IIS Server Security, IIS 6.0 configured application pool and Integrated Windows Auth

microsoft.public.inetserver.iis.security - About IIS Web Server Security Issues


IIS Server Security >> IIS 6.0 configured application pool and Integrated Windows Auth

by Gursharan Singh » Thu, 22 Jul 2004 04:00:48 GMT

I have created an application pool in IIS 6.0 and configured it to use a
domain account. The application pool starts up ok. I have also added the
domain account to IIS_WPG group and granted it change process token and
adjust memory quotas for a process identity.

When I turn on integrated windows authentication on apps under this pool, i
get a pop-up instead of getting authenticated. resetting the app pool to the
default pool (running as network service) resolves the authentication
problem.

What am I doing wrong?

Thanks,
Gursharan



Top

IIS Server Security >> IIS 6.0 configured application pool and Integrated Windows Auth

by David Wang [Msft] » Tue, 27 Jul 2004 11:35:53 GMT


Is this machine also in a domain? If so, you forgot to read the following
documentation associated with Custom Application Pool Identity.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ca_cfgwrkridentity.asp

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//


I have created an application pool in IIS 6.0 and configured it to use a
domain account. The application pool starts up ok. I have also added the
domain account to IIS_WPG group and granted it change process token and
adjust memory quotas for a process identity.

When I turn on integrated windows authentication on apps under this pool, i
get a pop-up instead of getting authenticated. resetting the app pool to the
default pool (running as network service) resolves the authentication
problem.

What am I doing wrong?

Thanks,
Gursharan





Top
Similar Threads

1. IIS6, Integrated Windows Auth, and IE6 Integrated Windows Auth dis

2. IIS6, Integrated Windows Auth, and IE6 Integrated Windows Auth 

Your log entry snippets suggests that on IIS5, you were not using Integrated
Authentication -- I'd expect to see a 401.2 followed by a 200 , but you show
a successful 200 -- this may be due to how you are repro'ing the issue (i.e.
you've already made a successful request), but I want to make sure that you
only had Integrated authentication enabled on IIS5 and NOTHING else (like
anonymous).

What happens if you do:
CSCRIPT %systemdrive%\inetpub\adminscripts\adsutil.vbs SET
W3SVC/NTAuthenticationProviders "NTLM"

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
" XXXX@XXXXX.COM " < XXXX@XXXXX.COM @discussions.microsoft.com>
wrote in message news: XXXX@XXXXX.COM ...
Thank you for responding, David.

Both servers are in the same domain.  The IIS6 server is the first of a
group of servers that I am upgrading from Win2K to Win2K3/IIS6.  The
function requested is not supported" appears to be returned by Internet
Explorer stating that the function in IE is not supported.

This is the web log entry from the IIS 5 website (successful):
2004-06-25 12:24:54 139.72.117.151 - 139.72.11.88 80 GET
/searchadsvc/searchad.asmx - 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705;+.NET+C
LR+1.1.4322)

This is the web log entry from the IIS6 website (unsuccessful):
2004-06-25 12:25:57 139.72.109.63 GET /searchadsvc/searchad.asmx - 80 -
139.72.117.151
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705;+.NET+C
LR+1.1.4322) 401 2 2148074254
2004-06-25 12:25:57 139.72.109.63 GET /searchadsvc/searchad.asmx - 80 -
139.72.117.151
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705;+.NET+C
LR+1.1.4322) 500 0 2148074242

Does this help?

Dave


"David Wang [Msft]" wrote:

> Were both IIS5 and IIS6 servers joined to a domain or not?
>
> Is "The function requested is not supported" the actual error text that
> comes back, or ???  Because IIS doesn't send such an custom error, meaning
> that your problem may be related to something ELSE running on the
webserver
> and not necessarily IIS6.
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> " XXXX@XXXXX.COM " < XXXX@XXXXX.COM @discussions.microsoft.com>
> wrote in message
news: XXXX@XXXXX.COM ...
> My application returns an HTTP 500 error when the application is
configured
> for Integrated Windows Authentication on IIS 6.  The application works
okay
> under IIS5 under Integrated Windows Authentication.  When I disable "Show
> friendly HTTP error messages" in IE6, then I get the following error
message
> in my browser "The function requested is not supported".  After further
> investigation, I found an IE6 setting called, "Enable Integrated Windows
> Authentication (requires restart)".  By default, this setting is disabled.
> When enabled, my application works properly on the Windows 2003 server
> running IIS6.
>
> Why is this setting in IE6 required under Win2K3/IIS6 and not required
under
> Win2K/IIS5?
>
> I have not found this setting under lower versions of IE.  So changing
this
> setting on thousands of PCs at my company is not an option.  I prefer a
> configuration change on my server.  Configuring all of my websites with
> Basic only is not an acceptable alternative.
>
> Your suggestions will be greatly appreciated. Thanks.
>
> Dave
>
>
>

3. windows integrated authentication does not work with a configurable application pool identity in iis 6.0

4. Windows authentication breaks after configuring application pool identity 

Hi group

I run IIS 6.0 on W2k3 being an Active Directory Controller in a test lab.
Create a virtual directory 'test' with Windows authentication on and
anonymous access off.
Create a static test.html file in the directory.
Open it in a browser and it's ok.
Now I configure a separate application pool for this virtual directory (ASP
1.1) with the default Netwok Service identity. It's ok, too.
Now I create a domain account, add it to IIS_WPG group and configure it to
be the application pool identity. This breaks Windows authentication and I
keep getting 401.1 errors from IIS.

The same works fine on another W2k3 not a domain member.

Any ideas where I can be wrong ?

Thanks

5. IIS Windows Integrated Auth works with IP and not name

6. IIS 5.0 integrated windows auth trouble...

7. Integrated Windows Auth Problem - IIS Server Security

8. Combining Anonymous + Integrated Windows auth 

I am running Intranet with Win2k/IIS 5/asp.net and am trying to force Integrated Windows auth to IE users and give a friendly error message saying "change your browser to IE" to those who access the site with none-IE browsers. In IIS 5, when I enable both Anonymous access and Integrated Windows authetication, it ignores the Integrated Windows auth. Is there any way I can make it so that Integrated Windows auth takes precedence over Anonymous access? If this can be done, I can let IIS to allow the non-IE users and my script can redirect them to the friendly error page. Can anyone help on this?