newbieadmin
Mon Feb 27 07:51:32 CST 2006
Dear David, thanks again for your reply.
I had read 2 articles in your blog regarding authentication (what user
identity does IIS use to run code like ISAPI and CGI). They are very nice.
>identify what authentication protocol is in effect for every URL
Do you mean the configuration in IIS for the virtual directories? They are
set to designated accounts created by us for web accessing.
> as well as what user identity actually authenticated
How can I find out these? Since only anonymous and windows integrated
authentication are selected, when the users can enter the directories (they
don't have password memorized in local machine, the password for that
anonymous user is only known by me), I thought they are authenticated as that
anonymous user for the virtual directory URL they clicked.
My iusr_machinename (and the groups it belongs) has no NTFS permission to
the folder and all the parent (ancestor) folders and the drive root. But when
I configure it to a new virtual directory to replace the repeatedly
intermittent one it will work. As I have worked with IIS5 for 3 years I
can't quite understand this.
"David Wang [Msft]" wrote:
> I have no idea. But I would start by assuming that you are seeing
> unexplained phenomenon based on misconfiguration.
>
> You need to identify what authentication protocol is in effect for every URL
> as well as what user identity actually authenticated, before you can say
> "the iusr_machinename has NO NTFS permission to the actual folder, but it
> can work!" because believe me, IIS6 runs as low-privileged user that cannot
> do anything, so you had to configure something to make it work, even if the
> mechanism is not immediately understood.
>
> You can also just browse through my blog for a variety of insights into how
> IIS works to serve a request. For example, I describe how the authentication
> process works to come up with a user identity, how ISAPI can alter server
> behavior arbitrarily, and how request handlers are decided.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "newbie admin" <newbieadmin@discussions.microsoft.com> wrote in message
> news:C21ED4E2-F68A-4A3C-9326-040EA6397A14@microsoft.com...
> > Thanks David.
> >
> > I don't have any additional restrictions to those anonymous users or group.
> > Do you have any ideas about my problem?
> >
> > Another question is, when I use iusr_machinename in a new virtual directory
> > to replace a faulty one (no one modified password in IIS, and when manually
> > supply it those users who are required to provide credential in IE can enter
> > the virtual directory, while at the same time some other users can be
> > authenticated automatically as anonymous user), the iusr_machinename has NO
> > NTFS permission to the actual folder, but it can work!
> >
> > I checked thoroughly in advanced options and also every parent folder. While
> > I think in IIS I must grant NTFS read permission for anonymous user.
> >
> >
> > "David Wang [Msft]" wrote:
> >
> >> The feature has been removed from IIS6 for security purposes. You will have
> >> to figure out how to re-enable that security vulnerability yourself...
> >>
> >> I suggest that you identify the actual problem and fix it -- because even
> >> with "Let IIS control password", user login still has to work... just
> >> password is not needed. In other words, unless your issue has to do with
> >> mismatched passwords, "Let IIS control password" doesn't gain you everything
> >> but requires weakening system security -- a lose-lose situation.
> >>
> >> http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
> >>
> >> For example, maybe your anonymous user or the Guest group has some login
> >> hour/time restrictions coming from Group Policy or Security Template that
> >> keep kicking in periodically to invalidate IIS's token cache, thus requiring
> >> you to "touch/recreate" things again to make things work. "Let IIS control
> >> password" won't help at all.
> >>
> >> --
> >> //David
> >> IIS
> >> http://blogs.msdn.com/David.Wang
> >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >> //
> >>
> >> "newbie admin" <newbieadmin@discussions.microsoft.com> wrote in message
> >> news:4FD4D631-259A-4D75-8209-37869789D358@microsoft.com...
> >> > I want to try this option because, even credentials stored in IIS are correct
> >> > (sync with the actual account since I can logon from console using that
> >> > account), IIS will fail (sometimes, or even for some users only) to
> >> > authenticate.
> >> >
> >> > Below is what drives me crazy:
> >> >
> >> > Some (not all) users can't be authenticated by IIS to enter a virtual
> >> > directory, while credential stored in IIS is right. We just create another
> >> > virtual directory and using the same anonymous account, pointing to the same
> >> > directory. The same virtual directory works!
> >> >
> >> > Another scene is all users can't enter a virtual directory, then I just
> >> > reenter the same password in IIS for that anonymous account, then everything
> >> > is fine again.
> >> >
> >> >
> >>
> >>
> >>
>
>
>
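One way to see which identity actually authenticated for each URL, as asked in the thread, is to read it from the IIS W3C Extended log. The script below is an added example, not part of the thread or of David Wang's blog; it assumes the site logs the cs-username, sc-status, sc-substatus and sc-win32-status fields, and the sample log lines, paths and account names are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C Extended format (not taken from the thread).
# /docs, /docs2, MACHINE\alice and the client addresses are made-up values.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2006-02-27 07:40:01 GET /docs/index.htm - 10.0.0.5 200 0 0
2006-02-27 07:41:10 GET /docs/index.htm - 10.0.0.6 401 1 1326
2006-02-27 07:41:12 GET /docs/index.htm MACHINE\\alice 10.0.0.6 200 0 0
2006-02-27 07:42:30 GET /docs2/index.htm - 10.0.0.7 401 3 5
2006-02-27 07:43:00 GET /docs2/index.htm - 10.0.0.7 200 0 0
"""

# 401 sub-status codes and a few Win32 error codes relevant to logon problems
SUBSTATUS = {"1": "logon failed", "2": "denied by server configuration",
             "3": "denied by ACL on resource"}
WIN32 = {"5": "access denied", "1326": "logon failure",
         "1328": "logon hours restriction"}

def summarize(log_text):
    """Per URL: identities that were served (2xx) and 401s grouped by cause."""
    fields = []
    report = defaultdict(lambda: {"served_as": set(), "denied": defaultdict(int)})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order is declared in the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        url = row["cs-uri-stem"].lower()
        # IIS writes "-" in cs-username when the request ran as the anonymous user
        user = "(anonymous)" if row["cs-username"] == "-" else row["cs-username"]
        if row["sc-status"].startswith("2"):
            report[url]["served_as"].add(user)
        elif row["sc-status"] == "401":
            sub, w32 = row["sc-substatus"], row["sc-win32-status"]
            cause = "401.%s (%s), win32 %s (%s)" % (
                sub, SUBSTATUS.get(sub, "other"), w32, WIN32.get(w32, "other"))
            report[url]["denied"][cause] += 1
    return report

if __name__ == "__main__":
    for url, info in sorted(summarize(SAMPLE_LOG).items()):
        print(url, sorted(info["served_as"]), dict(info["denied"]))
```

A URL that shows both `(anonymous)` and a named account under `served_as` is one where some clients fell back from anonymous to Integrated Windows authentication, which matches the mixed behaviour described in the thread.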