from Windows2000 (IIS5) to Windows2003 (IIS6)

The application is a pair of ISAPI dlls running under IIS which in turn call some COM components, etc... They are set as high isolation in the IIS admin settings. This issue I saw when setting up our stuff on Server2003 is that I would get a Windows login prompt while hitting the ISAPI site with an HTTP POST. I think I got around the login prompt by allowing the anonymous internet user higher access levels. This was just to get our development environment running. This is probably not the recommended way to avoid the login prompt. I do not know which settings are allowed or not allowed in production environments to meet security compliance, etc. This login prompt does not occur in production with the settings on Windows 2000 (IIS5).

Any suggestions...

On Oct 4, 7:21 am, Mike <M***@discussions.microsoft.com> wrote:
> The application is a pair of ISAPI dlls running under IIS which in turn call
> some COM components, etc...
> They are set as high isolation in the IIS admin settings. This issue I saw
> when setting up our stuff on
> Server2003 is that I would get a Windows login prompt while hitting the
> ISAPI site with an HTTP POST.
> I think I got around the login prompt by allowing the anonymous internet
> user higher access levels. This was just to get our development
> environment running. This is probably not the recommended way to avoid the
> login prompt. I do not know which
> settings are allowed or not allowed in production environments to meet
> security compliance, etc.
> This login prompt does not occur in production with the settings on Windows
> 2000 (IIS5)
>
> Any suggestions...

IIS6 and COM+ on Windows Server 2003 run with far fewer privileges than IIS5 and COM+ on Windows 2000 Server. This security change, while breaking to your ISAPI, is by-design.

Unfortunately, while you say you don't know which settings are needed to meet security compliance in production, no one else can help you with this task that you must do, so you will have to figure out what privileges your ISAPI DLLs require.

Of course, you can take the easy way out and just elevate the anonymous user's privileges, but if your server gets hacked because of it, it's all your responsibility since you chose that configuration.

I can only try to help you understand what you must figure out and some of the steps.

The reason you get the login prompt is because your ISAPI DLL is failing to do *something* due to insufficient privileges and causes a 401 to be returned. This, in turn, causes the browser to pop up the Windows login prompt, which keeps coming back no matter what user credential you put in.

I can't tell you what that "something" is that your ISAPI fails to accomplish due to insufficient privileges, nor what privileges are required. However, I can tell you that you will have to do one of the following to figure it out:

1. Go through your ISAPI DLL's design specification to determine the privileges it needs to do what it wants
2. Debug through the ISAPI DLL binary to determine which line of code is failing and what privileges that line of code needs

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
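
An added example, not part of the thread or of either poster's code: a small triage script for the 401 behaviour described in the reply above, which groups 401 responses in an IIS 6 W3C extended log by URL, user, sub-status and Win32 status. It assumes the `sc-substatus` and `sc-win32-status` fields are enabled in the log; the log lines, DLL name, account and addresses are constructed for illustration.

```python
from collections import Counter

# IIS 401 sub-status codes as documented by Microsoft.
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}

# Constructed sample log; the DLL name, user and addresses are hypothetical.
# Win32 status 5 is ERROR_ACCESS_DENIED, 1326 is ERROR_LOGON_FAILURE.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2000-01-01 10:00:03 POST /app/gateway.dll - 192.0.2.10 401 3 5
2000-01-01 10:00:04 POST /app/gateway.dll - 192.0.2.10 401 3 5
2000-01-01 10:00:09 POST /app/gateway.dll DEV\\alice 192.0.2.10 401 3 5
2000-01-01 10:00:12 GET /default.htm - 192.0.2.10 200 0 0
2000-01-01 10:00:15 POST /app/gateway.dll - 192.0.2.10 401 1 1326
"""


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def triage_401(text):
    """Count 401 responses by (URI, user, sub-status, Win32 status)."""
    hits = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "401":
            hits[(row.get("cs-uri-stem"), row.get("cs-username"),
                  row.get("sc-substatus", "?"), row.get("sc-win32-status", "?"))] += 1
    return hits


def report(hits):
    """Render the counts, most frequent first, with the sub-status meaning."""
    return [f"{n}x {uri} user={user} 401.{sub} ({SUBSTATUS.get(sub, 'unknown')}) win32={w32}"
            for (uri, user, sub, w32), n in hits.most_common()]


if __name__ == "__main__":
    print("\n".join(report(triage_401(SAMPLE_LOG))))
```

A `cs-username` of `-` marks an anonymous request; a 401 that repeats for a named user as well means the denial does not depend on which credential was supplied.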