IIS Server Security, IIS 5 looses authenticated user

microsoft.public.inetserver.iis.security - About IIS Web Server Security Issues


IIS Server Security >> IIS 5 looses authenticated user

by Dan Ackermann » Wed, 25 Feb 2004 18:11:13 GMT

Hi all,
On my website I set up a admin area where users needs to authenticate to
read pages.
After authenticated user may choose an upload page where a file is
imported to a specific directory.
In 9 of 10 cases the WriteFile fails with permission denied because
IIS uses the anonymous user to write the file (anonymous does not have
access to this specific directory) in the 10th case it works because IIS
uses the authenticated user????

What makes IIS switching usercontext ????
What are I'm doing wrong ???

Any help is highly appreciated.

TIA

Dan


Top

IIS Server Security >> IIS 5 looses authenticated user

by Bernard » Thu, 26 Feb 2004 11:40:28 GMT


if it work, it should work all the time.. not 9 out of 10.
are you using IIS authentication ?

when accessing content, IIS will first check your IP to see if it's allow,
then authentication if any, then web permission, and finally ntfs
permission. through out the process you will have process identity and
request identity. process as in the account running application, such as
localsystem for inetinfo, iwam for dllhost, and request identity is the
thread that actually accessing the content. if anonymous is allowed, iusr
will be the authenticated user token for the content or the authenticated
user if a registered account logged in.

you can try filemon (sysinternals.com) to track related access issue to see
what user actually is accessing or writing the content.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...








Top

IIS Server Security >> IIS 5 looses authenticated user

by Dan Ackermann » Thu, 26 Feb 2004 18:29:39 GMT

Bernhard,
That's exactly what I'm thinking myself - but the reality shows it's
different !!!
We are using NTFS Permissions. (IIS permissions set to allow anonymous,
& basic auth.)
In the specific directory anonymous has NTFS read rights and the
admingroup for this customer NTFS full control.
Checked with filemon and it's excatly what I'm expected. If it does not
work I see a Access denied for user anonymous if it works I see User
<unable to open token> ???
Well, somthing makes dllhost.exe switch user context just haven't found
out what it is :-(

Do you have any other idea ??
TIA

Dan








Top

IIS 5 looses authenticated user

by Bernard » Fri, 27 Feb 2004 14:54:07 GMT

What's the ACLs for the upload folder ?
Do a test, grant everyone full control, do you have any problem with the
upload ? if not, it is related to the ACLs settings on that particular
folder.

when you application is runing medium pooled or high isolation, the process
identity will be iwam user.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...





allow,
iusr
authenticated
see



Top
Similar Threads

1. IIS 5 looses authenticated user

2. 401.1 Unable to Authenticate Users in IIS in IIS 6 under 2003 Serv

3. 401.1 Unable to Authenticate Users in IIS in IIS 6 under 2003

4. Loosing Active Directory Users and Computers icons after custom snapin resource extension dll loaded 

I have an mmc Active Directory Users and Computers computer object
property page snapin.

My snapin loads an extension dll for its resources and once it is
loaded and when using the release versions of my dlls (snapin dll and
resource dll ) the icons used by the Active Directory Users And
Computers snapin to denote users, computers etc in its list views cant
be found (I assume).

In debug mode however there is not a problem.  

I am guessing it looks no further than my extension resource dll for
the icons to use in its image lists.

It really is as soon as my extension dll that contains resources to be
used by the my snapin dll that the icons are lost. They remain lost
even if the computer object is closed as my snapin dll and the
extension dll remain loaded.

Bah mfc

Any clues as to how I can get around this would be appreciated.

Regards Sarah

5. NT User created programatically, authenticating with IIS fails - .Net Framework

6. Does IIS Time-Out Authenticated Users? 

This is a very strange error I've been dealing with.  I think these items 
might be related.

I am able to debug code on IIS using VS.NET 2003.  I can step through code, 
set breakpoints, and do everything I want.

However, every 15-20 minutes or so, when I try to debug code I get the 
"Error while trying to run project: Unable to start debugging on the web 
server.  You do not have permissions to debug the webserver.  Verify that you 
are a member of the "Debugger Users" group on the server.

Closing VS.NET and reopening the project fixes that problem.  It's a pain, 
but I can live with it.

But, my users also get a similar error periodically.  They can use the 
application for a while.  But, every so often an NT login prompt will come 
up.  They click cancel and the application dies.  


This is making me wonder if there is some type of configuration in IIS where 
authenticated users are timing out.  It's very bizarre.

7. Does IIS Time-Out on Authenticated Users? - Microsoft .NET Framework

8. using IIS as SMTP relay, now POP users cannot authenticate 

Hi NG,

Our exchange server was configured to send mail to our ISP as a smart host. 
I have just modified our exchange server to use an IIS server we have in our 
DMZ to act as a smart host, our firewall (incoming) SMTP rule was also 
changed to forward mail to our new IIS server in the DMZ, all looked well.

But, our POP3 users (external) cannot autherticate anymore?

Any ideas why this would be?