IIS Server Security - IIS5.0 + ADSI + Integrated Auth.


Author IIS5.0 + ADSI + Integrated Auth.
Petr SIMUNEK

2004-01-24, 1:57 am

Scenario:
--------------------------
- Native W2K domain
- Multiple DS and MS
- IIS installed on one of the Member Servers
- Main public WEB site with security set to ANONYMOUS ACCESS uses LOCAL
IUSER_MachineName account of this member server. Inside, a Virtual Dir with
security set to INTEGRATED contains pages for manipulating USERs' properties
over ADSI

Integrated authentication works fine, but nobody - not even a Domain Admin -
can make any change to AD from a remote computer - even a DC. All fails on:
[ Active Directory error '80070005' ]

When I run the same on the Member Server where IIS resides, all goes fine.

? Tried a couple of things but nothing so far helped
- setting the IIS MS - Trusted for delegation
- switching to Basic Authentication
- When I log in locally on the IIS MS machine as a non-privileged user the
script fails as well
----------------------------------------
? I assume
- scripts (ASP) are fine since they run smoothly on the IIS machine
- if the pages run in the security context of the authenticated user / as they
should - it makes no sense to set up a DOMAIN-wide IUSER account


Help me out pls...this must be a well mapped area
Petr Simunek
MOD Admin
.....thanx for any guide


David Wang [Msft]

2004-01-24, 1:57 am

Your problem lies with delegation. Integrated Auth is not delegatable from
IIS5. It works with IIS6+AD, though.

Basic auth should work (I've successfully used ASP pages that use ADSI to
make property changes on another IIS server over Basic auth with admin
credentials).

See this Whitepaper for explanation/links. It describes it in the context
of access to UNC shares, but the concepts apply.
http://www.microsoft.com/technet/tr...at/RemStorg.asp

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
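
A triage helper for the symptom discussed in this thread, as an added example that is not code from either poster: it decodes the '80070005' error into its HRESULT fields and reads the delegation-related bits of `userAccountControl` for the IIS computer account and the calling user. The flag values are the documented Active Directory constants; the function names and the sample account values are assumptions constructed for illustration.

```python
# Added example: HRESULT and userAccountControl decoding for delegation triage.
FACILITY_WIN32 = 7
ERROR_ACCESS_DENIED = 5

# Documented userAccountControl bits relevant to delegation.
UAC_FLAGS = {
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",  # member server / workstation
    0x00002000: "SERVER_TRUST_ACCOUNT",       # domain controller
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",              # "sensitive, cannot be delegated"
}

def decode_hresult(text):
    """Split a hex HRESULT string such as '80070005' into its fields."""
    value = int(text, 16)
    return {
        "failure": bool(value >> 31),       # severity bit
        "facility": (value >> 16) & 0x7FF,  # 11-bit facility
        "code": value & 0xFFFF,             # 16-bit status code
    }

def delegation_flags(uac):
    """Names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if uac & bit)

def triage(hresult_text, server_uac, user_uac):
    """Return short findings for an ADSI failure behind an IIS server."""
    findings = []
    hr = decode_hresult(hresult_text)
    if hr["facility"] == FACILITY_WIN32 and hr["code"] == ERROR_ACCESS_DENIED:
        findings.append("win32-access-denied")
    if "TRUSTED_FOR_DELEGATION" not in delegation_flags(server_uac):
        findings.append("server-not-trusted-for-delegation")
    if "NOT_DELEGATED" in delegation_flags(user_uac):
        findings.append("user-marked-not-delegated")
    return findings

if __name__ == "__main__":
    # Constructed values: member server trusted for delegation, ordinary user.
    print(decode_hresult("80070005"))
    print(triage("80070005", server_uac=0x81000, user_uac=0x200))
```

A result of only `win32-access-denied` matches the situation described above: the account flags are already in order, so the remaining variable is the authentication method and IIS version.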






Copyright 2003 - 2008 webservertalk.com