Re: IUSR account replication outside Active Directory

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 12:36:21 +1000


On the file server, create a local account:

fileserver\IUSR_machineA
not
companyDomain\IUSR_machineA

: 3. Is it appropriate to include my web server in the Active Directory, or I
: will compromise security?

You're already compromising "security" to an extent by allowing file share
access by the webserver to the file server...

What you should probably do is create some kind of replication job that will
push the data from the internal server to the external server, and have the
website run off this external data. Jet Replication Objects (JRO) might be
able to do this for you, or you could use MSDE or similar...

Cheers
Ken

"Fivos Adamidis" <afivos@adamco.gr> wrote in message
news:OSXe#ppDDHA.1604@TK2MSFTNGP10.phx.gbl...
: First of all, apologies in advance for any misconceptions due to my poor
: knowledge.
:
: My ASP pages, published in IIS 5.0 on MachineA (no AD), are trying to read
: through DSN an Access 2002 database stored on a network share in a win2000
: server (Machine B with AD).
:
: Despite my efforts I keep getting an 80004005 type error : [Microsoft][ODBC
: Microsoft Access Driver] The Microsoft Jet database engine cannot open the
: file '(unknown)'. It is already opened exclusively by another user, or you
: need permission to view its data.
:
: It seems that the problem is that IUSR_MachineA does not have access
: permissions in the database path of MachineB. I know that I should replicate
: the IUSR account in the file server of the database and give full
: permissions in the folder. However, when I try to create an IUSR_MachineA
: account in MachineB I cannot do it because MachineA is not in the Active
: Directory.
:
: In other words I can only have two accounts like this :
: MachineA\IUSR_MachineA (in the web server)
: CompanyDomain\IUSR_MachineA (in the file server)
:
: 1. Is it somehow possible to "see" the MachineA domain in AD and create the
: account?
:
: 2. Can I change the web server's anonymous access account to one
: CompanyDomain account?
:
: 3. Is it appropriate to include my web server in the Active Directory, or I
: will compromise security?
:
: 4. Any other suggestions to solve this problem?
:
:
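
The mirrored local account suggested in the reply above, sketched as Windows command-prompt steps. This is an added example, not part of the original thread: the folder path `D:\Data\WebDb` is a hypothetical placeholder, the file server is assumed to be a member server rather than a domain controller, and the account is assumed to get the same password that IUSR_machineA has on the web server, which pass-through authentication between two machines without a trust requires.

```bat
rem Run on the file server (Machine B) from an administrator command prompt.
rem D:\Data\WebDb is a hypothetical placeholder for the folder holding the .mdb file.

rem 1. Create a LOCAL account whose name matches the web server's anonymous account.
rem    "*" prompts for the password; enter the same password IUSR_machineA has
rem    on the web server, otherwise the pass-through logon fails.
net user IUSR_machineA * /add /passwordchg:no /expires:never /comment:"Mirror of MachineA anonymous web account"

rem 2. Show the account as stored in this machine's local account database.
net user IUSR_machineA

rem 3. Grant Change (C) rather than Full Control, and only on the database folder.
rem    Jet has to create and delete the .ldb lock file next to the .mdb,
rem    so read-only access to the folder is not sufficient.
cacls "D:\Data\WebDb" /T /E /G IUSR_machineA:C

rem 4. Review the resulting ACL.
cacls "D:\Data\WebDb"
```

On IIS 5 the anonymous account's password has to be set explicitly, with "Allow IIS to control password" cleared, because an IIS-controlled logon cannot authenticate to a remote share. The share permissions on the file server must also allow the same local account.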


