IIS/Windows Permissions/Rights
Web Server forum

    IIS/Windows Permissions/Rights  
Paul J. Landry




 
06-23-05 11:00 PM

HI Guys.
I hope you can help me out!

I've posted a similar question on "inetserver.asp.general" a couple of days
ago, but I think I'm gonna have better luck here since it's more of a
security issue, than a programming issue...

Here's the scenario:  2 Windows 2000 servers and one workstation. (Let's
call them WebServer, FileServer and XPClient). All 3 computers are on the
same domain.  Both Servers are DC's. (I've also tried with 1 DC and 1 Member
server)

I've written some asp pages for my Intranet that allow me to see basic
information about user accounts.  Included in that information is disk quota
data such as QuotaLimit, QuotaUsed, etc.

The web server (IIS5) is configured for "Integrated Windows Authentication"
which appears to be working perfectly. In every instance, I connect using an
Admin account.  NTFS permissions on the web site make sure of that.

If IE on WebServer connects to WebServer, IIS properly connects to
\\FileServer\c$ and retrieves the quota information correctly.

If IE running on either XPClient or FileServer connects to WebServer, IIS
fails to retrieve the Quota Information for \\FileServer\c$.  IIS returns an
"Access Denied" error to the "QuotaObject.Initialize \\FileServer\c$\, true"
statement

I attempted to make IWAM_WebServer a member of the Administrators and Domain
Admins global groups.  No success

Since the page loads perfectly when I connect from the web server, this
indicates that the problem is not that the IIS server can't talk properly to
the file server.  Rather it seems to indicate that the user account IIS uses
to retrieve the data is different if I'm using the server itself instead of a
client.

Any thoughts?

-Pauli








    Re: IIS/Windows Permissions/Rights  
Tom Kaminski [MVP]




 
06-24-05 12:51 PM

Could be a double-hop delegation issue.  What happens if you use Basic
authentication instead of Windows Integrated?

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS










    Re: IIS/Windows Permissions/Rights  
Paul J. Landry




 
06-24-05 10:59 PM

Hi Tom.

Yeah, Basic works.  But *I'd* really like to use Windows Integrated!  Is
there any way to get that to work?

I got some code from MSDN that is supposed to allow ASP to impersonate a
user, but from what I see, a username and password have to be passed to the
script. (And I don't think Windows Integrated lets me see the user's
password)
And it also doesn't seem to work....   :-(

Thoughts?

-Pauli










    Re: IIS/Windows Permissions/Rights  
David Wang [Msft]




 
06-27-05 07:48 AM

Classic problem. Classic solution -- not possible. NTLM does not support
double hop because that is a security vulnerability.

Now, this looks like a classic problem that networking introduces, so why is
this a security vulnerability? Let me give another example to clarify the
underlying issue.

Suppose your ASP page, when authenticated, connects to the user's bank using
that identity, authorizes the withdrawal of all their money and puts it into
the crook's account.

If the ASP page can access the FileServer as the remote authenticated admin
user, the ASP page can also steal money from that user. To the computer,
both acts are the same -- re-use the user's identity to talk to another
server as the user to perform some authorization action -- so do you want
double hop to be legal or illegal?

You have to use an authentication protocol that supports "delegation" --
allowing the server to use their identity on their behalf to do something.
Basic authentication is implicit delegation since it passes
username/password to the server so it can do this. Kerberos also supports
delegation but needs Active Directory and configuration.

IIS5 only supports delegation if Kerberos is used everywhere. IIS6 and
Windows Server 2003 introduce protocol transitioning, which only requires
Kerberos between IIS6 and the backend servers -- the authentication protocol
between the web browser and IIS6 can be anything, including Integrated
authentication.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
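As an added illustration of the constrained Kerberos delegation with protocol transition that David describes for the IIS6/Windows Server 2003 case (example script added here; it is not code from the thread, from IIS, or from Microsoft), assuming a Windows Server 2003 or later domain, the RSAT ActiveDirectory PowerShell module, IIS running as Network Service so the web server's computer account is the delegating identity, and the placeholder names WEBSERVER, FILESERVER and example.local:

```powershell
# Added example: grant the web server the right to delegate ONLY to the file
# server's CIFS service, enable protocol transition, then audit the result.
# All names (WEBSERVER, FILESERVER, example.local) are placeholders.
Import-Module ActiveDirectory

$WebServer = 'WEBSERVER'
$TargetSpn = 'cifs/FILESERVER.example.local'   # the one backend service IIS needs

$acct = Get-ADComputer -Identity $WebServer `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 1. Constrained delegation: replace (not append to) the allowed-target list so the
#    web server can re-use a user's identity against this single SPN and nothing else.
Set-ADComputer -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }

# 2. Protocol transition ("use any authentication protocol"): the browser may still
#    authenticate to IIS with Integrated/NTLM while IIS obtains a Kerberos service
#    ticket to FILESERVER on the user's behalf.
$acct | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Audit. Unconstrained delegation (TrustedForDelegation) would let the web server
#    act as any user towards ANY service, which is exactly the "bank" scenario above,
#    so flag it rather than rely on it.
$acct = Get-ADComputer -Identity $WebServer `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
if ($acct.TrustedForDelegation) {
    Write-Warning "$WebServer is trusted for UNCONSTRAINED delegation; clear it and keep only the constrained list."
}
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($allowed.Count -ne 1 -or $allowed[0] -ne $TargetSpn) {
    Write-Warning "Delegation targets for $WebServer are not exactly [$TargetSpn]: $($allowed -join ', ')"
} else {
    Write-Output "OK: $WebServer may delegate only to $TargetSpn (protocol transition = $($acct.TrustedToAuthForDelegation))"
}
```

If the application pool runs under a dedicated domain account instead of Network Service, apply the same three steps to that user account (Set-ADUser / Set-ADAccountControl) and register the HTTP SPN for the site on it; the audit logic is unchanged.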


