Re: IIS Isolation Mode

From: Amol Naik (anonymous_at_discussions.microsoft.com)
Date: 12/12/03


Date: Thu, 11 Dec 2003 20:16:08 -0800

Hi,
    We create some files and read some files in the ISAPI. Does this have to do some thing out here? Please let me know if it is so.

Thanks and Rgds
Amol.
     
     ----- Wade A. Hilmo [MS] wrote: -----
     
     Hi Amol,
     
     From your description of the issue, it sounds like your ISAPI is doing
     something that requires local system privileges, and if it doesn't have it,
     it causes the worker process to terminate. This could either mean that it
     crashes, or it could mean that it exists the process hosting the ISAPI some
     other way.
     
     From an administrative standpoint, there is nothing that you can do, except
     to run it as local system. If you do this, you should consider creating an
     application pool specifically for that ISAPI in order to isolate it from
     other parts of the server that don't need local system.
     
     From an ISAPI developer point of view, you should code review and debug the
     ISAPI itself to see where its local system dependency is, and what it does
     in the case where it has insufficient privileges. Once you know what that
     dependency is, then you can determine if you can implement an administrative
     solution (ie. changing ACLs somewhere), or whether the ISAPI itself needs to
     be modified.
     
     As or the adsutil.vbs question, I don't know if they are the same. If you
     are really curious, you could diff them. Even if they are different, I
     would guess that the IIS 5 version will work correctly on IIS 6, since ADSI
     is compatible between the two. Note, though, that some IIS 6 ADSI things
     will not work on IIS 5, since changes were definitely made to ADSI itself to
     support new metadata stuff in IIS 6.
     
     I hope that this helps,
     -Wade A. Hilmo,
     -Microsoft
     
     "Amol Naik" <naik@india.hp.com> wrote in message
     news:FD8B8DA8-989C-47A6-BA24-ED724D5E155D@microsoft.com...
> HI,
> We have been building an application for IIS 5.0. But now we want to
     move to IIS 6.0. We tried to install using the same scripts that we had used
     for IIS 5.0. It seems to install fine.
>> There were some changes in the scripts that we have done .. like the
     virtual directory getting created in 5.0 in registry to the metabase.xml
     file using CREATE, SET commands of adsutil.vbs file.
>> Now we get the problem with "Service Unavailable".
>> I tried to search in some of the newsgroups and found that we can remove
     this by changing the DefAppPool security setting to local system. We want to
     avoid this due to security issues. Can you please help us with this.
>> Few points that came to my mind:
>> 1. Is there any issues using DllMain etc in the IIS API in 6.0. Some where
     I seem to read that there is some problem with the DllMain to be used in IIS
     6.0. If so please let us know. But we dont want to change this as well since
     we want the same binary to be used in both IIS 5.0 and IIS 6.0.
>> 2. "Run in IIS 5.0 Isolation Mode". This was one issue. We dont want to
     use this either since it again uses the Local System authentication.
>>> Any inputs on the same as to how to make this work will be great.
>>> One more important thing to be asked:
>> 1. Is there any significant change in the adsutil.vbs file from IIS 5.0 to
     IIS 6.0? Can we use the same file or do we need to use the one for IIS 6.0
     in the AdminScripts for the same???
>> This information is very urgent for us to proceed and commit on the same.
>> My email Id is naik@india.hp.com. Any one can contact me on this id!!!
>> Thanks in Advance.
>> Rgds
> Amol.
     
     
     



Relevant Pages

  • Re: IIS (or Isapi) adds Connection header to response
    ... I would never rely on a bug in a browser implementation as the means to get ... > I dont currently have access to the ISAPI code. ... available on any other IIS version. ... NTLM header since it is no longer useful. ...
    (microsoft.public.inetserver.iis.security)
  • Re: ISAPI vs. HTTPModule
    ... which parses the request and dispatches it to IIS in usermode. ... extension of the request is determined, and then sent to its handler. ... > ISAPI will not be able to access any .Net intrinsics/events. ...
    (microsoft.public.inetserver.iis)
  • Re: IIS Isolation Mode
    ... something that requires local system privileges, and if it doesn't have it, ... it causes the worker process to terminate. ... or it could mean that it exists the process hosting the ISAPI some ... would guess that the IIS 5 version will work correctly on IIS 6, ...
    (microsoft.public.inetserver.iis.security)
  • Re: .Net COM interop initialization question
    ... com interop will try to look for.config to initialize itself (though no ... one specified what would be or how the interaction with unmanaged code ... When you say ISAPI, do you mean something you wrote in C++ as an ISAPI ... IIS sits on top of COM+ (the MTS part primarily, where it has sat since IIS ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: IIS error with ISAPI and virtual directory to remote svr .. 40
    ... Web Server on machine B ... In particular, with some authentication protocols, your ISAPI ... Then immediately stop IIS. ... virtual directory it impersonates with 'user a''s account for security ...
    (microsoft.public.inetserver.iis)