Anonymous access not working
| All,
We have a .NET application running on Windows 2003/IIS 6.0. I set up the
application pool account with the network service account and have allow
anonymous set for the web site. It is using the iusr machine account. In
order for us to access data from our SQL Server we impersonate the ASPNET
with a domain account so we can use windows authentication between the 2
servers.
The problem is that when we try to access the web site, we are prompted with
a challenge response. Even if I remove the impersonate=true from the
web.config, we still get prompted for user id and password.
What am I missing?
Thanks
--
Mike Gasperino
Sr. Software Developer
office: 919-807-2310
| |
| Ken Schaefer 2005-06-07, 2:48 am |
| Does the IIS_WPG (or Network Service, or whatever account ASP.NET is
configured to impersonate) have appropriate NTFS permissions to the actual
files on the server's hard disk?
Cheers
Ken
--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
| |
|
| Yes, based on the patterns and practices on how to set up a custom account
to run as ASP.NET. I added my custom account to the IIS_WPG group and
applied the permissions to that group. In order to have anonymous access,
who should be in that group besides my custom account?
| |
| Tiago Halm 2005-06-10, 5:56 pm |
| Make sure you only have "Anonymous" set as the Auth for the VDir
(folder/file) you're accessing.
Make sure you add R(ead) access to the anonymous account onto the file
system where the VDir (folder/file) resides.
Do not add the anonymous account to the IIS_WPG. This group is for Worker
Process (AppPools) accounts, and not for Anonymous accounts.
Make sure the account with which you've set the impersonate also has R(ead)
access to the physical file system.
Microsoft's ASP.NET documentation is sometimes outdated regarding ASP.NET
settings when it comes to Win2003/IIS6.
While in WinXP/IIS5.1 non-ASP.NET code runs on inetinfo.exe, ASP.NET code
runs in aspnet_wp.exe. The account with which the only worker process
(aspnet_wp.exe) runs is set in machine.config.
In IIS6, all non-ASP.NET and ASP.NET code run inside the same process(es)
(w3wp.exe). The account with which the worker processes (w3wp.exe) run is
not set in machine.config, but in the AppPools node ... better yet, it's set
on the metabase.xml file because Application Pools are now a part of IIS and
not only part of ASP.NET.
The ASPNET account on IIS6, does not "exist" anymore just like it existed in
IIS5.1. In WinXP/IIS5.1, this account is normally used by inetinfo.exe to
launch the aspnet_wp.exe process. Clearly, in Win2003/IIS6 this has changed
significantly as explained above. Some settings in machine.config are no
longer part of the overall picture when running ASP.NET in IIS6.
Tiago Halm
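The checks in the reply above can be started from the metabase.xml file it mentions. The following is an added example, not part of the thread: it resolves the effective (inherited) authentication flags, anonymous account and worker process identity for each virtual directory. It assumes the IIS 6 metabase property names AuthFlags, AnonymousUserName, Path, AppPoolId, AppPoolIdentityType and WamUserName; the XML fragment and every site, path and account name in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified metabase.xml fragment; site, path and account
# names are made up. Real files have many more attributes per node.
SAMPLE = r"""<configuration><MBProperty>
 <IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB01"
   AuthFlags="AuthAnonymous | AuthNTLM"/>
 <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="D:\sites\www"
   AppPoolId="AppPool1"/>
 <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/app" Path="D:\sites\app"
   AuthFlags="AuthAnonymous"/>
 <IIsApplicationPool Location="/LM/W3SVC/AppPools/AppPool1"
   AppPoolIdentityType="2"/>
</MBProperty></configuration>"""

# AppPoolIdentityType 3 means a configured account, named in WamUserName.
POOL_IDENTITY = {"0": "LocalSystem", "1": "LocalService", "2": "NetworkService"}

def load(xml_text):
    """Map each Location (upper-cased for comparison) to its own attributes."""
    return {el.get("Location").upper(): dict(el.attrib)
            for el in ET.fromstring(xml_text).iter() if el.get("Location")}

def effective(nodes, location, prop):
    """Properties inherit downwards: walk up the path until one is set."""
    loc = location.upper()
    while loc:
        if prop in nodes.get(loc, {}):
            return nodes[loc][prop]
        loc = loc.rpartition("/")[0]
    return None

def audit(xml_text):
    nodes, report = load(xml_text), []
    for loc in sorted(nodes):
        if "Path" not in nodes[loc]:        # only nodes mapped to a disk path
            continue
        raw = effective(nodes, loc, "AuthFlags") or ""
        flags = {f.strip() for f in raw.split("|")} - {""}
        pool = "/LM/W3SVC/AppPools/%s" % effective(nodes, loc, "AppPoolId")
        kind = effective(nodes, pool, "AppPoolIdentityType")
        report.append({
            "location": nodes[loc]["Location"],
            "path": nodes[loc]["Path"],
            "anonymous_only": flags == {"AuthAnonymous"},
            "other_auth": sorted(flags - {"AuthAnonymous"}),
            # This account needs NTFS Read on "path" and stays out of IIS_WPG.
            "anonymous_user": effective(nodes, loc, "AnonymousUserName"),
            "worker_identity": POOL_IDENTITY.get(kind) or effective(nodes, pool, "WamUserName"),
        })
    return report
```

The NTFS permissions themselves, and the account named in the web.config impersonation setting, are not in the metabase and still have to be checked on the file system.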