Permission problems with IIS 6.0

From: Kalyan Sunkavalli (kalyank_at_talisma.com)
Date: 04/29/04 

Date: 28 Apr 2004 23:54:49 -0700

Hello,

We have an application that involves client making calls to ISAPI dll
on an IIS Server which then connects to a Database through an
application server. We were running this on IIS 5.0 and it used to
work fine with the different components installed on either the same
or different machines.

We are now testing it on IIS 6.0 in Win2003 and have run into some
issues. The details of our installation are as follows:
1. Our application server and the DB server are both on the same
Win2000 machine.
2. Our IIS server which connects to the above is on a Win2003 machine.
3. We are running IIS in the 6.0 mode
4. We have created a new application pool thats runs using "Local
System"
5. Our virtual directories are run in this new application pool.
6. We have enabled both anonymous access (the anonymous user uses the
IUSR_<ComputerName> account) and integrated windows authentication.
7. We have given the IUSR_<ComputerName> account permissions over the
files and folders which are going to be accessed.
8. The application server is run as a DCOM service with anonymous
access enabled.

With the above configuration our application doesn't run. The calls
made from the IIS server to the application server fail with an
E_ACCESSDENIED error.

We have figured out a work around. By creating an new account on both
the IIS server as well as the application server with the same user
name and password our application works. The new user is by default
created in the Users group and we found that by removing this user
from the users group and by shifting him to the Guests group also
works fine.

We have also noticed that with the IUSR_<ComputerName> account when
our clients make a call to the IIS Server there seems to be some NTLM
authorization. Sometimes a dialog is popped up asking for credentials
and on supplying the same it works. But soemtimes this dialog does not
happen and the NTLM authorization is handled internally and fails.

We also made sure that there is no mismatch in the IUSR_<ComputerName>
account passwords in the IIS metabase and the OS.

Has anyone here had similar problems? Why is this happening and is
there any extra set of permissions that we need the
IUSR_<ComputerName> account so that it runs?

Thanks,
Kalyan Sunkavalli

Relevant Pages

  • Re: Troubleshoot Security Issues
    ... I forgot to mention that my IIS server hasn't been rebooted since ... so I guess the only thing left is delegation... ... > running under the Localsystem account. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: HTTP Access to SSAS with anonymous even possible?
    ... anonymous is not possible unless IIS and SSAS are on the same box. ... instead of using the IUSR_Machine account, use a valid user domain account. ... to the IIS server. ... So the IIS server is sending it's IUSR_MACHINENAME ...
    (microsoft.public.sqlserver.olap)
  • Re: Getting attacked on port(s) 53, 139, 445 & 1433???
    ... the traffic is originating from your IIS server, ... If you can confirm that the traffic is really coming from your IIS server, ... Note that successful IIS buffer overflow attacks don't show up in the IIS ... > these ports is because these ports are the only ones ...
    (microsoft.public.inetserver.iis.security)
  • Re: Socket programming in asp.net ?
    ... about the client itself is often complex. ... server, and your client machines will more than likely be behind NATs, ... this data received from IIS server machine. ... socket programming concepts in c# will be ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Permission problems with IIS 6.0
    ... > We have an application that involves client making calls to ISAPI dll ... > application server. ... > made from the IIS server to the application server fail with an ... > account passwords in the IIS metabase and the OS. ...
    (microsoft.public.security)