Home > Archive > IIS Server Security > March 2004 > Basic question on Windows Integrated Security
Basic question on Windows Integrated Security
I've asked in another post a more detailed question about IIS6
communicating with SQLServer 2000 when the two are on different
servers, but it occurred to me that I may have a very basic
misunderstanding about Windows Integrated Security in an internet
scenario.

When we allow anonymous access in IIS6, and specify which user
will be the default user for anonymous access (e.g.
IUSR_SERVERNAME), I am assuming that we can still use Windows
Integrated Security because the security model determines what
IUSR_SERVERNAME can access on the domain, and that we can use
Integrated Security EVEN IF the anonymous internet user is not
browsing with Internet Explorer but with another browser such as
Mozilla or Opera. Is my understanding not correct?

In other words, when we select Integrated Security on the IIS
properties dialog, is that with respect to communication between
the IIS worker account and other resources on the domain, or is it
for communication between the remote browser-client and the IIS
service itself?

Thanks
Timo
Ken Schaefer 2004-03-24, 8:36 pm
Hi

There is no "integrated security" option in IIS. There is "Integrated
Windows Authentication". This governs communication between browser and
server.

There is an "integrated security" option for SQL Server (as opposed to Mixed
Mode, which also allows SQL Server Authentication).

If you want the IUSR_<machinename> account to be used to login to SQL
Server, then you need to allow "Anonymous Authentication" in IIS. In this
case, IIS will impersonate the configured anonymous user account, rather
than having the user specify a Windows user account.

Note: the IUSR_<machinename> account is, by default, local to the webserver
and can't be assigned permissions to remote resources. You could change this
to a domain account if you wanted to.

Note: ASP.Net does not use IUSR_<machinename> by default, unless you
configure <identity impersonate="true">. On IIS5, ASP.Net uses the
Machine\ASPNet account by default (you can change this in machine.config for
example). In IIS6 ASP.Net uses the Web Application Pool process identity
(configurable via the IIS Manager).

Cheers
Ken
"Timo" <timo@anonymous.com> wrote in message
news:MPG.1acbd74bc63f19e19896e7@msnews.microsoft.com...
Ken,
Thanks for the clarifications. Beginning to see some light through
the trees ;-)
Is the default Web Application Pool process identity, like the
IUSR_<machinename> account, local to the machine so that it too
cannot be granted permissions on remote resources? If we were to
specify a particular domain account (with requisite SQL
permissions) as the Web Application Pool process identity, are we
then required to create some sort of special relationship ("trust
relationship?") between the SQL server and that domain account?
I'm confused by the articles I've been reading and the advice I've
been getting on this; some say to assign Service Principal Names
and others say this is unnecessary. We're Win2003 with
ActiveDirectory, IIS6, SQL2000.
Thanks
Timo
In article <eiSgGdgEEHA.3424@tk2msftngp13.phx.gbl>,
kenREMOVE@THISadOpenStatic.com writes...
Ken Schaefer 2004-03-25, 8:42 pm
Hi,

This is going to be even more confusing... :-)

IUSR_<machinename> is not the default Web App Pool identity.
IUSR_<machinename> is used by IIS as the account to impersonate for requests
where the user has not provided any credentials. So, if I request
http://servername/somepage.htm then IIS needs to impersonate a user account
in order to read the file off the hard disk. This user account is
IUSR_<machinename> (by default).

Now, each web application/website runs inside a process called w3wp.exe
(there can be multiple w3wp.exe processes on the server, if you configure
many app pools - eg to isolate your applications from each other for
stability purposes). The w3wp.exe process itself must have a user context
(called a process identity). Why? Well, even when the website is not
receiving any requests, w3wp.exe is still running, and it needs to run under
some kind of user account (everything in Windows does). This is the Web App
Pool identity, and is configurable via the Application Pools node in the IIS
Manager. The default process identity is NT AUTHORITY\Network Service.

Now, remember before how I said IIS impersonates IUSR_<machinename>? Well, it
does, for all requests for static files, and all ASP files. But *not*
ASP.Net files (eg .aspx, .asmx etc). ASP.Net just uses the default Web App
Pool identity (by default). So, if you wanted to login to SQL Server, then:

a) you could change the default web app pool identity to a domain account.
Make sure the domain account is in the IIS_WPG group on the webserver (this
group is allocated the necessary minimum rights to function as a worker
process). In SQL Server, in the "Security->Logins" node, you add
Domain\UserAccount as a permitted login, and configure whatever database
accesses you need.

b) if you also have ASP pages etc, then you might want to configure the IIS
anonymous user account (IUSR_<machinename>) to also be this domain account.
To have ASP.Net use the IUSR account instead of the worker process identity,
set <identity impersonate="true"> in your web.config. Then you can leave the
Worker Process identity alone.

c) SPNs, delegation etc are only required when the user authenticates to
IIS. When the user authenticates using Digest or IWA authentication, IIS
*does not have the user's password*. All it has is a token from the Domain
Controller verifying the user's identity. The token does not have privileges
to logon to other network resources. To do that, you need to configure
delegation, and SPNs (if required) (see the thread above this one for a
whole bunch of links).

Cheers
Ken
"Timo" <timo@anonymous.com> wrote in message
news:MPG.1acc9ccbd9761e5e9896e8@msnews.microsoft.com...
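The steps Ken lays out across his two replies (anonymous user, worker-process identity, IIS_WPG membership, SQL Server login, <identity impersonate="true">, and the SPN registration that is only needed for the authenticated-user case) as one added PowerShell example. This is not code from the thread, from Ken, or from Microsoft; it assumes a Windows Server 2003 web server whose IIS 6 metabase is reachable through ADSI, the SQL Server 2000 client tools (osql) and setspn installed, and made-up names: domain CORP, service account CORP\svc-web, application pool DefaultAppPool, site instance W3SVC/1, SQL Server host SQL01, database AppDb and site name www.example.com. The metabase property names used (AppPoolIdentityType, WAMUserName, WAMUserPass, AnonymousUserName, AnonymousUserPass, AuthFlags) are the IIS 6 ones; the sp_grantlogin/sp_grantdbaccess/sp_addrolemember procedures are the SQL Server 2000 ones.

```powershell
# Added example, not from the thread. Configures the IIS 6 and SQL Server 2000
# identities Ken describes. Run in an elevated prompt on the web server.
# Assumed (hypothetical) names: CORP\svc-web, DefaultAppPool, W3SVC/1,
# SQL01, AppDb, www.example.com.

$SvcUser = 'CORP\svc-web'
$Secure  = Read-Host -AsSecureString "Password for $SvcUser"
# The metabase needs the clear-text password; keep it in memory only.
$Bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$SvcPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# (a) Worker-process identity: a domain account that is a member of IIS_WPG,
#     so w3wp.exe has the minimum rights it needs and nothing more.
#     AppPoolIdentityType 3 = specific (configurable) user account.
& net localgroup IIS_WPG $SvcUser /add
$pool = [ADSI]'IIS://localhost/W3SVC/AppPools/DefaultAppPool'
$pool.Put('AppPoolIdentityType', 3)
$pool.Put('WAMUserName', $SvcUser)
$pool.Put('WAMUserPass', $SvcPass)
$pool.SetInfo()

# (b) Anonymous user for static files and classic ASP: the same domain
#     account, so every request path reaches SQL Server as one known principal.
#     AuthFlags 1 = anonymous only (Basic = 2, IWA/NTLM = 4, Digest = 16).
$root = [ADSI]'IIS://localhost/W3SVC/1/Root'
$root.Put('AnonymousUserName', $SvcUser)
$root.Put('AnonymousUserPass', $SvcPass)
$root.Put('AuthFlags', 1)
$root.SetInfo()

# (b, ASP.NET) Make .aspx/.asmx requests impersonate the anonymous user
#     instead of running as the worker-process identity (Ken's option b).
$WebConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>
'@
Set-Content -Path 'C:\Inetpub\wwwroot\web.config' -Value $WebConfig -Encoding UTF8

# (a, SQL side) Grant the domain account a Windows login and least-privilege
#     database access. osql -E uses the admin's own Windows credentials.
$Tsql = @"
EXEC sp_grantlogin '$SvcUser'
GO
USE AppDb
GO
EXEC sp_grantdbaccess '$SvcUser'
EXEC sp_addrolemember 'db_datareader', '$SvcUser'
GO
"@
$TsqlFile = Join-Path $env:TEMP 'grant-svc-web.sql'
Set-Content -Path $TsqlFile -Value $Tsql -Encoding ASCII
& osql -E -S SQL01 -i $TsqlFile
Remove-Item $TsqlFile

# (c) Only when users authenticate to IIS (IWA) and their own identity must
#     flow on to SQL Server: register HTTP SPNs on the worker-process account
#     so Kerberos is used, then enable delegation for the account in AD Users
#     and Computers. Not needed for the all-anonymous setup above.
& setspn -A 'HTTP/www.example.com' $SvcUser
& setspn -A 'HTTP/www' $SvcUser

$SvcPass = $null
```

Two things to keep straight when running this: the clear-text password passes through the script's memory and into the metabase (which stores it encrypted), so run it interactively rather than from a saved file containing the password; and section (c) is a separate decision from (a) and (b). With anonymous authentication the connection to SQL01 is a single hop made by svc-web, so no SPN or delegation is involved; SPNs and delegation only matter once IIS holds a token for a browser user and must forward that identity to a second server.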
Thank you, Ken, for getting us onto the right track, and for this
extended explanation. We are up and running!
Timo