|
Home > Archive > IIS Server Security > March 2004 > Problems with application pools
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Problems with application pools
|
|
| Jeremy Chapman 2004-03-26, 2:04 pm |
| I have created a web service and deployed it on IIS 6. When it uses the
DefaultAppPool I can connect to it fine when I have set the web service to
use windows authentication.
I need to set the web service to use a different app pool though, and when I
do, I get a 401.1 error 'you anre not authorized to view this page.
The error will occure if I have the web service running on a different
machine than my ie browser, but not if ie and the web service are on a
different machine.
I have ensured that the identity that I'm using for the app pool is in the
IIS_WPG group on the machine.
I originally thought that delegation had something to do with it, but I
don't think it does, because delegation usually only comes in to play when
there are 3 machines involved does it not?
If I look at the IIS log, I can see that when the the app pool for the web
service is not set to DefaultAppPool, the credentials do not get passed to
IIS, but the do get passed with the DefaultAppPool.
| |
| David Wang [Msft] 2004-03-26, 4:37 pm |
| When you use Integrated Authentication with Customized AppPool Identity and
your server is in a domain, you need to read this part of the documentation
on Custom AppPool Identity:
http://www.microsoft.com/technet/pr...rkridentity.asp
What is happening is that you start using Kerberos, which imposes conditions
on the worker process identity. Network Service is an identity that works
by default; you will need to do some additional configuration to have it
work with a custom process identity.
Basically, your choices are:
1. Configure Kerberos correctly
2. Fallback to use NTLM
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jeremy Chapman" <NoSpam@Please.com> wrote in message
news:%23Y1wxP2EEHA.2524@TK2MSFTNGP09.phx.gbl...
I have created a web service and deployed it on IIS 6. When it uses the
DefaultAppPool I can connect to it fine when I have set the web service to
use windows authentication.
I need to set the web service to use a different app pool though, and when I
do, I get a 401.1 error 'you anre not authorized to view this page.
The error will occure if I have the web service running on a different
machine than my ie browser, but not if ie and the web service are on a
different machine.
I have ensured that the identity that I'm using for the app pool is in the
IIS_WPG group on the machine.
I originally thought that delegation had something to do with it, but I
don't think it does, because delegation usually only comes in to play when
there are 3 machines involved does it not?
If I look at the IIS log, I can see that when the the app pool for the web
service is not set to DefaultAppPool, the credentials do not get passed to
IIS, but the do get passed with the DefaultAppPool.
|
|
|
|
|