IIS Server Security - Diff behavior for "Integrated windows authentication" in IIS6 Vs I

Author

Diff behavior for "Integrated windows authentication" in IIS6 Vs I

David Zhu

2006-11-24, 1:21 pm

Hi,

I'm quite confused by the behavior of IIS6's "Integrated windows
authentication"!

Because when I specify an admin account as the Identity of the application
pool which my web application used. Then, even an anounymous user in the
intranet
would be able to access my application, and in the meanwhile I didn't enable
the anounymous access in IIS6.

But this case, would never happenned in IIS5, because as we know that other
users who did not have the priviledge to access the server, would not be able
to
access my web application when "Integrated windows authentication" be
enabled only.

Please help me, thanks.

Roger Abell [MVP]

2006-11-25, 1:30 am

You need to provide more precise details.
It is not just whether Windows integrated authentication is or is
not enabled for use, but also what permissions exist on the content
that determines what access happens. The account used for the
application pool does not really alter the authentication behavior
when the browser hits on the site.

"David Zhu" <DavidZhu@discussions.microsoft.com> wrote in message
news:487A0A8C-AA7F-4C05-915C-137F378DA605@microsoft.com...
>
> Hi,
>
> I'm quite confused by the behavior of IIS6's "Integrated windows
> authentication"!
>
> Because when I specify an admin account as the Identity of the application
> pool which my web application used. Then, even an anounymous user in the
> intranet
> would be able to access my application, and in the meanwhile I didn't
> enable
> the anounymous access in IIS6.
>
> But this case, would never happenned in IIS5, because as we know that
> other
> users who did not have the priviledge to access the server, would not be
> able
> to
> access my web application when "Integrated windows authentication" be
> enabled only.
>
> Please help me, thanks.
>
>