Re: IIS metabase permissions when creating new VirDir's

"Jason Brown [MSFT]" wrote:

The queue idea is a good one, but possibly overkill. You could run the
individual script or virtual directory under the context of a different user
account, but you'd need to be careful of who can access it, by requiring
authentication and locking down the script with NTFS.

I'd also recommend you take care and backup before changes, and have a
protocol sorted out for rolling back changes, just in case.

--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no rights.

"Tony D" <To***@discussions.microsoft.com> wrote in message
news:168FB923-670E-4C0E-97F7-3E1250B962F4@microsoft.com...
> Hi,
>
> Theoretical, architecture-type question here:
> -=-
> If one wants to have an Asp.Net app programmatically create new VirDir's,
> how should you implement this? Open the doors wide-open to the ASPNET user
> account? (not!)
>
> Some Background:
> -=-
> We have an Asp.Net app that we ported from Asp/VB6. It allowed anonymous
> IIS users to create new web-sites on-the-fly. Obviously, our app ensures
> that only users who are registered and correctly logged-in can do this. My
> point is that as far as IIS is concerned, users are anonymous.
>
> In the old Asp/VB6 world, this worked because the Asp pages would call the
> COM+ components, which impersonated as a local machine account. We ensured
> the local machine account had enough permissions to:
> - access the appropriate part(s) of the file system to make the new web-site
> - access the appropriate part(s) of the IIS metabase
>
> Correct me if I'm wrong, but the way I understand impersonation works in
> .Net isn't the same: it will only work if you use Windows Authentication
> under IIS, and will then only impersonate the logged-in user. In our app, we
> can't use Windows Authentication.
>
> We can make the new .Net code work if we allow the ASPNET user access to the
> resources I described above, but we would like a better solution. My thought
> is to have the Aspx page create an MSMQ message, asking to create the new
> VirDir. We already have a daemon process written in C# that monitors MSMQ,
> and it runs with LOCALSYSTEM privs, so it could get the job done.
>
> What is Microsoft's recommendation on this?
>
> --
> - Tony D
"Tony D" wrote:

Thank you for your answer.

Could you please give an example of how to run a Virtual Directory under a
different user context?

I know that the constructor for System.DirectoryServices.DirectoryEntry
takes an AuthenticationType parameter. Is this what you mean?

- Tony

"Jason Brown [MSFT]" wrote:
> The queue idea is a good one, but possibly overkill. You could run the
> individual script or virtual directory under the context of a different user
> account, but you'd need to be careful of who can access it, by requiring
> authentication and locking down the script with NTFS.
>
> I'd also recommend you take care and backup before changes, and have a
> protocol sorted out for rolling back changes, just in case.
>
> --
> Jason Brown
> Microsoft GTSC, IIS
> [...]
"Jason Brown [MSFT]" wrote:

Are you on IIS 6.0?

The way I'd probably do that would be to either lock down the file using IIS
service manager and enable Windows authentication - you then run it under the
authenticated account (with impersonation enabled). You could also create a
new application pool which runs under a privileged account, then edit the
VDir's properties in IIS service manager so that it runs under the privileged
app pool.

--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no rights.

"Tony D" <To***@discussions.microsoft.com> wrote in message
news:EEBEF54A-9781-4718-98C8-018375692864@microsoft.com...
> Thank you for your answer.
>
> Could you please give an example of how to run a Virtual Directory under a
> different user context?
>
> I know that the constructor for System.DirectoryServices.DirectoryEntry
> takes an AuthenticationType parameter. Is this what you mean?
>
> - Tony
> [...]
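Tony's proposed split from the first post (an unprivileged ASP.NET page that only enqueues a request, and a privileged daemon that performs the metabase write), as an added example in C# against the IIS 6 ADSI provider. It is not code from the thread or from Microsoft; the queue name, site ID, sites root and web-tier account name are assumptions. What it adds to the thread is where the trust boundary sits: because the page serves anonymous IIS users, the worker has to treat every message as hostile, so it whitelists the name, derives the physical path itself rather than accepting one from the message, refuses an existing key, backs up the metabase before writing (Jason's advice) and grants only Read and Script access to the new directory.

```csharp
using System;
using System.DirectoryServices;
using System.IO;
using System.Messaging;
using System.Text.RegularExpressions;

// Added example, not code from the thread. Queue name, web-tier account,
// site ID and sites root are assumptions for this illustration.
public static class VDirWorker
{
    const string QueuePath    = @".\private$\vdir-requests";      // assumed private queue
    const string WebIdentity  = "ASPNET";                         // NETWORK SERVICE on IIS 6
    const string MetabaseRoot = "IIS://localhost/W3SVC/1/Root";   // assumed site ID 1
    const string SitesRoot    = @"C:\inetpub\customer-sites";     // assumed fixed root

    // Whitelist: short, alphanumeric, no dots, slashes or spaces, so a name can
    // never escape SitesRoot or address a metabase key the worker did not intend.
    static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9][A-Za-z0-9_-]{0,31}$");

    // Run once as an administrator: the web tier gets Send only, never Receive/Peek.
    public static void EnsureQueue()
    {
        if (MessageQueue.Exists(QueuePath)) return;
        using (MessageQueue q = MessageQueue.Create(QueuePath))
            q.SetPermissions(WebIdentity, MessageQueueAccessRights.WriteMessage);
    }

    // Web tier (ASPNET identity): enqueue the bare name and nothing else.
    public static void EnqueueRequest(string name)
    {
        using (var q = new MessageQueue(QueuePath))
            q.Send(name, "create-vdir");
    }

    // Worker (LOCALSYSTEM or, better, a dedicated account with rights on the
    // metabase subtree and on SitesRoot): this process is the real trust boundary.
    public static void Main()
    {
        using (var q = new MessageQueue(QueuePath))
        {
            q.Formatter = new XmlMessageFormatter(new[] { typeof(string) });
            while (true)
            {
                using (Message msg = q.Receive())          // blocks until a request arrives
                {
                    string name = msg.Body as string;
                    try
                    {
                        CreateVirtualDirectory(name);
                        Console.WriteLine("created {0}", name);
                    }
                    catch (Exception ex)
                    {
                        // Reject and keep running: a bad message from the web tier
                        // must not take the privileged worker down.
                        Console.Error.WriteLine("rejected {0}: {1}", name, ex.Message);
                    }
                }
            }
        }
    }

    // The worker derives the physical path itself; it never accepts one from the message.
    public static string PhysicalPathFor(string name)
    {
        if (name == null || !SafeName.IsMatch(name))
            throw new ArgumentException("name rejected by whitelist");
        string full = Path.GetFullPath(Path.Combine(SitesRoot, name));
        if (!full.StartsWith(SitesRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("path escaped the sites root");
        return full;
    }

    public static void CreateVirtualDirectory(string name)
    {
        string physicalPath = PhysicalPathFor(name);
        string vdirPath = MetabaseRoot + "/" + name;
        if (DirectoryEntry.Exists(vdirPath))
            throw new InvalidOperationException("virtual directory already exists");

        // Back up the metabase before changing it, as Jason advises:
        // IIsComputer.Backup(location, MD_BACKUP_NEXT_VERSION = -1, MD_BACKUP_SAVE_FIRST = 2).
        // Roll back with the matching Restore() on the same object.
        using (var computer = new DirectoryEntry("IIS://localhost"))
            computer.Invoke("Backup", new object[] { "BeforeVDirCreate", -1, 2 });

        Directory.CreateDirectory(physicalPath);

        using (var root = new DirectoryEntry(MetabaseRoot))
        using (DirectoryEntry vdir = root.Children.Add(name, "IIsWebVirtualDir"))
        {
            vdir.Properties["Path"][0]            = physicalPath;
            vdir.Properties["AccessRead"][0]      = true;
            vdir.Properties["AccessScript"][0]    = true;   // scripts only: no Execute, no Write
            vdir.Properties["AccessWrite"][0]     = false;
            vdir.Properties["AppFriendlyName"][0] = name;
            vdir.CommitChanges();
            vdir.Invoke("AppCreate2", new object[] { 2 });  // 2 = pooled application
        }
    }
}
```

The ASP.NET page calls EnqueueRequest after its own application-level login check; nothing in the message is trusted on the other side. The queue ACL (Send for the web identity, Receive for the worker only) is what keeps the daemon's LOCALSYSTEM rights from being reachable by anything other than that one page, and the metabase backup is the rollback protocol Jason asks for.

Jason's second reply, as an added example in C# that is not code from the thread or from Microsoft: a dedicated application pool running as a specific account, with only the admin vdir (the one containing the create-VirDir page) moved into it and switched from anonymous to Integrated Windows authentication. Pool name, account name and vdir path are assumptions. One clarification to Tony's question: the AuthenticationTypes argument on the DirectoryEntry constructor governs only how this code's own ADSI bind to the metabase authenticates; the identity the vdir's pages run under is the pool identity (or, with impersonation enabled, the authenticated caller).

```csharp
using System;
using System.DirectoryServices;

// Added example, not code from the thread. Pool name, account and vdir path
// are assumptions; the metabase property names are the IIS 6 ones.
public static class AdminPoolSetup
{
    // AppPoolIdentityType: 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 SpecificUser
    const int AppPoolIdentitySpecificUser = 3;
    // AuthFlags bits: 1 Anonymous, 2 Basic, 4 Integrated Windows (NTLM/Kerberos)
    const int AuthAnonymous = 1;
    const int AuthNTLM      = 4;

    public static void Main()
    {
        CreateAppPool("VDirAdminPool", @"MYSERVER\VDirAdmin", ReadPassword());
        LockDownVDir("IIS://localhost/W3SVC/1/Root/admin", "VDirAdminPool");
    }

    // The pool identity is the only account that gets rights on the metabase
    // subtree and the sites root; the site's normal pool and IUSR never do.
    public static void CreateAppPool(string poolName, string userName, string password)
    {
        if (DirectoryEntry.Exists("IIS://localhost/W3SVC/AppPools/" + poolName)) return;
        using (var pools = new DirectoryEntry("IIS://localhost/W3SVC/AppPools"))
        using (DirectoryEntry pool = pools.Children.Add(poolName, "IIsApplicationPool"))
        {
            pool.Properties["AppPoolIdentityType"][0] = AppPoolIdentitySpecificUser;
            pool.Properties["WAMUserName"][0]         = userName;
            pool.Properties["WAMUserPass"][0]         = password;
            pool.CommitChanges();
        }
    }

    // Drop Anonymous, require Integrated Windows auth; other bits are left as they were.
    public static int HardenAuthFlags(int current)
    {
        return (current & ~AuthAnonymous) | AuthNTLM;
    }

    // Move only the admin vdir into the privileged pool and require authentication,
    // so the create-VirDir page is never reachable as an anonymous IIS user.
    public static void LockDownVDir(string vdirPath, string poolName)
    {
        using (var vdir = new DirectoryEntry(vdirPath))
        {
            vdir.Invoke("AppCreate2", new object[] { 2 });   // must be an application to own a pool
            vdir.Properties["AppPoolId"][0]  = poolName;
            vdir.Properties["AuthFlags"][0]  = HardenAuthFlags((int)vdir.Properties["AuthFlags"].Value);
            vdir.CommitChanges();
        }
    }

    static string ReadPassword()
    {
        // Never hard-code the pool account's password; prompt or read it from a protected store.
        Console.Write("Password for pool identity: ");
        return Console.ReadLine();
    }
}
```

On IIS 6 the pool account must also be a member of IIS_WPG, and it needs write access to the W3SVC/1/Root metabase key and to the directory new sites are created under; the admin vdir's files should be NTFS-restricted to the administrators who may use it, which is the "locking down the script with NTFS" from Jason's first reply. If you add `<identity impersonate="true" />` to that vdir's web.config, the page runs as the authenticated Windows user instead of the pool identity, which is the first of the two options Jason describes.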