Hi,

We are currently running IIS5 on Win2K and have started to test migrating to
IIS 6 on 2003. I have added our custom IIS extensions to the allowed
extension list, but the first attempt to use it fails (401 error in the IIS
log file).

The first thing the extension constructor does is open HKLM to read some
entries and then tries to open a log file which resides in a different
directory. The log file is never created, so I assume that if the DLL is
trying to run, it is failing because it cannot access either the folder where
the log file is to exist, or cannot create files in that folder.

We are running the webserver with anonymous access turned on, and not in IIS
5 mode (though I tried that without any change in behavior). I have tried to
figure out how to add the "Network Service" account or the Ixxx_machinename
accounts to those with rights on those folders but haven't had much luck (it
doesn't seem to know either "Network Service" or IUSR_XXXXXXXX, the "Check
Names" says it doesn't know them even if I limit the scope to the local
machine). I am a local admin on the box but am unfamiliar with admin tasks
because I usually just write the applications, not configure web servers.

We will be moving away from anonymous access in the near future so if there
are any caveats to suggested steps (I thought I saw something on that in
another thread), I would appreciate knowing that also.

Suggestions, tips, steps, or links welcome.

Thanks,
Bill

RE: ISAPI extension creating a file in IIS 6 by BillBeacom

BillBeacom
Tue Oct 05 08:33:06 CDT 2004

Here are the entries from the log files for the attempted request:

2004-10-05 13:21:47 10.236.21.25 GET / - 80 - 10.102.112.15
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+T312461;+IE5.5_+SP2_wOLE;+.NET+CLR+1.1.4322) 401 1 0
2004-10-05 13:21:47 10.236.21.25 GET / - 80 - 10.102.112.15
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+T312461;+IE5.5_+SP2_wOLE;+.NET+CLR+1.1.4322) 401 1 0
2004-10-05 13:21:47 10.236.21.25 GET /Broker.htm - 80 PROD-AM\beacwh
10.102.112.15
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+T312461;+IE5.5_+SP2_wOLE;+.NET+CLR+1.1.4322) 200 0 0
2004-10-05 13:21:52 10.236.21.25 GET /isapi/eoeapi.dll
EoeApiProcess?User=MYUSER&PassWord=8939CE78B126&EoeApiRequest=0000002560110.102.112.15+++++++54++0000000020+++20041005082152++++++++++++++++++++MYUSER++++++++++8939CE78B126++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++01++++++++
80 - 10.102.112.15
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+T312461;+IE5.5_+SP2_wOLE;+.NET+CLR+1.1.4322) 401 1 0
2004-10-05 13:21:52 10.236.21.25 GET /isapi/eoeapi.dll
EoeApiProcess?User=MYUSER&PassWord=8939CE78B126&EoeApiRequest=0000002560110.102.112.15+++++++54++0000000020+++20041005082152++++++++++++++++++++MYUSER++++++++++8939CE78B126++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++01++++++++
80 - 10.102.112.15
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+T312461;+IE5.5_+SP2_wOLE;+.NET+CLR+1.1.4322) 401 1 0
2004-10-05 13:21:52 10.236.21.25 GET /isapi/eoeapi.dll
EoeApiProcess?User=MYUSER&PassWord=8939CE78B126&EoeApiRequest=0000002560110.102.112.15+++++++54++0000000020+++20041005082152++++++++++++++++++++MYUSER++++++++++8939CE78B126++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++01++++++++
80 PROD-AM\beacwh 10.102.112.15
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+T312461;+IE5.5_+SP2_wOLE;+.NET+CLR+1.1.4322) 500 0 126

I was able to get "Network Service" added to the folder with permissions to
create, write and append to files, but I still get the error....

Thanks,
Bill

Re: ISAPI extension creating a file in IIS 6 by David

David
Wed Oct 06 19:09:35 CDT 2004

Use AuthDiag to troubleshoot.

http://www.microsoft.com/downloads/details.aspx?FamilyId=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en

You are getting 401.1 for those requests (invalid username/password to
login), and if you only have anonymous authentication enabled, it means that
you have the wrong anonymous username/password configured on this machine.
Fix that.

BTW, ISAPI DLL will run with the remote authenticated identity (depends on
authentication protocol that you select), so you should ACL resources on the
server accordingly. If you do not want the remote user to have access to
what the ISAPI is reading/writing on the server, then you need to look into
additional impersonation inside the ISAPI such that the identity performing
those actions is DIFFERENT than the remote user (this is what impersonation
is all about). Randomly changing ACLs is unlikely to work -- security
always requires precise configuration to be 100% correct or else it won't
work, and IIS6 is no exception.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Bill Beacom" <BillBeacom@discussions.microsoft.com> wrote in message
news:F60047A4-BE0B-4FF0-B701-8CBAD3533F35@microsoft.com...

Re: ISAPI extension creating a file in IIS 6 by BillBeacom

BillBeacom
Thu Oct 07 08:53:03 CDT 2004

Thanks for the tip on the tool. It seems we hadn't followed all the steps to
set up anonymous access properly. I did notice that there is an entry in the
security audit log for a logon failure, eg:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 10/07/2004
Time: 8:35:54 AM
User: NT AUTHORITY\SYSTEM
Computer: FTEKCWSAOMWEB01
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: IUSR_FTEDCWSAOMWEB01
Domain: FTEKCWSAOMWEB01
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: FTEKCWSAOMWEB01
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3012
Transited Services: -
Source Network Address: -
Source Port: -

I don't know what a logon type of 8 is, but I noticed that the user name did
not match what one would expect on the local domain (i.e., it's not *exactly*
IUSR_<machinename>). It seems this box may have gotten "renamed" after IIS was
installed. Will this be a problem? I've tried the recommended steps from the
AuthDiag tool to correctly configure anonymous access, but the problem
persists (the log above is from after following the steps to configure
subauthentication). Also, the documentation suggests that this (IIS
subauthentication) is not the best approach under IIS 6, but I didn't find a
recommended alternative. Do you have a link to what is recommended?

Thanks again for your help...

Bill

Re: ISAPI extension creating a file in IIS 6 by David

David
Thu Oct 07 17:32:47 CDT 2004

> I don't know what a logon type of 8 is, but I noticed that the user
> name did not match what one would expect on the local domain
> (i.e., it's not *exactly* IUSR_<machinename>). It seems this box
> may have gotten "renamed" after IIS was installed.
> Will this be a problem?

Renaming the computer is not a problem. IIS just needs a valid
username/password -- it doesn't care if the name is bob, IUSR_<new_machine>,
IUSR_<old_machine>, etc. However, there are plenty of broken scripts out
there that assume IIS anonymous user is named IUSR_<machinename> -- so your
machine may give them problems.

I don't know what a logon type of 8 is, either, but looking it up on MSDN for
the LogonUser Win32 API explained what values were possible; a quick search
through the Platform SDK for LOGON32_LOGON shows that a logon type of 8
means LOGON32_LOGON_NETWORK_CLEARTEXT, which gives sufficient context to
re-read the LogonUser API documentation.


> Also, the documentation suggests that this (IIS subauthentication)
> is not the best approach under IIS 6, but I didn't find a recommended
> alternative. Do you have a link to what is recommended?

There is no recommendation link because the recommended behavior is
default -- i.e. sub authentication is the alternative configuration. As
soon as you stop configuring sub authentication, the default recommended
behavior will automatically be used.

Also, on clean installations IIS6 will use the default behavior -- so you
get sub authentication only if you intentionally configured it, or you
upgraded from prior IIS version.


Your current problems seem to stem from the fact that your configured
anonymous user does not have the necessary logon type to successfully logon
to the machine -- hence IIS is failing all those requests. You either need
to use a new anonymous user that can logon to the machine, or you need to
fix the existing account. AuthDiag should detect this scenario.

Now, IIS5 tends to cover over these issues because it runs as LocalSystem
and can do whatever it wants -- but this is also insecure and easy to
exploit. IIS6 is secure and does not run as a privileged user, thus it
cannot make things automagically work -- so you need to configure everything
perfectly or else things can strangely fail. That is the way security
works.

I recommend that you migrate to IIS6 (i.e. clean install OS, then migrate
the website) instead of upgrading in place. Upgrading is a mixed bag
security-wise -- we leave some settings to old values to not break your
code, but we must change other values to secure values that may break you,
and you can hit many odd combinations that do not exist otherwise.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Bill Beacom" <BillBeacom@discussions.microsoft.com> wrote in message
news:1D555C1D-9895-4513-821A-326FB1782E08@microsoft.com...
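A small triage helper for the two artefacts this thread turns on: the 401.1 lines in the W3C log that David points to, and the "Logon Type: 8" in Bill's Event 534 that the second reply decodes. This is an added example, not code from either poster; the log lines and event text are constructed in the same layout as Bill's, and the substatus, Win32 error and LogonUser constant names come from the IIS and Win32 documentation (IUSR_EXAMPLE and the shortened User-Agent are placeholders).

```python
import re

# Constructed sample lines in the W3C layout Bill posted (fields: date time s-ip
# cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)
# sc-status sc-substatus sc-win32-status). IIS replaces spaces inside a field
# with '+', so a plain split on ' ' is safe.
SAMPLE_LOG = [
    "2004-10-05 13:21:47 10.236.21.25 GET / - 80 - 10.102.112.15 Mozilla/4.0+(compatible) 401 1 0",
    "2004-10-05 13:21:47 10.236.21.25 GET /Broker.htm - 80 PROD-AM\\beacwh 10.102.112.15 Mozilla/4.0+(compatible) 200 0 0",
    "2004-10-05 13:21:52 10.236.21.25 GET /isapi/eoeapi.dll EoeApiProcess?User=X 80 - 10.102.112.15 Mozilla/4.0+(compatible) 401 1 0",
    "2004-10-05 13:21:52 10.236.21.25 GET /isapi/eoeapi.dll EoeApiProcess?User=X 80 PROD-AM\\beacwh 10.102.112.15 Mozilla/4.0+(compatible) 500 0 126",
]
# Constructed excerpt of a Security log entry in the shape of Bill's Event 534.
SAMPLE_EVENT = ("Event ID: 534\nReason: The user has not been granted the requested "
                "logon type at this machine\nUser Name: IUSR_EXAMPLE\nLogon Type: 8\n")

# IIS 6 sc-substatus meanings for the statuses seen in the thread.
SUBSTATUS = {
    (401, 1): "Logon failed (IIS could not log the account on)",
    (401, 2): "Logon failed due to server configuration",
    (401, 3): "Unauthorized due to ACL on the resource",
    (500, 0): "Internal server error",
}
# Win32 error names for the sc-win32-status values that matter here.
WIN32 = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED", 126: "ERROR_MOD_NOT_FOUND"}
# LogonUser() logon types and the user right each one requires.
LOGON_TYPES = {2: ("LOGON32_LOGON_INTERACTIVE", "SeInteractiveLogonRight"),
               3: ("LOGON32_LOGON_NETWORK", "SeNetworkLogonRight"),
               4: ("LOGON32_LOGON_BATCH", "SeBatchLogonRight"),
               5: ("LOGON32_LOGON_SERVICE", "SeServiceLogonRight"),
               8: ("LOGON32_LOGON_NETWORK_CLEARTEXT", "SeNetworkLogonRight")}

def parse_line(line):
    """Split one W3C log line and decode the status/substatus/win32 triple."""
    parts = line.split(" ")
    status, substatus, win32 = (int(x) for x in parts[-3:])
    return {"uri": parts[4], "user": parts[7], "status": status, "substatus": substatus,
            "win32": win32, "meaning": SUBSTATUS.get((status, substatus), "unknown"),
            "win32_name": WIN32.get(win32, "unknown")}

def anonymous_logon_failures(lines):
    """Count 401.1 responses with cs-username '-': the anonymous account itself failed to log on."""
    return sum(1 for r in map(parse_line, lines)
               if r["user"] == "-" and (r["status"], r["substatus"]) == (401, 1))

def decode_logon_type(event_text):
    """Return (logon type name, required user right) from an Event 534 description."""
    m = re.search(r"Logon Type:\s*(\d+)", event_text)
    return LOGON_TYPES.get(int(m.group(1)), ("unknown", "unknown")) if m else None

if __name__ == "__main__":
    for r in map(parse_line, SAMPLE_LOG):
        print(r["uri"], r["user"], r["status"], r["substatus"], r["meaning"], r["win32_name"])
    print("anonymous 401.1 count:", anonymous_logon_failures(SAMPLE_LOG))
    print("Event 534 logon type:", decode_logon_type(SAMPLE_EVENT))
```

A 401.1 with an empty cs-username while the same client's authenticated request returns 200 is the pattern David describes: the configured anonymous account, not the remote user, is what fails to log on, and the logon type in the audit entry tells you which user right that account is missing.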