Re: authentication and impersonation question
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Jul 2006 22:17:08 +0000 (UTC)
Hi,
yeah that can be confusing:
For asp.net applications:
1) when asp.net impersonation is not set, authentication by IIS
happens
first (if anonymous access is enabled then identity is the IUSR_
account),
but any resource access (read/write for files etc) is done by the
asp.net
process account (the IIS application pool process account for IIS 6,
network
service). This means NTFS permissions need to be set for that asp.net
process (or IIS app pool process) account to control access to
resources.
True/false? correct me if/where wrong?
Control access is too much. You need read/read execute/list folder contents for the worker process
In addition the FileAuthorizationModule checks if read access is allowed on the requested resource for the client (either the auth client or IUSR).
2) when asp.net impersonation *is* set, authentication by IIS happens
first (if anonymous access is enabled then identity is the IUSR_
account), and any resource access (read/write for files etc) is done
by the IIS account, IUSR_ if anonymous. This means NTFS permissions
need to be set for that IUSR_ account to control access to resources.
True/false? correct me if/where wrong?
I don't think I have this straight yet.
right. Again read/rx/lfc is enough.
.
- Follow-Ups:
- References:
- Prev by Date: authentication and impersonation question
- Next by Date: Re: authentication and impersonation question
- Previous by thread: authentication and impersonation question
- Next by thread: Re: authentication and impersonation question
- Index(es):
Relevant Pages
|
