and 2008 can meet this requirement.
By default, 2003 allows multiple sessions per user, while 2008 allows only one. There are two ways to allow multiple users.

Please refer to the steps below. Thanks.

To limit users to one remote session

Using Group Policies (best practice)

1. Open Group Policy.
2. In Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Restrict Terminal Services users to a single remote session setting.
3. Click Enabled, and then click OK.

Important
- You should thoroughly test any changes you make to Group Policy settings before applying them to users or computers. For more information on testing policy settings, see Resultant Set of Policy.

Notes
- To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
- Use the above procedure to configure the local Group Policy object. To change a policy for a domain or an organizational unit, you must log on to the primary domain controller as an Administrator. Then, you must invoke Group Policy through the Active Directory Users and Computers snap-in.

Using Terminal Services Configuration

1. Open Terminal Services Configuration.
2. In the console tree, click Server Settings.
3. In the details pane, right-click Restrict each user to one session, and then click Properties.
4. Check the Restrict each user to one session check box, and then click OK.

Note
- To open Terminal Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Services Configuration.