file security/authentication

OK, I thought I had tackled this before a while ago but forgot what I did...

I am running IIS6 on a W2K3 server. For most of my site I have Anonymous access authorized. I have one file that I want to use the local system ACLs to authenticate with... I have turned off Anonymous access, I have Integrated Authentication turned on. I have removed IUSR_XXXX from the local ACLs. If I use my IE to access the file, the audit log shows a failure for IUSR vice the actual user....

This is on an internal INTRANET.

How can I tweak the system so that the actual user's credentials are used to verify file permissions?

Thanks
Carl

OK, so I must be missing something, or just do not get what "vice the actual user . . . " means.
So, what you have done is not effecting what you want?
You did ACL the restricted part with a grant to the account(s) that should have access? Ideally this is with a group from the domain that is also either in the IIS's Users group or is granted network logon user right.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

I have granted permissions to this file to domain users. I had thought that if ANONYMOUS access is turned off in IIS for an object and I authenticated using INTEGRATED WINDOWS AUTHENTICATION, then the user's credentials would be passed to the object prior to access.

"Carl Hilton" <some***@microsoft.com> wrote in message news:%23TOWVZRmGHA.4696@TK2MSFTNGP05.phx.gbl...
> I have granted permissions to this file to domain users. I had thought
> that if ANONYMOUS access is turned off in IIS for an object and I
> authenticated using INTEGRATED WINDOWS AUTHENTICATION, then the user's
> credentials would be passed to the object prior to access.

Well, they are, so to speak . . . access to the object is checked against the token of the process thread that is attempting access. Upon the access failure by IUsr there should be an attempt to get credentials that will allow, which may cause a login prompt at client if IE is not configured to do this under the covers. You said you see in the logs failure for IUsr, but you have not stated what it is that does happen (saving indicating it does not work as hoped)
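Added example, not part of the original thread: one way to see which identity IIS actually used for a protected file is to read the site's W3C extended log, where `cs-username` is `-` for anonymous requests. The log sample, URIs, user name and the function names below are constructed for illustration, and the log is assumed to include the `cs-username`, `sc-status` and `sc-substatus` fields.

```python
from collections import Counter

# Constructed IIS 6 W3C extended log sample; users, paths and IPs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2006-06-20 14:01:07 GET /default.htm - 10.0.0.21 200 0
2006-06-20 14:01:09 GET /reports/payroll.htm - 10.0.0.21 401 3
2006-06-20 14:01:09 GET /reports/payroll.htm - 10.0.0.21 401 1
2006-06-20 14:01:09 GET /reports/payroll.htm EXAMPLE\\jdoe 10.0.0.21 200 0
2006-06-20 14:05:44 GET /reports/budget.htm - 10.0.0.35 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(entry):
    """Label a request by who the server treated the caller as."""
    status, sub = int(entry["sc-status"]), int(entry["sc-substatus"])
    anonymous = entry["cs-username"] == "-"  # "-" means no authenticated user
    if status < 400:
        return "served-anonymously" if anonymous else "served-as-user"
    if status == 401:
        # IIS substatus codes: 401.1 logon failed, 401.2 logon failed due to
        # server configuration, 401.3 denied by the ACL on the resource.
        return {1: "logon-failed", 2: "credentials-required",
                3: "denied-by-acl"}.get(sub, "401-other")
    return "other-error"

def audit(text, protected_uris):
    """Count outcomes per protected URI; any 'served-anonymously' is a finding."""
    wanted = {u.lower() for u in protected_uris}
    report = {}
    for e in parse_w3c(text):
        uri = e["cs-uri-stem"].lower()
        if uri in wanted:
            report.setdefault(uri, Counter())[classify(e)] += 1
    return report

if __name__ == "__main__":
    for uri, counts in audit(SAMPLE_LOG, ["/reports/payroll.htm", "/reports/budget.htm"]).items():
        print(uri, dict(counts))
```

In the sample, `/reports/payroll.htm` shows an anonymous attempt rejected by the ACL followed by a request served under a named account, while `/reports/budget.htm` is still being served to the anonymous account. A 401.1 immediately before a 200 from the same client is usually just a leg of the NTLM handshake.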