Re: IIS 6.0 CGI pipe broken...

From: Hoch (Hoch_at_fightspammers.com)
Date: 11/21/03


Date: Fri, 21 Nov 2003 22:01:21 +0100

David,

Again, thank you for your help! :-)

But still no luck...

> When you changed the group membership of IUSR, can you restart IIS to be
> certain the change sticks before trying the request again?

Done. We still get the error giving IUSR administrator permissions and
restarting IIS.

> Is your CGI configured to use the process or impersonated identity
> (separate configuration from AppPool Identity)? By default, it should be
> impersonating (like IUSR for anonymous access).

We have the CGI app pool set to Local System. If we impersonate we have
to use an account from the IIS_WPG that, if I'm not wrong, has less
permissions than Local System.

> Can you check on the ACLs of the database Client EXE and ensure that they
> are valid for access by the identity that runs the CGI?

We gave System, Network service and local service full access permissions
to
the folders where the windows exe and the CGI are located and to all the
files
contained in that folder and we still get the error.

We also have set the windows and system32 folders read and execute
permissions
for IUSR. It allready had System permissions so Local System should be able
to execute wathever dll it needs?

> Does the CGI report/log the errors that it gets from the database Client?

No but it displays an error that means that it can't access its ini file.
In fact it reads the ini file once and then it stops with this error.
With Apache it reads maybe 10 or 15 times the ini file before giving a
correct
answer to the server. This is what we see when we monitor file acces an
named pipes acces with Filemon.

There is a setting in the metabase, CreateCGIWithNewConsole, that maybe
could help? Although we are not using this with our IIS 4 setup.

TIA!

Hoch.



Relevant Pages

  • Re: How to modify program files in Vista?
    ... create it within HKLM and change the permissions. ... the INI file to all users. ... What "corporate security" applications do you know that will do ... But I doubt that it is truly global state; more likely it is per-user ...
    (microsoft.public.vc.mfc)
  • Re: Event ID 10010 DCOM error on SBS 2008
    ... One of the steps, outlined below, mentions "Local System" permissions ... Local Lunch and Local Activation permissions. ... check your install for Local System in those permission lists? ...
    (microsoft.public.windows.server.sbs)
  • Re: Event ID 10010 DCOM error on SBS 2008
    ... I don't have an SBS 08 nearby to compare permissions. ... I don't think you're likely to have any issues with adding Local System, especially if you've seen that documented. ... Local Lunch and Local Activation permissions. ... of you check your install for Local System in those permission lists? ...
    (microsoft.public.windows.server.sbs)
  • Re: Event ID 10010 DCOM error on SBS 2008
    ... One of the steps, outlined below, mentions "Local System" permissions ... Local Lunch and Local Activation permissions. ... of you check your install for Local System in those permission lists? ...
    (microsoft.public.windows.server.sbs)
  • Re: SQL Server Service User Account
    ... "Local System" is actually worse than a custom local administrative account because it has even more permissions initially (of course, any administrator can grant themselves the same permissions because, well, they're *administrators*). ... For example, it no longer matters if you've set up your SQL Server to use Windows authentication or encryption, because the compromised service can be used to read the data files or system memory directly. ...
    (microsoft.public.sqlserver.server)