Re: Service Account replaced by IUSR ??



It looks like the IIS anonymous user is being impersonated for some reason
here. That should be the only reason why that user would get used at all.
Can you see any reason how that might have happened? Is anonymous enabled
in the application at all?

Out of curiosity, why are you enabling for delegation if you don't plan to
delegate? Based on what I read below, it sounds like you just want to use
the fixed process account for accessing remote resources, so delegation
should not matter. As such, you should also be able to avoid impersonation,
since you would generally only impersonate if you need to delegate or
access local resources with the security context of the authenticated user.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Erwin@ODS" <erwin@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%23GzsZGasHHA.3736@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Could anyone help me with this.
I am testing a .Net 2 application that creates a user in AD. It also has
to create a shared folder on a remote server.
I'm testing this on a Windows SBS 2003 machine, taking the same server as
"remote" server, by using the UNC path when creating the directory.

Now, in order to avoid impersonation I did the following:
- create a service account, register it in AD using the setspn.exe tool
described in article
http://msdn2.microsoft.com/en-us/library/ms998358.aspx.
- giving the service account administrator rights (only for testing
purposes, this will be graded down in production)
- checking the "trust account for delegation" option in the account
- create a separate application pool in IIS 6 only for this application.
- setting the identity for this AppPool to the newly created user

So far, everything works fine, and I succeed in creating the user in AD.
But the application breaks down when I want to create the folder, for the
reason that the app doesn't have access rights to the folder.
It will only work when I use impersonation:
- either to the specially created service account
- or to the web user, if he has administrator rights.

But the whole idea of creating a service account was to avoid
impersonation!

I decided to audit the parent directory in which the user directories
should be created. And this is what I got as event (I snipped some lines
for brevity):

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_MYSERVER
Domain: IQS
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: MYSERVER
Caller User Name: adtester

What boggles my mind is that the user is still IUSR_MYSERVER instead of
the specially created service account "adtester"!

Do you have any idea what's going on here or am I missing something?

Thanks!
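The audit event quoted in the post carries the diagnosis in two fields: "Caller User Name" is the process account that asked Windows to perform a logon, and "User Name" is the account it asked to log on. When the caller is the application pool identity and the target is the IUSR account, the worker process is impersonating the anonymous user rather than running as itself. The following parser is an added example (not code from either poster); it reads 2003-style Security event text, with a constructed sample built from the event above plus one constructed benign event, and flags logons requested by the expected process account for some other account. Function and field names are the author's choice here, not any Microsoft API.

```python
"""Triage Windows Security audit text for logons that a known process
account requested on behalf of a different account (a sign that
ASP.NET / IIS impersonation is in effect even though the application
pool runs under a fixed service account)."""
import re

# Constructed sample log text: the first block mirrors the event quoted in
# the post (with the Logon Process and Authentication Package fields on
# separate lines); the second block is a constructed benign network logon
# by the service account itself.
SAMPLE_EVENTS = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_MYSERVER
Domain: IQS
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: MYSERVER
Caller User Name: adtester

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
User: IQS\\adtester
Computer: MYSERVER
Description:
Successful Logon:
User Name: adtester
Domain: IQS
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: MYSERVER
Caller User Name: -
"""

# Windows logon type codes; type 8 (NetworkCleartext) is what IIS/ASP.NET
# produces when it calls LogonUser with the credentials of the account it
# is about to impersonate.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}


def parse_events(text):
    """Split event-viewer text into one dict of 'Field: value' pairs per
    blank-line-separated event. Lines without a colon are ignored."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def find_impersonated_logons(events, process_account):
    """Return events where process_account (the app pool identity) is the
    caller but the account being logged on is someone else. Each finding
    records who was impersonated, the logon type and whether it failed."""
    findings = []
    for ev in events:
        caller = ev.get("Caller User Name", "")
        target = ev.get("User Name", "")
        if caller.lower() != process_account.lower():
            continue  # logon not requested by our process account
        if target.lower() == process_account.lower():
            continue  # the process logged itself on; that is expected
        code = int(ev.get("Logon Type", "0") or 0)
        findings.append({
            "event_id": ev.get("Event ID", ""),
            "caller": caller,
            "target": target,
            "domain": ev.get("Domain", ""),
            "logon_type": LOGON_TYPES.get(code, f"Unknown({code})"),
            "failed": ev.get("Event Type", "") == "Failure Audit",
            "reason": ev.get("Reason", ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_impersonated_logons(parse_events(SAMPLE_EVENTS), "adtester"):
        print(f"{f['caller']} requested a {f['logon_type']} logon for "
              f"{f['domain']}\\{f['target']} (event {f['event_id']}, "
              f"{'failed' if f['failed'] else 'succeeded'}: {f['reason']})")
```

Run against the sample, the only finding is the 529 event: `adtester` requested a NetworkCleartext logon for `IQS\IUSR_MYSERVER`, which is the signature of the anonymous account being impersonated by the worker process. The benign 528 event is skipped because its caller field is `-`. On a real server, point `parse_events` at text exported from the Security log and pass the application pool identity as `process_account`; a clean run (no findings) is what you want to see once impersonation has been disabled for the application.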
