Re: Networks file access in ASP blocks parameters of a POST for IIS 5

From: Thomas Deml [MS] (thomad@online.microsoft.com)
Date: 09/27/02


From: "Thomas Deml [MS]" <thomad@online.microsoft.com>
Date: Fri, 27 Sep 2002 14:27:31 -0700


Michael,

If you use Windows authentication, IIS impersonates you. The impersonated
token only has rights on the IIS box. It doesn't have outbound credentials.
Outbound credentials would be a security problem because the IIS admin would
be able to use these credentials to act on behalf of the authenticated client
on the network. There is not much we can do until IIS 6.0 in Windows.NET.
Windows.NET supports constrained delegation, but this is another story.

You can change the authentication method to basic and it would work. The
reason is that you send username/password to the IIS box and IIS does a
local logon (which results in an access token that can be used for outbound
connections).

But there are many disadvantages to basic authentication:
1) the annoying dialog box on the client side
2) username and password are transferred in clear text over the wire
3) the username and password arrive at the IIS box and the owner of the
IIS box can do whatever he wants with them.

You have to make the tradeoff between security and functionality.

Here is an idea:
I'm assuming you are using ASP. ASP always accesses resources as the
impersonated (authenticated) user. Impersonation basically means that the OS
slaps a token onto the executing thread. You can easily revert to the base
thread context by calling the RevertToSelf() API.

The base thread context for IIS 4/5/5.1 is LocalSystem (NetworkService in
6.0) if you execute your app in low isolation mode and IWAM_<machinename> in
medium and high isolation mode. These two accounts should be able to access
the network.

So by simply invoking a small COM object that calls RevertToSelf you can
execute the rest of your ASP page under the base context.

Be warned: This is not recommended in low isolation mode! LocalSystem is god
on the local machine and can do everything.

Hope this helps.

Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.

"Michel Marchand" <volvo@m.com> wrote in message
news:799f01c264b2$a83c5e00$2ae2c90a@phx.gbl...
> Server is Windows 2K sp3 in a Windows NT domain.
>
> We have an ASP page that must access files on two servers
> of the domain so we had to follow the instructions in
> article
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q197964
>
> It works well but our first page which has a FORM-POST
> with an input field (file name) is not sent to the second
> page. We receive an empty value and as soon as we check
> the Integrated Windows authentication in the File
> Security tab in IIS for the second asp file we receive the
> field value from the POST but we cannot access the network
> resources. We uncheck the Integrated Windows
> authentication and we can access the network but we do
> not receive the parameter of the POST?
>
> This is very strange. The work around is to put the field
> value in a session variable or a cookie but I don't
> understand why it behaves like that.
>
> Note that we cannot reproduce that on Windows NT server -
> it works well.
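Point 2 in Thomas's list, that Basic authentication sends the username and password in clear text, can be verified on captured traffic. The Python script below is an added example and is not part of the original thread or of IIS. It parses a few constructed sample HTTP requests (the host, path and the Negotiate token value are made-up placeholders) and reports which authentication scheme each request carries and whether the password is recoverable from the wire. A Basic header is just base64 of `user:password`, reversible by anyone on the path; a Negotiate/NTLM header carries a challenge/response token rather than the password, which is also why the server ends up with a token it cannot reuse for outbound connections, as the reply explains.

```python
import base64
import binascii

# Constructed sample requests (not captured from the servers in the thread);
# host, path and the Negotiate token are made-up placeholders.
SAMPLE_REQUESTS = [
    "POST /second.asp HTTP/1.1\r\n"
    "Host: iis.example.test\r\n"
    "Authorization: Basic bWljaGVsOnBAc3M6dzByZA==\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "filename=report.txt",
    "POST /second.asp HTTP/1.1\r\n"
    "Host: iis.example.test\r\n"
    "Authorization: Negotiate PLACEHOLDERTOKEN\r\n"
    "\r\n"
    "filename=report.txt",
    "POST /second.asp HTTP/1.1\r\n"
    "Host: iis.example.test\r\n"
    "\r\n"
    "filename=report.txt",
]


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_authorization(raw):
    """Report which HTTP auth scheme a request uses and whether the wire exposes the password."""
    _, headers, _ = parse_request(raw)
    auth = headers.get("authorization")
    result = {"scheme": None, "password_on_wire": False, "user": None, "password": None}
    if auth is None:
        return result
    scheme, _, param = auth.partition(" ")
    result["scheme"] = scheme.lower()
    if result["scheme"] == "basic":
        # Basic is base64(user:password): an encoding, not encryption.
        try:
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            # Still Basic, so the password is on the wire even if this copy is garbled.
            result["password_on_wire"] = True
            result["error"] = "malformed Basic credentials"
            return result
        # Only the first colon separates user from password; passwords may contain ':'.
        user, _, password = decoded.partition(":")
        result.update(password_on_wire=True, user=user, password=password)
    elif result["scheme"] in ("negotiate", "ntlm"):
        # Challenge/response: a token travels on the wire, the password itself never does.
        result["password_on_wire"] = False
    return result


def audit(requests):
    """Return one report line per request, suitable for a log or capture review."""
    lines = []
    for raw in requests:
        r = classify_authorization(raw)
        if r["scheme"] is None:
            lines.append("anonymous request: no credentials sent")
        elif r["password_on_wire"]:
            who = r["user"] if r["user"] is not None else "<undecodable>"
            lines.append(f"{r['scheme']}: user {who!r} and password readable on the wire")
        else:
            lines.append(f"{r['scheme']}: protocol token on the wire, password not sent")
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_REQUESTS):
        print(line)
```

Running the script over the constructed requests shows the Basic request yielding `michel` and `p@ss:w0rd` in the clear, while the Negotiate and anonymous requests expose nothing; the same classifier can be pointed at headers pulled from a proxy log or a packet capture to confirm which scheme a site is actually negotiating.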