IIS Server Security - Looking for an article on identities used in IIS 6.0 web applicati

Chris Cichocki

2005-10-24, 11:03 am

I'm looking for an article that would explain the request processing that
goes on in IIS 6.0. For example, when a request is received, it starts a new
process by running w3wp.exe and it is started with the identity specified in
the Application Pool settings. But then if you request a file, the file is
requested with the identity of either the anonymous user specified in the
Directory Security configuration of the virtual directory, or with the user's
Windows identity if Windows Authentication is checked (and the resource is
not accessible to the anonymous user). The result is that you need to grant
permission to BOTH the identity running w3wp.exe AND the identity in the
HTTPContext object.

I've found bits and pieces of this explained by various documents, but I'm
wondering if there is a single document that explains all this from start to
finish.

Thanks!
Chris
Tom Kaminski [MVP]

2005-10-24, 11:03 am

"Chris Cichocki" <chris.cichocki@newsgroup.nospam> wrote in message
news:C2717817-DD51-413D-AD9C-12AB0068B44E@microsoft.com...
> I'm looking for an article that would explain the request processing that
> goes on in IIS 6.0. For example, when a request is received, it starts a new
> process by running w3wp.exe and it is started with the identity specified in
> the Application Pool settings. But then if you request a file, the file is
> requested with the identity of either the anonymous user specified in the
> Directory Security configuration of the virtual directory, or with the user's
> Windows identity if Windows Authentication is checked (and the resource is
> not accessible to the anonymous user). The result is that you need to grant
> permission to BOTH the identity running w3wp.exe AND the identity in the
> HTTPContext object.
>
> I've found bits and pieces of this explained by various documents, but I'm
> wondering if there is a single document that explains all this from start to
> finish.


Are you talking about ASP.NET? Does this do it?
http://support.microsoft.com/defaul...kb;en-us;317012

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS


Wei-Dong XU [MSFT]

2005-10-24, 11:03 am

Hi Chris,

Tom has suggested a very good article on this topic in ASP.net.
Furthermore, I'd also suggest the article "Web Site Authentication" in the IIS
online help, which contains all the information about IIS6 authentication.

In addition, some articles on IIS authentication will also be helpful:
158229 INFO: Security Ramifications for IIS Applications
http://support.microsoft.com/?id=158229

174775 How Windows NT Challenge/Response Works
http://support.microsoft.com/?id=174775

About Authentication
http://www.microsoft.com/windows200...p?url=/windows2000/en/server/iis/htm/core/iiabasc.htm

Please feel free to let me know if you have any further questions on this
matter.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.
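
The identities discussed in this thread can be observed directly on a server. The following is an added example, not code from any poster or from the linked articles: an ASP.NET 2.0 handler (the class name `WhoAmIHandler` and the choice of `~/web.config` as the test file are hypothetical) that reports the IIS logon identity, the `HttpContext` user, the thread token and the w3wp.exe process identity, and attempts a real file read under the last two. It assumes the application runs with full trust.

```csharp
// Added diagnostic example; WhoAmIHandler is a hypothetical name.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Hypothetical target: any content file whose NTFS ACL is being checked.
        string target = context.Server.MapPath("~/web.config");
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Windows identity IIS established for the request
        // (the configured anonymous account or the authenticated Windows user).
        r.Write("IIS logon identity : " + context.Request.LogonUserIdentity.Name + "\n");

        // Identity ASP.NET exposes to application code; the name is empty when anonymous.
        string user = context.User == null ? "(none)" : context.User.Identity.Name;
        r.Write("HttpContext.User   : \"" + user + "\"\n");

        // Token on the current thread: the impersonated user if ASP.NET
        // impersonation is enabled, otherwise the worker process identity.
        r.Write("Thread identity    : " + WindowsIdentity.GetCurrent().Name
                + " -> " + TryRead(target) + "\n");

        // Drop any impersonation for the duration of the block to see the
        // application pool identity that w3wp.exe runs as.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            r.Write("Process identity   : " + WindowsIdentity.GetCurrent().Name
                    + " -> " + TryRead(target) + "\n");
        } // Dispose() restores the previous thread token.
    }

    // Performs an actual open so the result reflects effective NTFS access
    // (group membership and deny entries included) for the current token.
    private static string TryRead(string path)
    {
        try { using (FileStream fs = File.OpenRead(path)) { return "read OK"; } }
        catch (UnauthorizedAccessException) { return "ACCESS DENIED"; }
        catch (IOException e) { return "I/O error: " + e.Message; }
    }
}
```

The handler has to be mapped under `<httpHandlers>` in the application's web.config before it can be requested; comparing its output with impersonation and Windows Authentication toggled shows which account each ACL entry has to cover.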

Copyright 2003 - 2008 webservertalk.com