RE: Access denied ( From one site to another, that is in another server)

From: Bassel Tabbara [MSFT] (basselt@online.microsoft.com)
Date: 01/21/03

• Next message: Stefano: "SSL and redirect"
• Previous message: Stefano: "Security leak"
• In reply to: Gabriela De Feo: "Access denied ( From one site to another, that is in another server)"
• Next in thread: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
• Reply: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: basselt@online.microsoft.com (Bassel Tabbara [MSFT])
Date: Tue, 21 Jan 2003 18:15:28 GMT

Hello Gabriela,
You are running into a delegation issue here. Delegation is the next step
up from impersonation. Rather than just being able to access local
resources on behalf of the client, delegation supports the accessing of
remote resources on behalf of the client. When you are trying to access
from a one server to get to another server, the account credentials must be
passed along so you can access the document on the second server.

When users browse to an ASP.NET Web site, they request that some code run
on the server. All processes run within the security context of a specific
account. By default, ASPNET engines runs under aspnet account. This account
has access to the IIS server computer but is not allowed to access shared
folders on other computers. Therefore, you must configure the IIS computer
so that it uses an account other than the aspnet account.

After IIS is set to run under another account, you must give that account
permission to all of the files and folders that are needed to use the
remote Access database.

The following article describes thoroughly the steps needed to allow you to
access the remote resource.
810572 HOW TO: Setup an IIS / ASP.NET Delegation Scenario
http://support.microsoft.com/?id=810572

306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158
The section entitled as "Impersonate the Authenticating User in Code" might
be beneficial to you.

Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

--------------------
| From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
| Subject: Access denied ( From one site to another, that is in another
server)
| Date: Tue, 21 Jan 2003 13:24:40 -0300
| Lines: 72
| MIME-Version: 1.0
| Content-Type: multipart/alternative;
| boundary="----=_NextPart_000_002C_01C2C150.7458DB40"
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
| Message-ID: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: 200.80.152.106
| Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP11
| Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3707
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Both web site have Integrated Windows Authentication.
| If I try to connect from my site to another that is in another server I
get "Access denied".
| If the second site is in the same server, I can conect correctly.
| Note: The second site is not in a Dotnet Framework
| The code is as follows:
| sURL = "http://srv01/projectserver/LgnIntAu.asp"
| Dim oXMLDocument As XmlDocument
| oXMLDocument = New XmlDocument()
| oXMLDocument.Load(sURL)
| Please Help me !!!!!
| Thanks
|

Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

• Next message: Stefano: "SSL and redirect"
• Previous message: Stefano: "Security leak"
• In reply to: Gabriela De Feo: "Access denied ( From one site to another, that is in another server)"
• Next in thread: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
• Reply: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Windows (Trusted) Authentication and SQL Server ... I can still run the application when logged in locally to the IIS machine, ... > The account whose credentials are being delegated must be a domain account ... > be marked in Active Directory as trusted for delegation. ... > Server) does not need to be marked as trusted. ... (microsoft.public.dotnet.framework.aspnet.security) Re: Creating SID Manaully ... server that are specific to that class. ... though LDAP). ... account to ACL local resources like files or folders? ... current account request system works on the honor system. ... (microsoft.public.windows.server.active_directory) Re: Using NT Authentication with Linked Server ... You are running into a double hop (or delegation) scenario. ... User trying to connect to SQL Server is not sensitive and can be ... how to register SPNs for your SQL Service account). ... Use sp_addlinkedsrvlogin on the first linked server (server B in your ... (microsoft.public.sqlserver.security) Re: Windows (Trusted) Authentication and SQL Server ... The account whose credentials are being delegated must be a domain account ... The computer on which the delegation takes place ... Server) does not need to be marked as trusted. ... in to play is when an IE client connects to a web server. ... (microsoft.public.dotnet.framework.aspnet.security) Re: EFS and Delegation ... computer account and that is the easiest way to disable that server for EFS ... I have never tried that myself as a way to prevent a user from creating EFS ... account to not be able to be trusted for delegation does no longer matter. ... (microsoft.public.windows.server.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint