IIS Server Security - SSL and Anonymous Authentication

WhoKnows

2007-03-14, 7:20 pm

I want to use Anonymous authentication to a website served by IIS 6.0 and
Windows 2003 that is the front end for a database on a separate computer
that requires user logon to access the data. I also want to use SSL to
encrypt the return of the data from the browser to the anonymous user. It
seems that I must turn on sub-authentication to authenticate the anonymous
user on the website in order to continue beyond logging into the database.
Is this true? The problem with sub-authentication seems to be that the
anonymous user has to run under the local system account which could be a
security hole. Is there a way around this?


David Wang

2007-03-15, 7:22 am

Anonymous authentication works without sub-authentication.

http://blogs.msdn.com/david.wang/ar...entication.aspx

You just need to make sure that you set the correct password for the
configured anonymous user account so that IIS can login with it using
a normal, unprivileged account. If you do not set the correct password
in IIS configuration, then you will need to run IIS as LocalSystem to
use sub-authentication so that IIS can login the anonymous user
account without knowing the password.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Mar 14, 3:22 pm, "WhoKnows" <parkhens...@yahoo.com> wrote:
> I want to use Anonymous authentication to a website served by IIS 6.0 and
> Windows 2003 that is the front end for a database on a separate computer
> that requires user logon to access the data. I also want to use SSL to
> encrypt the return of the data from the browser to the anonymous user. It
> seems that I must turn on sub-authentication to authenticate the anonymous
> user on the website in order to continue beyond logging into the database.
> Is this true? The problem with sub-authentication seems to be that the
> anonymous user has to run under the local system account which could be a
> security hole. Is there a way around this?


WhoKnows

2007-03-15, 1:28 pm

Thanks,

That's good because I did not want to have my users running under local
system. But I do not see how to make sure that the correct password is used
in both Windows 2003 and IIS. In Local Users and Groups, I just see the
Internet Guest Account and no password box to change it and don't know what
it is so that I can then enter that into IIS. I guess the question really is
what is the Internet Guest Account password and can I change it and how?

Thanks

"David Wang" <w3.4you@gmail.com> wrote in message
news:1173942878.906225.315480@y80g2000hsf.googlegroups.com...
> Anonymous authentication works without sub-authentication.
>
> http://blogs.msdn.com/david.wang/ar...entication.aspx
>
> You just need to make sure that you set the correct password for the
> configured anonymous user account so that IIS can login with it using
> a normal, unprivileged account. If you do not set the correct password
> in IIS configuration, then you will need to run IIS as LocalSystem to
> use sub-authentication so that IIS can login the anonymous user
> account without knowing the password.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
> On Mar 14, 3:22 pm, "WhoKnows" <parkhens...@yahoo.com> wrote:
>



David Wang

2007-03-15, 1:28 pm

The anonymous user's password is randomly generated on every machine.
You will need to manually first set it to a known value within Local
Users and Groups (Right click on user name and select "Set
Password..."), then use a script like the following to synchronize the
value in IIS to match this known value.

http://blogs.msdn.com/david.wang/ar...als-in-IIS.aspx


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Mar 15, 8:11 am, "WhoKnows" <parkhens...@yahoo.com> wrote:
> Thanks,
>
> That's good because I did not want to have my users running under local
> system. But I do not see how to make sure that the correct password is used
> in both Windows 2003 and IIS. In Local Users and Groups, I just see the
> Internet Guest Account and no password box to change it and don't know what
> it is so that I can then enter that into IIS. I guess the question really is
> what is the Internet Guest Account password and can I change it and how?
>
> Thanks
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1173942878.906225.315480@y80g2000hsf.googlegroups.com...


WhoKnows

2007-03-15, 7:23 pm

Thanks very much. Great solution.

"David Wang" <w3.4you@gmail.com> wrote in message
news:1173976195.300917.15840@n59g2000hsh.googlegroups.com...
> The anonymous user's password is randomly generated on every machine.
> You will need to manually first set it to a known value within Local
> Users and Groups (Right click on user name and select "Set
> Password..."), then use a script like the following to synchronize the
> value in IIS to match this known value.
>
> http://blogs.msdn.com/david.wang/ar...als-in-IIS.aspx
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Mar 15, 8:11 am, "WhoKnows" <parkhens...@yahoo.com> wrote:
>
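
The two steps described in the thread (set the anonymous account to a known password, then store the same value in the IIS configuration), as an added example that is not part of the original thread and is not the script behind the link above. It assumes IIS 6.0 with the IIS ADSI provider, an anonymous account that is a local account on the web server, and the W3SVC-level metabase properties AnonymousUserName, AnonymousUserPass and AnonymousPasswordSync; it also reports whether sub-authentication or a LocalSystem application pool is still in use.

```powershell
# Added example (not from the thread). Run as an administrator on the IIS 6.0 server.
# Assumption: the anonymous user is a local account such as IUSR_<machine>.
$w3svc    = [ADSI]"IIS://localhost/W3SVC"
$anonName = ([string]$w3svc.psbase.Properties["AnonymousUserName"].Value).Split('\')[-1]

# 1. Read the new password without echoing it to the console.
$secure = Read-Host "New password for $anonName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 2. Set it on the Windows account (same effect as "Set Password..." in
#    Local Users and Groups).
$account = [ADSI]"WinNT://$env:COMPUTERNAME/$anonName,user"
$account.psbase.Invoke("SetPassword", $plain)

# 3. Store the same value in the metabase so IIS can log the account on
#    itself, without sub-authentication.
$w3svc.psbase.Properties["AnonymousUserPass"].Value = $plain
$w3svc.psbase.CommitChanges()
$plain = $null

# 4. Check: sub-authentication (AnonymousPasswordSync) should be off.
if ($w3svc.psbase.Properties["AnonymousPasswordSync"].Value) {
    Write-Warning "AnonymousPasswordSync is enabled: IIS still relies on sub-authentication."
}

# 5. Check: no application pool should run as LocalSystem (AppPoolIdentityType 0).
$pools = [ADSI]"IIS://localhost/W3SVC/AppPools"
foreach ($pool in $pools.psbase.Children) {
    if ([int]$pool.psbase.Properties["AppPoolIdentityType"].Value -eq 0) {
        Write-Warning "Application pool '$($pool.psbase.Name)' runs as LocalSystem."
    }
}
```

Sites or virtual directories that override the anonymous user settings below W3SVC are not covered by this script and need the same update at their own metabase path.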


