Re: Web App Security and MSIE Settings

Hello Edo,

why do you need impersonation?

yes check with fiddler - what exactly is returned from the app...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Dominick,

The IUSR account has no access to this virtual directory. We are using
impersonation and we have disabled anonymous login, so I uderstand we
don't need to give access to that account. Am I wrong?

Slightly better means we have fewer authentication dialogs.

I'll give a try to the tools you mention.

Thanx.

Ed.

"Dominick Baier [DevelopMentor]" wrote:

Hello Edo,

how about the IUSR account - does he have read ACLs?

what does slightly better mean??

turn on auditing for logon events (secpol.msc) and have a look there
use www.fiddlertool.com to have a look at the auth handshake

maybe this gives you more pointers..

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Dominick,

Thank you very much for your response.

The users already have read access to web content: I have an
"Intranet users" domain group which contains the "Authenticated
Users" group. The "Intranet users" group have read access to the
virtual directory.

We access the server using the netbios name, like this:

http://myserver/myapp

We have slightly better results when we use a fq dns name:

http://myserver.mydomain.local/myapp

Any ideas about this last condition?

Thanx again,

Ed.

"Dominick Baier [DevelopMentor]" wrote:

Hello Edo,

make sure every user of the application has at least read ACLs to
the web content files

how do you access the server ? using the netbios oder fully
qualified dns name?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi All,

In an AD mixed mode environment, MSIE clients running on WinXP
have problems accessing ASP .NET applications hosted in a Win 2003
server (the virtual dir is configured for integrated security):
they get random authentication dialogs.

I found out disabling the "Integrated Security" check box in MSIE
solves the problem.

Shouldn't it be the other way around? I mean, AFAIK this option is
necessary to pass credentials to the web server, isn't it?

The same application in a Win 2000 server works ok for any client,
as Win 2000 clients against the Win 2003 server work fine, too.
What gives!

Any ideas?

Thanks in advance.

Ed.



.

Relevant Pages