Re: Basic question on Windows Integrated Security

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/25/04


Date: Thu, 25 Mar 2004 12:19:50 +1100

Hi

There is no "integrated security" option in IIS. There is "Integrated
Windows Authentication". This governs communication between browser and
server.

There is an "integrated security" option for SQL Server (as opposed to Mixed
Mode, which also allows SQL Server Authentication).

If you want the IUSR_<machinename> account to be used to log in to SQL
Server, then you need to allow "Anonymous Authentication" in IIS. In this
case, IIS will impersonate the configured anonymous user account, rather
than having the user specify a Windows user account.

Note: the IUSR_<machinename> account is, by default, local to the webserver
and can't be assigned permissions to remote resources. You could change this
to a domain account if you wanted to.

Note: ASP.Net does not use IUSR_<machinename> by default, unless you
configure <identity impersonate="true">. On IIS5, ASP.Net uses the
Machine\ASPNet account by default (you can change this in machine.config for
example). In IIS6 ASP.Net uses the Web Application Pool process identity
(configurable via the IIS Manager).

Cheers
Ken

"Timo" <timo@anonymous.com> wrote in message
news:MPG.1acbd74bc63f19e19896e7@msnews.microsoft.com...
: I've asked in another post a more detailed question about IIS6
: communicating with SQLServer 2000 when the two are on different
: servers, but it occurred to me that I may have a very basic
: misunderstanding about Windows Integrated Security in an internet
: scenario.
:
: When we allow anonymous access in IIS6, and specify which user
: will be the default user for anonymous access (e.g.
: IUSR_SERVERNAME) , I am assuming there we can still use Windows
: Integrated Security because the security model determines what
: IUSR_SERVERNAME can access on the domain, and that we can use
: Integrated Security EVEN IF the anonymous internet user is not
: browsing with Internet Explorer but with another browser such as
: Mozilla or Opera. Is my understanding not correct?
:
: In other words, when we select Integrated Security on the IIS
: properties dialog, is that with respect to communication between
: the IIS worker account and other resources on the domain, or is
: for communication between the remote browser-client and the IIS
: service itself?
:
: Thanks
: Timo
:
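An added diagnostic handler, not part of the original thread, that prints the separate identities the reply distinguishes: the user authenticated between browser and IIS, the Windows identity the ASP.NET code runs as, and the login SQL Server sees over an integrated security connection. The file name whoami.ashx and the server name SQLHOST are placeholders.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmI" %>
// whoami.ashx (hypothetical file name): temporary troubleshooting aid.
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class WhoAmI : IHttpHandler
{
    // Assumption: SQLHOST is a placeholder for the remote SQL Server.
    // "Integrated Security=SSPI" makes SQL Server authenticate the Windows
    // identity of the calling thread; no user name or password is sent.
    const string ConnStr = "Server=SQLHOST;Database=master;Integrated Security=SSPI;";

    public void ProcessRequest(HttpContext ctx)
    {
        // Answer only requests made from the web server itself.
        if (!ctx.Request.IsLocal) { ctx.Response.StatusCode = 404; return; }
        ctx.Response.ContentType = "text/plain";

        // 1. Browser <-> IIS: set by Anonymous / Integrated Windows Authentication.
        IIdentity caller = (ctx.User != null) ? ctx.User.Identity : null;
        bool authenticated = caller != null && caller.IsAuthenticated;
        ctx.Response.Write("Browser-to-IIS user : "
            + (authenticated ? caller.Name + " (" + caller.AuthenticationType + ")"
                             : "(anonymous)") + "\n");

        // 2. Identity the code runs as: the ASP.NET process account, or the
        //    impersonated account when <identity impersonate="true"> is set.
        ctx.Response.Write("Code runs as        : "
            + WindowsIdentity.GetCurrent().Name + "\n");

        // 3. IIS <-> SQL Server: the login SQL Server maps that identity to.
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                ctx.Response.Write("SQL Server login    : " + cmd.ExecuteScalar() + "\n");
            }
        }
        catch (SqlException ex)
        {
            // A machine-local account typically fails here against a remote server.
            ctx.Response.Write("SQL Server login failed (error " + ex.Number + ")\n");
        }
    }

    public bool IsReusable { get { return true; } }
}
```

Requesting the handler once with impersonation off and once with it on shows how lines 2 and 3 change while line 1 stays "(anonymous)" under anonymous access, whatever browser is used.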
