Re: Basic question on Windows Integrated Security

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/26/04


Date: Fri, 26 Mar 2004 12:28:15 +1100

Hi,

This is going to be even more confusing... :-)

IUSR_<machinename> is not the default Web App Pool identity.
IUSR_<machinename> is used by IIS as the account to impersonate for requests
where the user has not provided any credentials. So, if I request
http://servername/somepage.htm then IIS needs to impersonate a user account
in order to read the file off the hard disk. This user account is
IUSR_<machinename> (by default).

Now, each web application/website runs inside a process called w3wp.exe
(there can be multiple w3wp.exe processes on the server, if you configure
many app pools - eg to isolate your applications from each other for
stability purposes). The w3wp.exe process itself must have a user context
(called a process identity). Why? Well, even when the website is not
receiving any requests, w3wp.exe is still running, and it needs to run under
some kind of user account (everything in Windows does). This is the Web App
Pool identity, and is configurable via the Application Pools node in the IIS
Manager. The default process identity is NT AUTHORITY\Network Service.

Now, remember before how I said IIS impersonates IUSR_<machinename>? Well, it
does, for all requests for static files, and all ASP files. But *not*
ASP.Net files (eg .aspx, .asmx etc). ASP.Net just uses the default Web App
Pool identity (by default). So, if you wanted to login to SQL Server, then:

a) you could change the default web app pool identity to a domain account.
Make sure the domain account is in the IIS_WPG group on the webserver (this
group is allocated the necessary minimum rights to function as a worker
process). In SQL Server, in the "Security->Logins" node, you add
Domain\UserAccount as a permitted login, and configure whatever database
accesses you need.

b) if you also have ASP pages etc, then you might want to configure the IIS
anonymous user account (IUSR_<machinename>) to also be this domain account.
To have ASP.Net use the IUSR account instead of the worker process identity,
set <identity impersonate="true"> in your web.config. Then you can leave the
Worker Process identity alone.

c) SPNs, delegation etc are only required when the user authenticates to
IIS. When the user authenticates using Digest or IWA authentication, IIS
*does not have the user's password*. All it has is a token from the Domain
Controller verifying the user's identity. The token does not have privileges
to logon to other network resources. To do that, you need to configure
delegation, and SPNs (if required) (see the thread above this one for a
whole bunch of links).

Cheers
Ken

"Timo" <timo@anonymous.com> wrote in message
news:MPG.1acc9ccbd9761e5e9896e8@msnews.microsoft.com...
: Ken,
: Thanks for the clarifications. Beginning to see some light through
: the trees ;-)
:
: Is the default Web Application Pool process identity, like the
: IUSR_<machinename> account, local to the machine so that it too
: cannot be granted permissions on remote resources? If we were to
: specify a particular domain account (with requisite SQL
: permissions) as the Web Application Pool process identity, are we
: then required to create some sort of special relationship ("trust
: relationship?") between the SQL server and that domain account?
: I'm confused by the articles I've been reading and the advice I've
: been getting on this; some say to assign Service Principal Names
: and others say this is unnecessary. We're Win2003 with
: ActiveDirectory, IIS6, SQL2000.
:
: Thanks
: Timo
:
:
: In article <eiSgGdgEEHA.3424@tk2msftngp13.phx.gbl>,
: kenREMOVE@THISadOpenStatic.com writes...
: >Note: the IUSR_<machinename> account is, by default, local to the webserver
: >and can't be assigned permissions to remote resources. You could change this
: >to a domain account if you wanted to
: >
: >Note: ASP.Net does not use IUSR_<machinename> by default, unless you
: >configure <identity impersonate="true">. On IIS5, ASP.Net uses the
: >Machine\ASPNet account by default (you can change this in machine.config for
: >example). In IIS6 ASP.Net uses the Web Application Pool process identity
: >(configurable via the IIS Manager).
: >
: >
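Ken's steps (a) and (b) end with "configure whatever database accesses you need" in SQL Server. The T-SQL below is an added example, not part of the original thread, showing what that step looks like on SQL Server 2000 when the worker process (or the IIS anonymous account, if you impersonate) runs as a domain account. The domain account CONTOSO\svc_webapp, the database Northwind and the stored procedure dbo.GetOrdersForCustomer are assumptions for illustration; substitute your own.

```sql
-- Added example (not from the original post): least-privilege SQL Server 2000
-- setup for the domain account that the IIS 6 app pool (or IUSR) runs as.
-- CONTOSO\svc_webapp, Northwind and dbo.GetOrdersForCustomer are assumptions.

USE master
GO

-- 1. Windows (trusted) login for the domain account. Because it is a Windows
--    login, no SQL password is stored in SQL Server or in web.config; the
--    worker process authenticates with its own token.
EXEC sp_grantlogin 'CONTOSO\svc_webapp'
GO

-- Note what is deliberately absent: no sp_addsrvrolemember ... 'sysadmin'.
-- Granting the web account sysadmin is the usual shortcut and the usual mistake.

-- 2. Map the login to a user in only the database the application needs.
USE Northwind
GO
EXEC sp_grantdbaccess 'CONTOSO\svc_webapp', 'svc_webapp'
GO

-- 3. Grant access through stored procedures rather than direct table rights,
--    so a SQL injection in the web tier cannot read or change arbitrary tables.
GRANT EXECUTE ON dbo.GetOrdersForCustomer TO svc_webapp
GO

-- If the application genuinely needs ad-hoc reads, a fixed database role is
-- the next-least-privileged option (still no write access):
-- EXEC sp_addrolemember 'db_datareader', 'svc_webapp'

-- 4. Check: the login should exist as a Windows login (isntname = 1)
--    and must not be a member of the sysadmin server role (sysadmin = 0).
SELECT name, isntname, sysadmin
FROM master.dbo.syslogins
WHERE name = 'CONTOSO\svc_webapp'
```

With this in place the ASP.NET connection string uses `Integrated Security=SSPI` (no user id or password), and SQL Server sees the connection as CONTOSO\svc_webapp: the app pool identity in case (a), or the impersonated IUSR account when `<identity impersonate="true">` is set as in case (b). Run the final SELECT after the change; a row with isntname = 1 and sysadmin = 0 confirms the account is a Windows login with no server-wide rights.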


