IIS Server Security - What would prevent an ISAPI extension from opening a socket on IIS 6?


David Cordes

2004-11-05, 5:50 pm

Problem
=-=-=-=-
I am working with a customer who has installed IIS 6. They have
installed two different products that communicate with other servers
through ISAPI Filters. In both products the ISAPI filters work
correctly until they try to obtain a socket.

Both of these programs are trying to communicate with different server
processes on the same machine with 127.0.0.1 as the address. Both
server processes show every indication of working.

I suspect there is an IIS or Windows Server 2003 setting I am missing.

Technical Details
=-=-=-=-=-=-=-=-=
One of the products is Open Source so I was able to determine the
exact line that gets called:

socket(AF_INET, SOCK_STREAM, 0);

The WinSock2 API using WSAGetLastError() indicates that permission is
denied.

The customer can use other programs (such as telnet) to obtain a
socket and open a connection to the local server process. The problem
appears only to occur when running within IIS 6 with the IUSR account.

Already Checked:
=-=-=-=-=-=-=-=-
- TCP/IP Filtering on the adaptor turned off.
- Local security policy has not applied any of the IP policies, and all
network access user settings are identical to those on my Windows
Server 2003 machine.
- Customer indicates that no firewalls are running on this machine, and
since I am connecting via 127.0.0.1 an external firewall should not
have any bearing here, I would expect. I also do not suspect a
firewall; firewalls usually block communications but do not prevent a
socket from even being obtained from the OS.

Any suggestions are appreciated. Thank you.
David Wang [Msft]

2004-11-06, 2:46 am

Are you talking about an ISAPI Extension or an ISAPI Filter?

ISAPI Filter on IIS6 would be running as process identity, which is either
LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6
Worker Process Isolation Mode.

ISAPI Extension would be the impersonated identity, which is either the
configured anonymous user if anonymous authentication, or likely to be the
logged in browser user for any other authentication type.

I'm not certain if Windows Server 2003 has decided to deny certain user
identities access to Networking. Are you saying that the Winsock call works
on your Windows Server 2003 but not your customer's?

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//


David Cordes

2004-11-08, 5:50 pm

They are two ISAPI Filters, each made by a different company, and each
makes a network connection. Both fail when they try to make that
network connection, and only on one customer's machine. They both work
on my machine and many other customers' machines.

I am collecting the customer's application pool settings to see
whether they are in isolation mode and if not which identity they are
using.

However, I am not sure how a user account can be configured in such a
way as to make opening any network connection impossible. Other
accounts can make network connections. Did you have a particular
setting in mind? I looked through the local security policy settings
for "Security Options" and confirmed that "Network access" settings
made sense when compared to my machine.

--- David



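The application pool check David Cordes says he is collecting is the right next step, since David Wang's reply ties the identity executing the socket() call to three metabase settings: isolation mode, the app pool identity, and the anonymous user. The following PowerShell script is an added example (not from the thread or either product) that reads those settings; it assumes PowerShell and the IIS 6 WMI provider (namespace root\MicrosoftIISv2) are present on the Windows Server 2003 host and that it runs as a local administrator.

```powershell
# Added example: report the IIS 6 settings that decide which Windows identity
# an ISAPI filter or extension runs under. Assumes the IIS 6 WMI provider
# (root\MicrosoftIISv2) is installed and the script runs as an administrator.
$ns = 'root\MicrosoftIISv2'

# 1. Isolation mode. In IIS 5 compatibility mode filters run in inetinfo.exe as
#    LocalSystem; in worker process isolation mode they run in w3wp.exe as the
#    application pool identity.
$svc = Get-WmiObject -Namespace $ns -Class IIsWebServiceSetting
if ($svc.IIs5IsolationModeEnabled) {
    "Isolation mode: IIS 5 compatibility (inetinfo.exe, LocalSystem)"
} else {
    "Isolation mode: worker process isolation (w3wp.exe, app pool identity)"
}

# 2. Application pool identities. AppPoolIdentityType is a metabase enum:
#    0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = configured user.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }
Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting | ForEach-Object {
    $type = $identityNames[[int]$_.AppPoolIdentityType]
    $who  = if ($type -eq 'SpecificUser') { $_.WAMUserName } else { $type }
    "AppPool {0}: identity = {1}" -f $_.Name, $who
}

# 3. Anonymous user per site or virtual directory. This is the impersonated
#    identity an ISAPI extension runs as when anonymous authentication is on
#    (AuthFlags bit 1 = AuthAnonymous); the IUSR account is the usual default.
Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting | ForEach-Object {
    $anon = ($_.AuthFlags -band 1) -ne 0
    "{0}: AppPoolId={1} anonymous={2} user={3}" -f $_.Name, $_.AppPoolId, $anon, $_.AnonymousUserName
}
```

With the identity known, its user rights in secpol.msc can be compared against the working machine, as the reply above suggests, instead of comparing the "Network access" options alone.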

David Wang [Msft]

2004-11-09, 2:49 am

Yeah, I can't think of anything else to check. I'm curious about the user
identity that is executing the ISAPI Filter code and looking through
secpol.msc to see if any privileges are missing relative to your working
ones.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//



David Cordes

2004-11-09, 5:52 pm

Sadly we may never find out :-) The customer tried a re-installation
of IIS which didn't work, but then re-installed the OS and the problem
vanished.

--- David

David Wang [Msft]

2004-11-10, 2:49 am

Well, I'm happy that the problem was "solved", though I tend to like knowing
why it worked vs the fact it did. Though I totally understand from a
business perspective, one values the fact that something works and not
necessarily why/how.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//



Copyright 2003 - 2008 webservertalk.com