Re: ASP.NET Impersonation Works, ASP Classic doesn't

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/07/04 

Date: Fri, 7 May 2004 06:04:18 -0700

> 8. In IIS, made the changes to the web app to all anonymous and changed
> the anonymous user to the above webuser from the AD, using the now
> synchronized password.
and that account was granted logon rights on the IIS box ? such
as by adding it to the machine local Users group ??? in general
there are other User Rights the backend account(s) also need . . . 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Mark Lybrand" <markyesme@yahoo.com> wrote in message
news:OaIe8V7MEHA.3208@TK2MSFTNGP10.phx.gbl...
>
> Thanks for the quick response.
>
> I must be the thickest person on the face of the earth, but that ASPFAQ
> article did not appear to directly address my issue (but would have been
> a big help in the first phase of the issue).
>
> Maybe I can further clarify what I have successfully accomplished and
> what I haven't.
>
> 1. On Win2k, IIS5.
> 2. This machine is part of our organization's Active Directory.  Let's
> call the organization "department"
> 3. I had our network folks create a user in the AD; let's call him
> "webuser".
> 4. Also had the administrator of the Novell server in question create a
> user called "webuser" and gave that user full rights to resources in
> question.
> 5. Passwords were synchronized in both the AD and on the Novell server.
> 6. Added user, picked from AD, to the Administrators group on Win2k box.
> 7. Set up share through Gateway Services for NetWare (to establish the
> necessary connection between this box and the Novell box).
> 8. In IIS, made the changes to the web app to all anonymous and changed
> the anonymous user to the above webuser from the AD, using the now
> synchronized password.
> 9. Changed connection string in ASP page to use the fully qualified UNC.
> 10. Successfully connected and processed page!!!
> 11. Didn't want webuser in Administrators group (too many rights).  So
> placed him in a group with fewer rights on the Win2k box.
> 12. Failure.  Checked to make sure that that group had access to
> Inetpub/wwwroot/applcition.  Failure (but the ASP.NET test version began
> working again at this point)
> 13. Changed connection string to point to another box (Win2k, to make
> sure the whole Novell thing is not the issue).  No dice.  But the
> ASP.NET version still works (Oh, BTW, first thing I do with every
> failure is to start and stop IIS, in case that is an issue).
>
> I had expected the ASP.NET version to break too, but it kept working....
> So, I am assuming that there is some other folder that is being accessed
> by IIS alone when establishing the connection, that ASP.NET bypasses
> (hence the breakage when groups are changed). It's unforunate, because
> the ASP.NET error message would have been infinitely more useful than
> the ASP message.  Am I on the right track?  What folders should I be
> looking at?  Am I just refusing to see the solution that I have already
> been shown?
>
> Thanks again for your willingness to help.
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

Relevant Pages