Re: IIS 6 / FrontPage Group Isolation
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 07/10/03
- Next message: Roger Abell [MVP]: "Re: URLScan and an EXE File"
- Previous message: David Wang [Msft]: "Re: URLSCAN makes pages with integrated authentication very slow"
- In reply to: Scott Muc: "IIS 6 / FrontPage Group Isolation"
- Next in thread: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Reply: Scott Muc: "Re: IIS 6 / FrontPage Group Isolation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Jul 2003 23:17:39 -0700
Hi Scott,
I am not going to have a definite resolution for you.
You are on top of things. As reference for others
http://microsoft.com/technet/prodtechnol/sharepnt/proddocs/admindoc/owsj03.asp
appears to be the info from which Scott is working.
This is a rather recently provided handle on the FPSE default
ACLing behaviors, available only with FPSE2002 on W2k3.
My suggestion is to (again) retrace carefully your reg values
as it appears it is not finding the expected groups and so is
reverting to the Network/Interactive ACLing.
Can you use a website override of the global prefix and find
it to be effective (i.e. on a test site can you get anonusergroup
to work, overriding the anonusergroupprefix value)? How about
if you test this with a local group to rule out issues enumerating
the domain groups?
AIUI the per-site group needs to have as members all accounts
that will have FPSE based authentication, such as authors.
I am not certain whether the IIS accounts are being always
carefully handled in the ACLing or need to be included (in other
words, is IUSR_ equivalent being separately provided for, as
with the Network/Interactive ACLing it was not in many places).
Now, just as a heads up, this solution does not address the
issue of write access being granted on FPSE internal directories
such as _vti_pvt, etc.
--
Roger

"Scott Muc" <smuc@paconline.net> wrote in message
news:01e001c3463c$398a1a80$a301280a@phx.gbl...
> I am a sysadmin for a web-hosting company. We just
> recently launched Windows 2003 and IIS 6. The one major
> problem we are having is with locking down FrontPage.
> I've read the article "Authenticating Users Separately For
> Each Virtual Server", but every time I extend the
> extensions for a website, the INTERACTIVE/NETWORK ACEs
> still get applied to the website's ACLs. I want to use the
> groups DOMAIN\FPSE_W3SVC#. I've added the reg entry for
> anonuserprefix and nomachinegroups and allowunc (websites
> are stored on a remote file server using UNC shares).
>
> The only reason why I think those users are still being
> used is because FrontPage doesn't see that the group for
> that Virtual Server exists (and they do exist). Do any
> users need to be part of these groups? For a feature that
> web-hosts have been demanding for years, it seems odd that
> there's so little documentation on this subject.
>
> Thanks
> Scott Muc
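One way to check a site for the symptoms discussed in this thread, as an added example that is not part of either post: it tests whether the per-site group resolves, whether it appears on the content root's ACL, whether INTERACTIVE/NETWORK ACEs are present, and who holds write access on `_vti_pvt`. It assumes PowerShell is available on the machine running the check; the function name, parameters and the sample call are hypothetical.

```powershell
# Added example: parameter names and sample values are assumptions, not from the thread.
function Test-FpseSiteAcl {
    param(
        [Parameter(Mandatory)][string]$SitePath,    # site content root (local or UNC)
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][int]$InstanceId,     # the "#" in FPSE_W3SVC#
        [string]$GroupPrefix = 'FPSE_W3SVC'         # naming taken from the thread
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $fallback = @{ 'S-1-5-4' = 'INTERACTIVE'; 'S-1-5-2' = 'NETWORK' }   # well-known SIDs
    $group    = "$Domain\$GroupPrefix$InstanceId"
    # Resolve the per-site group first; a failure here points at name resolution, not the ACLs.
    $groupSid = $null
    try {
        $groupSid = (New-Object System.Security.Principal.NTAccount($group)).Translate($sidType).Value
    } catch {
        Write-Warning "Cannot resolve ${group}: $($_.Exception.Message)"
    }

    # Explicit and inherited allow ACEs on the content root, keyed by SID
    $allow = @((Get-Acl -LiteralPath $SitePath).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $sids  = @($allow | ForEach-Object { $_.IdentityReference.Value })

    # SIDs holding the WriteData bit on _vti_pvt, if that directory exists
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $pvt      = Join-Path $SitePath '_vti_pvt'
    $writers  = @()
    if (Test-Path -LiteralPath $pvt) {
        $writers = @((Get-Acl -LiteralPath $pvt).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.FileSystemRights) -band $writeBit) -ne 0 } |
            ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    }

    [pscustomobject]@{
        Path            = $SitePath
        Group           = $group
        GroupResolved   = [bool]$groupSid
        GroupAcePresent = [bool]$groupSid -and ($sids -contains $groupSid)
        FallbackAces    = @($fallback.Keys | Where-Object { $sids -contains $_ } |
                              ForEach-Object { $fallback[$_] })
        VtiPvtWriters   = $writers
    }
}
# Hypothetical call; the server, share, domain and instance ID are placeholders.
# Test-FpseSiteAcl -SitePath '\\fileserver\sites\example' -Domain 'DOMAIN' -InstanceId 1
```

A result with `GroupResolved` false, or with `FallbackAces` listing INTERACTIVE or NETWORK while `GroupAcePresent` is false, matches the fallback behaviour described in the reply above.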