IIS Server Security - IIS 5 loses authenticated user

Dan Ackermann

2004-02-25, 9:40 am

Hi all,
On my website I set up an admin area where users need to authenticate to
read pages.
After authenticating, a user may choose an upload page where a file is
imported to a specific directory.
In 9 of 10 cases the WriteFile fails with permission denied because
IIS uses the anonymous user to write the file (anonymous does not have
access to this specific directory); in the 10th case it works because IIS
uses the authenticated user????

What makes IIS switch user context ????
What am I doing wrong ???

Any help is highly appreciated.

TIA

Dan

Bernard

2004-02-25, 11:34 pm

If it works, it should work all the time, not 9 out of 10.
Are you using IIS authentication?

When accessing content, IIS will first check your IP to see if it's allowed,
then authentication if any, then web permission, and finally NTFS
permission. Throughout the process you will have a process identity and a
request identity. Process as in the account running the application, such as
LocalSystem for inetinfo, IWAM for dllhost, and request identity is the
thread that is actually accessing the content. If anonymous is allowed, IUSR
will be the authenticated user token for the content, or the authenticated
user if a registered account logged in.

You can try filemon (sysinternals.com) to track related access issues to see
which user is actually accessing or writing the content.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...


"Dan Ackermann" <dummy@intos.ch> wrote in message
news:#Dna0e4#DHA.2216@TK2MSFTNGP10.phx.gbl...
> Hi all,
> On my website I set up an admin area where users need to authenticate to
> read pages.
> After authenticating, a user may choose an upload page where a file is
> imported to a specific directory.
> In 9 of 10 cases the WriteFile fails with permission denied because
> IIS uses the anonymous user to write the file (anonymous does not have
> access to this specific directory); in the 10th case it works because IIS
> uses the authenticated user????
>
> What makes IIS switch user context ????
> What am I doing wrong ???
>
> Any help is highly appreciated.
>
> TIA
>
> Dan
>
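
As an added example (not part of the original thread): besides filemon, the IIS W3C extended log shows the identity of each request in `cs-username`, which is `-` when no user was authenticated. The script below groups requests to one URL by that identity; the log lines, the `/admin/upload.asp` path and the `CUSTOMER\alice` account are constructed for illustration.

```python
"""Group IIS W3C extended log entries for one URL by request identity."""
from collections import defaultdict

# Constructed sample log (not from the thread). cs-username is "-" when
# no user was authenticated for the request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-02-25 09:30:01 192.0.2.10 - GET /admin/default.asp 401
2004-02-25 09:30:05 192.0.2.10 CUSTOMER\\alice GET /admin/default.asp 200
2004-02-25 09:31:12 192.0.2.10 - POST /admin/upload.asp 500
2004-02-25 09:32:40 192.0.2.10 - POST /admin/upload.asp 500
2004-02-25 09:33:02 192.0.2.10 CUSTOMER\\alice POST /admin/upload.asp 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in #Fields:."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # The directive can reappear mid-file after a service restart.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def identities_for(text, uri_stem):
    """Map request identity -> [(time, status), ...] for one URL."""
    seen = defaultdict(list)
    for entry in parse_w3c(text):
        if entry.get("cs-uri-stem", "").lower() != uri_stem.lower():
            continue
        user = entry.get("cs-username", "-")
        identity = "anonymous" if user == "-" else user
        seen[identity].append((entry.get("time"), entry.get("sc-status")))
    return dict(seen)


if __name__ == "__main__":
    for who, hits in identities_for(SAMPLE_LOG, "/admin/upload.asp").items():
        print(who, hits)
```

Failed uploads that line up with `anonymous` entries mean the request reached the page without credentials, which separates a client or authentication question from an NTFS ACL question.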



Dan Ackermann

2004-02-26, 5:33 am

Bernard,
That's exactly what I'm thinking myself - but reality shows it's
different !!!
We are using NTFS permissions. (IIS permissions set to allow anonymous
& basic auth.)
In the specific directory anonymous has NTFS read rights and the
admin group for this customer NTFS full control.
Checked with filemon and it's exactly what I expected. If it does not
work I see an Access denied for user anonymous; if it works I see User
<unable to open token> ???
Well, something makes dllhost.exe switch user context, I just haven't found
out what it is :-(

Do you have any other idea ??
TIA

Dan





Bernard wrote:
> If it works, it should work all the time, not 9 out of 10.
> Are you using IIS authentication?
>
> When accessing content, IIS will first check your IP to see if it's allowed,
> then authentication if any, then web permission, and finally NTFS
> permission. Throughout the process you will have a process identity and a
> request identity. Process as in the account running the application, such as
> LocalSystem for inetinfo, IWAM for dllhost, and request identity is the
> thread that is actually accessing the content. If anonymous is allowed, IUSR
> will be the authenticated user token for the content, or the authenticated
> user if a registered account logged in.
>
> You can try filemon (sysinternals.com) to track related access issues to see
> which user is actually accessing or writing the content.
>


Bernard

2004-02-27, 2:34 am

What are the ACLs for the upload folder?
Do a test: grant Everyone full control. Do you have any problem with the
upload? If not, it is related to the ACL settings on that particular
folder.

When your application is running medium pooled or high isolation, the process
identity will be the IWAM user.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...


"Dan Ackermann" <dummy@intos.ch> wrote in message
news:e1wLyNF$DHA.2432@TK2MSFTNGP09.phx.gbl...
> Bernard,
> That's exactly what I'm thinking myself - but reality shows it's
> different !!!
> We are using NTFS permissions. (IIS permissions set to allow anonymous
> & basic auth.)
> In the specific directory anonymous has NTFS read rights and the
> admin group for this customer NTFS full control.
> Checked with filemon and it's exactly what I expected. If it does not
> work I see an Access denied for user anonymous; if it works I see User
> <unable to open token> ???
> Well, something makes dllhost.exe switch user context, I just haven't found
> out what it is :-(
>
> Do you have any other idea ??
> TIA
>
> Dan
>
>
>
>
>


