IIS Server Security - why do .asp files prompt for login but .htm files do not?


mushu

2005-11-14, 5:56 pm

IIS 5.0 in a domain. IIS has Basic & Integrated selected, NOT
anonymous. All users have I.E. browser. All users are members of the
same domain. IIS Basic Auth MMC section has the correct domain entered.
There is no global.asa file in the directory. All links in the .asp
page have been validated and checked to ensure that they exist and have
the correct ACL's.

I'm wondering why the .asp pages are prompting for login but the .htm
pages are not. I searched but was unable to find any solution to this
question, however I see that others have asked it before...just no
responses.

TIA!

David Wang [Msft]

2005-11-14, 8:50 pm

Well, for .htm page, IIS just opens that file and sends it back -- so if the
user credentials are all good, this should just succeed.

For .asp page, it could run code to do other things -- like talk to a DB to
authenticate users, or read files from a remote UNC share -- and some of
those other things may not be possible given the authenticated user
credentials -- so you could get 401 access denied and browser ends up
prompting for login.

In other words, there is a good reason why people ask this question and get
no response -- because as-stated, it is really ambiguous and not possible to
answer without more details.

Unfortunately, people are usually pretty bad about providing details and
since this is a community supported on everyone's own free time, no one is
obligated to solve your problem. So, it is to your best advantage to do your
homework and make the problem so attractive that people can't help but help
you out...

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"mushu" <tim.m.valdez@gmail.com> wrote in message
news:1132004889.746492.46310@z14g2000cwz.googlegroups.com...
> IIS 5.0 in a domain. IIS has Basic & Integrated selected, NOT
> anonymous. All users have I.E. browser. All users are members of the
> same domain. IIS Basic Auth MMC section has the correct domain entered.
> There is no global.asa file in the directory. All links in the .asp
> page have been validated and checked to ensure that they exist and have
> the correct ACL's.
>
> I'm wondering why the .asp pages are prompting for login but the .htm
> pages are not. I searched but was unable to find any solution to this
> question, however I see that others have asked it before...just no
> responses.
>
> TIA!


karl levinson, mvp

2005-11-17, 6:12 pm

You say that file permissions have been checked, but this still sounds to me
like a permissions problem. Depending on the circumstances, the
IWAM_machinename, IUSR_machinename AND the user accounts used might be
missing needed permissions. And the permissions don't need to be applied
just to the content files of your web page, but to some Windows system files
as well. You may also need to grant more than just read permissions for
some of those places as well.

I would suggest troubleshooting this like any other file permission problem.
Checking the IIS web server log after reproducing the web site failure may
show you what account if any is being denied access to what file. Look of
course for 400-level error messages relating to authentication and rights
first, and possibly 500-level messages as well. Next, run filemon [file
monitor] free from www.sysinternals.com on the server while reproducing the
web site failure.

You can also enable NTFS file access failure auditing for all users on the
content files, windows folder and program files folder, then reproduce the
error and check the Windows security event log for failures.

http://securityadmin.info/faq.asp#auditing

I'm guessing that when you are not being asked to authenticate, the web
browser has silently authenticated for the user, and you are asked to
authenticate when the browser is told that the user authentication failed
due to insufficient permissions.

Just a guess, but if in the IIS server properties for that folder you have
chosen Medium or High for Application isolation, then the IWAM_machinename
account by default is used to access those files, while IUSR_machinename is
used by default to access static files like HTML. This is most true when
anonymous authentication is used, but some of the articles I googled suggest
that this might also happen under some other scenarios as well.

Some articles suggest that in some instances, the user configured to run COM
/ DCOM might come into play, depending. I'm less knowledgeable in that
area, but running dcomcnfg or checking for user accounts in the Component
Services control panel might be something to try if all else fails.

You may have already seen these, but more information on what IIS
permissions are required where is at:

How to set secure NTFS Permissions on IIS directories and log files -
http://support.microsoft.com/?kbid=310361

Minimum NTFS file permissions required for IIS:
http://support.microsoft.com/?kbid=187506

If all that fails, some of these articles might have some other suggestions
and information:

http://www.joelonsoftware.com/print...ngIWAMacco.html
www.windowsitpro.com/Articles/Index.cfm?ArticleID=45549
www.google.com/search?q=iwam+anonym...c+OR+integrated



"mushu" <tim.m.valdez@gmail.com> wrote in message
news:1132004889.746492.46310@z14g2000cwz.googlegroups.com...
> IIS 5.0 in a domain. IIS has Basic & Integrated selected, NOT
> anonymous. All users have I.E. browser. All users are members of the
> same domain. IIS Basic Auth MMC section has the correct domain entered.
> There is no global.asa file in the directory. All links in the .asp
> page have been validated and checked to ensure that they exist and have
> the correct ACL's.
>
> I'm wondering why the .asp pages are prompting for login but the .htm
> pages are not. I searched but was unable to find any solution to this
> question, however I see that others have asked it before...just no
> responses.
>
> TIA!
>
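Added example, not part of the thread: a Python sketch of the log check suggested in the reply above, run over W3C extended log lines. The sample lines, field order, addresses and the EXAMPLE domain are constructed, and treating a 401 logged with a username as a denial after authentication (rather than the initial challenge, which is logged with "-") is a heuristic assumed here.

```python
import os
from collections import Counter

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2005-11-14 17:50:01 10.0.0.21 - GET /intranet/default.htm 401 5
2005-11-14 17:50:01 10.0.0.21 EXAMPLE\\alice GET /intranet/default.htm 200 0
2005-11-14 17:50:09 10.0.0.21 - GET /intranet/report.asp 401 5
2005-11-14 17:50:09 10.0.0.21 EXAMPLE\\alice GET /intranet/report.asp 401 5
2005-11-14 17:50:15 10.0.0.21 EXAMPLE\\alice GET /intranet/report.asp 401 5
2005-11-14 17:51:30 10.0.0.34 EXAMPLE\\bob GET /intranet/orders.asp 500 0
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def triage(records):
    """Keep real failures; drop the 401 challenge sent before credentials."""
    findings = []
    for r in records:
        status = int(r["sc-status"])
        user = r.get("cs-username", "-")
        if status == 403 or (status == 401 and user != "-"):
            kind = "denied-after-auth"   # heuristic: user known, access refused
        elif status >= 500:
            kind = "server-error"
        else:
            continue
        uri = r["cs-uri-stem"]
        ext = os.path.splitext(uri)[1].lower()
        findings.append((kind, ext, user, uri, r.get("sc-win32-status", "-")))
    return findings

def count_by_extension(findings):
    """Count findings per (kind, file extension), e.g. .asp versus .htm."""
    return Counter((kind, ext) for kind, ext, *_ in findings)

if __name__ == "__main__":
    for finding in triage(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

A sc-win32-status of 5 is the Win32 "access denied" code, which points at the ACL checks described in the reply.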




Copyright 2003 - 2008 webservertalk.com