IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?
From: C K (blah_at_blah.com)
Date: 02/13/04
- Next message: boofhead: "IP Address Restriction for dynamic content"
- Previous message: cha Yang: ""Access Denied" When creating a certificate request (CSR)"
- Next in thread: Bernard: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Reply: Bernard: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Reply: David Wang [Msft]: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 12 Feb 2004 17:16:35 -0800
Hi,
I am currently test running an old ASP application on IIS 6.0 and I have a
question on what user identity is actually being used. I created a new
application pool with its own service identity account (let's call it
TestService, and added it to the IIS_WPG group) and assigned the web app to
use the app pool. I have also enabled anon access on the web app, using the
IUSR account. The web app, upon start up, a COM object connects to a
network server and d/ls files to a data directory. The data directory has
to have correct NTFS permissions for this to work.
Now... here are my tests.
1) I first set the NTFS permissions of the data directory to NOT allow
modify/write access to the TestService account and to allow modify/write
access to the IUSR account (I know I'm not supposed to, but this is just a
test). This did not work.
2) I then set the data directory to allow modify/write access to the
TestService account and the IUSR to only have read access. This worked.
etc...
What I basically found was that only the NTFS setting on the TestService
account mattered for this operation to succeed. But based on all I've read,
isn't it the authenticated user (in this case, the IUSR) that's supposed to
be impersonated, and all actions are performed as if it was the IUSR? In
this case, it doesn't even seem like the NTFS settings for IUSR matter at
all. I even removed IUSR from the NTFS permissions completely and it still
worked. Does anyone know why?
This is an excerpt from a Microsoft document:
For ASP applications, the type of authentication that is used by the user
automatically determines impersonation behavior. Because the impersonation
behavior is automatic, no configuration is required.
The impersonation behavior in an ASP application is as follows:
· If an anonymous user makes a request, the thread token is based on
the user account that is configured as the anonymous user identity (by
default, this is the IUSR_machinename user account).
· If an authenticated user makes a request, the thread token is
based on the authenticated account of the user.
Thanks if anyone can explain this to me.
- Next message: boofhead: "IP Address Restriction for dynamic content"
- Previous message: cha Yang: ""Access Denied" When creating a certificate request (CSR)"
- Next in thread: Bernard: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Reply: Bernard: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Reply: David Wang [Msft]: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
