A few questions regarding Intranet Security.

From: kavans (ricks_in@yahoo.com)
Date: 02/07/03

From: "kavans" <ricks_in@yahoo.com>
Date: Fri, 7 Feb 2003 01:51:24 -0800

Hi - I am going through the MS-provided security document and
reading the part "Intranet Security: ASP.NET to SQL

It recommends the following config:

For Authentication:

1. Use Integrated Windows Auth at IIS.
2. Use Windows Auth at ASP.NET (With Impersonation = False)

For Authorization:

1. Use NTFS Permissions at IIS.
2. File Auth (.NET Roles ) at ASP.NET.

Also it says the ASP.NET FileAuthorizationModule provides ACL
checks against the original caller for ASP.NET file types
that are mapped in IIS to aspnet_isapi.dll.

My Question 1 - What does the above statement mean? Is this
check made by ASP.NET by itself? If yes, when does it
My Question 2 - Is this check made only for web site files
which are mapped in IIS or for resources accessed by those
files too?

My Question 3 - What NTFS permissions does IIS make here,
and on what files and resources?

There is also a question in document:

Question - Why can't I enable impersonation for the web
application and secure resources accessed by the web
application using ACL's configured against the original

Answer - If you enable impersonation, the impersonated
security context will not have network credentials
(assuming delegation is not enabled and you are using
integrated windows authentication)

My Question 4 - Why will the impersonated security context
not have network credentials?
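For reference, here is the ASP.NET side of the configuration the post describes, written out as an ASP.NET 1.x web.config. This is an added example, not text from the post or the MS document; the group name and SQL Server name are constructed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical web.config for the intranet scenario in the post.
     IIS itself is set to Integrated Windows Authentication only
     (anonymous access off); these settings cover the ASP.NET side. -->
<configuration>
  <appSettings>
    <!-- Trusted connection to SQL Server. With impersonation off, SQL Server
         sees the ASP.NET worker-process account, not each individual user.
         "sqlbox" and "Intranet" are constructed names. -->
    <add key="SqlConn"
         value="Server=sqlbox;Database=Intranet;Integrated Security=SSPI;" />
  </appSettings>

  <system.web>
    <!-- Authentication: ASP.NET trusts the Windows identity IIS has
         already authenticated (Integrated Windows Auth at IIS). -->
    <authentication mode="Windows" />

    <!-- Impersonation off, as the document recommends: page code runs as the
         worker-process account. With NTLM the caller's token is a network
         logon token that carries no credentials, so an impersonating thread
         could not reach a remote SQL Server or file share as the caller
         without Kerberos delegation. -->
    <identity impersonate="false" />

    <!-- Authorization: URL-level check by role. FileAuthorizationModule runs
         in addition to this and compares the NTFS ACL of each requested
         ASP.NET file type (.aspx, .asmx, ...) against the original caller's
         Windows identity, regardless of the impersonate setting. -->
    <authorization>
      <deny users="?" />                    <!-- no anonymous callers -->
      <allow roles="CORP\IntranetUsers" />  <!-- constructed group name -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

NTFS permissions on the .aspx files and on the SQL Server login for the worker-process account still have to be set outside this file.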
