Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?
From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 02/13/04
- Next message: Bernard: "Re: SSL Certificate"
- Previous message: Bernard: "Re: How to name a SSL domain?"
- In reply to: C K: "IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Next in thread: C K: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Reply: C K: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 13 Feb 2004 18:39:03 +0800
Wow, now you make me confuse :)
what other ACLs you have for the data folder ?
AFAIK, your 'testservice' is process identity to execute the w3wp.exe
and the 'iusr' user identity for actual access.
have you try filemon (sysinternals.com) and actually trace down the 'user'
that writting the content.
-- Regards, Bernard Cheah http://support.microsoft.com/ Please respond to newsgroups only ... "C K" <blah@blah.com> wrote in message news:c0h85j$m3h$1@newstree.wise.edt.ericsson.se... > Hi, > > I am currently test running an old ASP application on IIS 6.0 and I have a > question on what user identity is actually being used. I created a new > application pool with its own service identity account (let's call it > TestService, and added it to the IIS_WPG group) and assigned the web app to > use the app pool. I have also enabled anon access on the web app, using the > IUSR account. The web app, upon start up, a COM object connects to a > network server and d/ls files to a data directory. The data directory has > to have correct NTFS permissions for this to work. > > Now... here are my tests. > > 1) I first set the NTFS permissions of the data directory to NOT allow > modify/write access to the TestService account and to allow modify/write > access to the IUSR account (I know I'm not supposed to, but this is just a > test). This did not work. > > 2) I then set the data directory to allow modify/write access to the > TestService account and the IUSR to only have read access. This worked. > > etc... > > What I basically found was that only the NTFS setting on the TestService > account mattered for this operation to succeed. But based on all I've read, > isn't it the authenticated user (in this case, the IUSR) that's supposed to > be impersonated, and all actions are performed as if it was the IUSR? In > this case, it doesn't even seem like the NTFS settings for IUSR matter at > all. I even removed IUSR from the NTFS permissions completely and it still > worked. Does anyone know why? > > This is an excerpt from a Microsoft document: > For ASP applications, the type of authentication that is used by the user > automatically determines impersonation behavior. Because the impersonation > behavior is automatic, no configuration is required. > > The impersonation behavior in an ASP application is as follows: > > ? If an anonymous user makes a request, the thread token is based on > the user account that is configured as the anonymous user identity (by > default, this is the IUSR_machinename user account). > > ? If an authenticated user makes a request, the thread token is > based on the authenticated account of the user. > > > > > > > > Thanks if anyone can explain this to me. > > >
- Next message: Bernard: "Re: SSL Certificate"
- Previous message: Bernard: "Re: How to name a SSL domain?"
- In reply to: C K: "IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Next in thread: C K: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Reply: C K: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
