RE: impersonating a user

From: Scott Stahlman [MS] (scotstah@Onlinemicrosoft.com)
Date: Sat, 29 Jun 2002 14:29:07 GMT


In response to your question: Impersonating the user seems only to last
for the duration of the thread or page access, whereas I would like to
permanently have the process run as the user, while still allowing
anonymous access.

This can be done; security is a concern and testing is required. Threads
have to be authenticated in order to have access to the CPU. Their
authentication is what determines the context of the thread. In static
applications, IIS will read the HTTP, and when anonymous is selected IIS
will, as you know, impersonate the IUSR_ account before attempting to
access the file. After the request is handled IIS reverts back to the
Local System account (which is the default account for services that are
running).

You can set up your application to run in another context than IIS. If you
make a directory into an application (by clicking on CREATE on the Dir Tab)
and move it into High Security protection you will notice in the Component
Services Snap-In that you can choose the identity in which to run the
application (go to its properties). You can also choose the identity for
the Out Of Process Pooled likewise.

There is also a Windows API called CreateProcessAsUser which can be called
for CGI and VB applications.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q285879

So it can be done; however, you can create other unexpected problems. A
great resource is the book Running Microsoft Internet Information Server 4.0
cowritten by my colleague Leonid Braginski. On page 433 he discusses
impersonation and authentication (no code samples) very clearly. The book
was published by Microsoft Press. It's really enjoyable reading too, I
might add!

JUNE 12th: A new Security patch is available for IIS 4.0 and 5.0. This
patch is not a cumulative patch.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-028.asp

Thanks,
Scott
IIS Support

This posting is provided AS IS with no warranties, and confers no rights.
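
The per-application identity described in the posting above (Component Services, application properties) can be read back from the COM+ catalog for review. This is an added example, not part of the original posting or Microsoft's own code: a PowerShell audit that lists each out-of-process COM+ application with the account it runs as. The `$ExpectedIdentity` allow-list and its `IWAM_<computername>` default are assumptions to adjust for your server.

```powershell
param(
    # Assumption (hypothetical allow-list): accounts you expect web
    # applications to run as. Adjust to the accounts you actually use.
    [string[]]$ExpectedIdentity = @("IWAM_$env:COMPUTERNAME")
)

# Open the COM+ catalog on the local machine (read-only use here).
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

$report = foreach ($app in $apps) {
    # Activation: 0 = library application (loads into the caller's process),
    #             1 = server application (own process, own identity).
    if ($app.Value('Activation') -ne 1) { continue }

    $identity = $app.Value('Identity')
    # Compare on the account name only, ignoring a "MACHINE\" or ".\" prefix.
    $account = ($identity -split '\\')[-1]

    [pscustomobject]@{
        Application = $app.Name
        Identity    = $identity
        Expected    = $ExpectedIdentity -contains $account
    }
}

# Unexpected identities sort first so they are reviewed first.
$report | Sort-Object Expected, Application | Format-Table -AutoSize
```

Run it on the IIS host from an account allowed to read the COM+ catalog; any row with `Expected` set to `False` is an application whose process identity differs from the accounts you listed.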
