Application Pooling, Authorization and DefaultCredentials

• Previous message: Jonathan Maltz [MS-MVP]: "Re: IIS 6 testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 26 Feb 2004 19:43:49 -0600

I ran into a peculiar problem at work the other day. I had written a simple
MSI installer in VS.NET to transfer a Web Service from my development
machine to a test server box. The test server box runs Windows 2003 and IIS
6.0.

I inadvertantly to use the same name for the virtual directory where it
installed that was in use by another Web Service, and in the process
overwrote two of the files, the Global.asax and Web.config files for the
other Web Service.

This wasn't a big deal, we had the original code backed up on another
machine, and we were able to copy the files over quickly.

But, as a result, we now have a very serious problem with authorization
errors that affects all of our Web Applications running on the default
virtual web site.

We noticed immediately that we could no longer browse Web Services by
right-clicking on asmx files within the IIS Manager without having the
server ask us to authenticate using Windows credentials. We checked the
permissions on the IUSR_<server> user and everything appeared to be fine.
We even tried adding Everybody and granting it full access permissions just
to be sure we weren't missing anything. The problem persisted.

One of the developers suggested that we create a new virtual site listening
at a different port, and try to recreate all the virtual directories. Sure
enough, that seemed to solve the problem. We could access the Web Services
from within IE by browsing the asmx files and we wouldn't get asked to
authenticate.

However, when I went to run a test harness application I run off of a
separate machine, I discovered that all of our web requests would fail with
a HTTP 401 Unauthorized error. Eventually I discovered that if I set the
Credentials property of the Web Service proxy classes we created for the
test harness to DefaultCredentials, we would not get the 401 Unauthorized
error.

We haven't been able to determine what settings may have been altered when I
ran the MSI installer, but a local Microsoft consultant suggested it may
have something to do with the permissions granted to the Built-in Network
Service user that the default Application Pool runs under in IIS 6.0. I
checked that user's permissions and it appears to be properly set, so I
suspect that there may be some other settings that we're missing here.

The good news is that we're able to access the Web Services, provided with
set the Credentials property of the proxy class in all our applications, but
since we are able to run the same exact Web Services on other boxes without
this requirement, we'd really like to understand what may be causing this
problem, and how to correct it.

I should probably note that the installer I created in VS.NET is the same as
other ones we used to install other applications on the same Win 2003 server
in the past; the only difference was that I inadvertanly tried to use the
same virtual directory for another existing Web Service. I don't quite see
why this would cause a problem with all the Web Applications running on the
same virtual server, but obviously it can.

Thanks,
Rob

• Previous message: Jonathan Maltz [MS-MVP]: "Re: IIS 6 testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]