|
Home > Archive > IIS Server Security > September 2004 > Anonymous logon and ISAPI in IIS 5
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Anonymous logon and ISAPI in IIS 5
|
|
|
| Hi. I have a website configured for windows integrated authentication with
Anonymous access enabled (using default IIS anonymous user account). On this
website I have "isapi" sub-folder and in it "MyIsapi.dll". Directory/file
security for both is the same as for the rest of the site. NTFS permissions
for "MyIsapi.dll" allow all access to Everyone group. I think with these
settings Anonymous logon should be possible, but it's not. When I connect to
isapi dll using Internet Explorer from a machine other than the server, I get
401.3 error - "Access denied by ACL on resource". A couple of other
quirks... The server runs Windows 2000 server. It's a domain controller and
part of a 2-machine Microsoft cluster. Active directory is enabled and
that's where all user accounts are configured. The Web site is a clustered
resource. So is the disk on which the files for the web site are located. It
is a local disk, i.e. web site doesn't point to any shares. I am able to
access all other files on the site, but IIS refuses to load MyIsapi.dll
anonymously.
If I connect from the server machine, it works and MyIsapi.dll is loaded
into memory. After that I can connect anonymously from other machines, until
IIS is restarted or decides to clear MyIsapi.dll from memory cache for some
reason.
Is anything wrong with my security settings? Please help!!! I appreciate
any suggestions.
Thank You very much
| |
|
| Never mind, I solved this problem. I forgot that MyIsapi.dll uses some other
dlls. When I checked NTFS permissions on those, anonymous users didn't have
access. I changed permissions to allow "Everyone" read and execute access
and the thing started working.
"Alex" wrote:
> Hi. I have a website configured for windows integrated authentication with
> Anonymous access enabled (using default IIS anonymous user account). On this
> website I have "isapi" sub-folder and in it "MyIsapi.dll". Directory/file
> security for both is the same as for the rest of the site. NTFS permissions
> for "MyIsapi.dll" allow all access to Everyone group. I think with these
> settings Anonymous logon should be possible, but it's not. When I connect to
> isapi dll using Internet Explorer from a machine other than the server, I get
> 401.3 error - "Access denied by ACL on resource". A couple of other
> quirks... The server runs Windows 2000 server. It's a domain controller and
> part of a 2-machine Microsoft cluster. Active directory is enabled and
> that's where all user accounts are configured. The Web site is a clustered
> resource. So is the disk on which the files for the web site are located. It
> is a local disk, i.e. web site doesn't point to any shares. I am able to
> access all other files on the site, but IIS refuses to load MyIsapi.dll
> anonymously.
>
> If I connect from the server machine, it works and MyIsapi.dll is loaded
> into memory. After that I can connect anonymously from other machines, until
> IIS is restarted or decides to clear MyIsapi.dll from memory cache for some
> reason.
>
> Is anything wrong with my security settings? Please help!!! I appreciate
> any suggestions.
>
> Thank You very much
|
|
|
|
|