IIS/Windows Permissions/Rights

Hi Guys.

I hope you can help me out! I've posted a similar question on "inetserver.asp.general" a couple of days ago, but I think I'm gonna have better luck here since it's more of a security issue than a programming issue...

Here's the scenario: 2 Windows 2000 servers and one workstation. (Let's call them WebServer, FileServer and XPClient.) All 3 computers are on the same domain. Both servers are DCs. (I've also tried with 1 DC and 1 member server.)

I've written some ASP pages for my intranet that allow me to see basic information about user accounts. Included in that information is disk quota data such as QuotaLimit, QuotaUsed, etc.

The web server (IIS5) is configured for "Integrated Windows Authentication", which appears to be working perfectly. In every instance, I connect using an Admin account. NTFS permissions on the web site make sure of that.

If IE on WebServer connects to WebServer, IIS properly connects to \\FileServer\c$ and retrieves the quota information correctly.

If IE running on either XPClient or FileServer connects to WebServer, IIS fails to retrieve the quota information for \\FileServer\c$. IIS returns an "Access Denied" error to the "QuotaObject.Initialize \\FileServer\c$\, true" statement.

I attempted to make IWAM_WebServer a member of the Administrators and Domain Admins global groups. No success.

Since the page loads perfectly when I connect from the web server, this indicates that the problem is not that the IIS server can't talk properly to the file server. Rather, it seems to indicate that the user account IIS uses to retrieve the data is different if I'm using the server itself instead of a client.

Any thoughts?

-Pauli
"Paul J. Landry" <PaulJLan***@discussions.microsoft.com> wrote in message news:49095294-6DE0-46E4-9001-365587F1F742@microsoft.com...

Could be a double-hop delegation issue. What happens if you use Basic authentication instead of Windows Integrated?

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Hi Tom.

Yeah, Basic works. But *I'd* really like to use Windows Integrated! Is there any way to get that to work?

I got some code from MSDN that is supposed to allow ASP to impersonate a user, but from what I see, a username and password has to be passed to the script. (And I don't think Windows Integrated lets me see the user's password.) And it also doesn't seem to work.... :-(

Thoughts?

-Pauli

Classic problem. Classic solution -- not possible. NTLM does not support double hop because that is a security vulnerability.

Now, this looks like a classic problem that networking introduces, so why is this a security vulnerability? Let me give another example to clarify the underlying issue.

Suppose your ASP page, when authenticated, connects to the user's bank using that identity, authorizes the withdrawal of all their money and puts it into the crook's account. If the ASP page can access the FileServer as the remote authenticated admin user, the ASP page can also steal money from that user. To the computer, both acts are the same -- re-use the user's identity to talk to another server as the user to perform some authorized action -- so do you want double hop to be legal or illegal?

You have to use an authentication protocol that supports "delegation" -- allowing the server to use their identity on their behalf to do something. Basic authentication is implicit delegation since it passes username/password to the server so it can do this. Kerberos also supports delegation but needs Active Directory and configuration.

IIS5 only supports delegation if Kerberos is used everywhere. IIS6 and Windows Server 2003 introduce protocol transitioning, which only requires Kerberos between IIS6 and the backend servers -- the authentication protocol between the web browser and IIS6 can be anything, including Integrated authentication.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Paul J. Landry" <PaulJLan***@discussions.microsoft.com> wrote in message news:2564B32A-50CE-4600-BAD4-D1EB292030EA@microsoft.com...
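The following is an added example, not code from any poster in this thread, showing how the delegation David describes is set up and verified with the Kerberos features he attributes to Windows Server 2003 (constrained delegation plus protocol transition), and how to confirm on the file server whether the second hop actually arrived as Kerberos or fell back to NTLM. It assumes the RSAT ActiveDirectory PowerShell module, a Windows Server 2003 or later domain functional level (Windows 2000 only offers the unconstrained "trust this computer for delegation" flag), Vista/2008-or-later event logging (logon event 4624), and the hypothetical names WebServer, FileServer and corp.example.com; the function names are mine.

```powershell
# Added example (not from the thread). Configure Kerberos constrained
# delegation with protocol transition so code on WebServer can open
# \\FileServer\c$ as the browsing user, then verify which protocol the
# file server actually saw. Hostnames, domain and function names are
# assumptions for illustration.
Import-Module ActiveDirectory

$domain     = 'corp.example.com'   # assumption
$webServer  = 'WebServer'          # assumption
$fileServer = 'FileServer'         # assumption
$webAccount = "$webServer`$"       # machine account, e.g. WebServer$

# 1. Kerberos on the first hop needs an HTTP SPN for the host name the
#    browser types in. Without it Negotiate silently falls back to NTLM,
#    which cannot be forwarded: the "double hop" Access Denied above.
$web = Get-ADComputer $webServer -Properties servicePrincipalName
foreach ($spn in @("HTTP/$webServer.$domain", "HTTP/$webServer")) {
    if ($web.servicePrincipalName -notcontains $spn) {
        & setspn.exe -S $spn $webAccount     # -S refuses duplicate SPNs
    }
}

# 2. Constrained delegation: WebServer may obtain CIFS tickets for
#    FileServer only, rather than for every service in the forest as
#    unconstrained delegation would allow.
$targets = @("cifs/$fileServer.$domain", "cifs/$fileServer")
Set-ADComputer $webServer -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

# 3. Protocol transition ("use any authentication protocol"): IIS can
#    mint a Kerberos service ticket for the user even if the browser
#    arrived via NTLM or Basic. Leave this off if the front hop is
#    guaranteed to be Kerberos; it widens what the web server may do.
Set-ADAccountControl -Identity $webAccount -TrustedToAuthForDelegation $true

# 4. The impersonated user must be delegatable. "Account is sensitive and
#    cannot be delegated" or Protected Users membership still yields
#    Access Denied on the second hop even with 1-3 in place.
function Test-Delegatable {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser $SamAccountName -Properties AccountNotDelegated, memberOf
    $protected = @($u.memberOf | Where-Object { $_ -like 'CN=Protected Users,*' })
    return (-not $u.AccountNotDelegated) -and ($protected.Count -eq 0)
}

# 5. Ground truth on the back end: logon event 4624 on FileServer records
#    the authentication package. 'Kerberos' means delegation worked;
#    'NTLM' with an anonymous or machine TargetUserName means it did not.
function Get-BackendLogonPackages {
    param([string]$Computer = $fileServer, [int]$Last = 20)
    Get-WinEvent -ComputerName $Computer -MaxEvents $Last `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Package   = $d['AuthenticationPackageName']   # Kerberos / NTLM
            LogonType = $d['LogonType']                   # 3 = network
            Source    = $d['IpAddress']
        }
    }
}

Test-Delegatable -SamAccountName 'pauli'      # assumption: the admin account used in IE
Get-BackendLogonPackages | Format-Table -AutoSize
```

Run the first four steps once as a domain admin, then browse the ASP page from XPClient and call Get-BackendLogonPackages: an entry with Package = Kerberos and User = the browsing account, sourced from WebServer's address, is the second hop succeeding. Prefer constrained delegation over the unconstrained checkbox even where the latter is available, since an unconstrained web server can replay any visiting user's identity against any service in the forest, which is exactly the bank example David gives.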