Anonymous access not working

"Mike" <ann***@tkd.net> wrote:

We have a .NET application running on Windows 2003/IIS 6.0. I set up the application pool account with the network service account and have allow anonymous set for the web site. It is using the iusr machine account. In order for us to access data from our SQL Server we impersonate the ASPNET with a domain account so we can use Windows authentication between the 2 servers.

The problem is that when we try to access the web site, we are prompted with a challenge response. Even if I remove the impersonate=true from the web.config, we still get prompted for user id and password.

What am I missing?

Thanks
--
Mike Gasperino
Sr. Software Developer
office: 919-807-2310

****************************************************************************
E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law "NCGS.Ch.132" and may be disclosed to third parties
****************************************************************************

"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote:

Does the IIS_WPG (or Network Service, or whatever account ASP.NET is configured to impersonate) have appropriate NTFS permissions to the actual files on the server's hard disk?

Cheers
Ken

"Mike" <ann***@tkd.net> wrote:

Yes, based on the patterns and practices on how to set up a custom account to run as ASP.NET. I added my custom account to the IIS_WPG group and applied the permissions to that group. In order to have anonymous access, who should be in that group besides my custom account?

"Tiago Halm" wrote:

Make sure you only have "Anonymous" set as the Auth for the VDir (folder/file) you're accessing. Make sure you add R(ead) access to the anonymous account onto the file system where the VDir (folder/file) resides. Do not add the anonymous account to the IIS_WPG. This group is for Worker Process (AppPools) accounts, and not for Anonymous accounts. Make sure the account with which you've set the impersonate also has R(ead) access to the physical file system.

Microsoft's ASP.NET documentation is sometimes outdated regarding ASP.NET settings when it comes to Win2003/IIS6. While in WinXP/IIS5.1 non-ASP.NET code runs on inetinfo.exe, ASP.NET code runs in aspnet_wp.exe. The account with which the only worker process (aspnet_wp.exe) runs is set in machine.config. In IIS6, all non-ASP.NET and ASP.NET code run inside the same process(es) (w3wp.exe). The account with which the worker processes (w3wp.exe) run is not set in machine.config, but in the AppPools node ... better yet, it's set on the metabase.xml file because Application Pools are now a part of IIS and not only part of ASP.NET.

The ASPNET account on IIS6 does not "exist" anymore just like it existed in IIS5.1. In WinXP/IIS5.1, this account is normally used by inetinfo.exe to launch the aspnet_wp.exe process. Clearly, in Win2003/IIS6 this has changed significantly as explained above. Some settings in machine.config are no longer part of the overall picture when running ASP.NET in IIS6.

Tiago Halm
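The checks listed in the last reply above, written out as a small audit over a constructed description of one virtual directory (an added example, not code from the thread). The AuthFlags bit values are those of the IIS 6 metabase property; the path, machine name and account names are hypothetical.

```python
# Added example: anonymous-access checklist for one IIS 6 virtual directory.
# IIS 6 metabase AuthFlags bit values.
AUTH_BITS = {0x01: "Anonymous", 0x02: "Basic", 0x04: "Integrated Windows",
             0x10: "Digest", 0x40: ".NET Passport"}

def decode_auth_flags(flags):
    """Return the authentication methods enabled in an AuthFlags bitmask."""
    return [name for bit, name in AUTH_BITS.items() if flags & bit]

def can_read(account, read_acl, groups):
    """True if the account, or a local group it belongs to, is granted Read."""
    account = account.lower()              # Windows account names ignore case
    granted = {p.lower() for p in read_acl}
    if account in granted:
        return True
    return any(g.lower() in granted and account in {m.lower() for m in members}
               for g, members in groups.items())

def audit_vdir(cfg):
    """Return findings for the checklist; an empty list means every check passed."""
    findings = []
    methods = decode_auth_flags(cfg["auth_flags"])
    if methods != ["Anonymous"]:
        findings.append("auth methods are %s, expected only Anonymous" % methods)
    anon = cfg["anonymous_user"]
    if anon.lower() in {m.lower() for m in cfg["groups"].get("IIS_WPG", [])}:
        findings.append("%s is a member of IIS_WPG" % anon)
    for role in ("anonymous_user", "impersonated_user"):
        account = cfg.get(role)
        if account and not can_read(account, cfg["read_acl"], cfg["groups"]):
            findings.append("%s (%s) has no Read on %s" % (account, role, cfg["path"]))
    return findings

# Constructed sample resembling the question: Read was granted to IIS_WPG only,
# and Integrated Windows is enabled next to Anonymous (AuthFlags 5 = 1 | 4).
SAMPLE = {
    "path": r"D:\Sites\App",                   # hypothetical physical path
    "auth_flags": 5,
    "anonymous_user": "IUSR_WEB01",            # hypothetical machine name
    "impersonated_user": r"CORP\svc_web",      # hypothetical domain account
    "read_acl": ["IIS_WPG", "Administrators"],
    "groups": {"IIS_WPG": [r"CORP\svc_web", "NETWORK SERVICE"]},
}

if __name__ == "__main__":
    for finding in audit_vdir(SAMPLE):
        print(finding)
```

On a real server the inputs would come from the virtual directory's AuthFlags and AnonymousUserName metabase properties, the folder's NTFS ACL and the local IIS_WPG membership.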