Re: IIS 6.0 + Win 2003 + ISAPI
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/10/04
- In reply to: qswami: "IIS 6.0 + Win 2003 + ISAPI"
Date: Tue, 10 Aug 2004 00:13:33 -0700
You've basically shown that since the application EXE runs on Windows Server
2003 but not over IIS, the problem is probably with permissions. Running
code via a console login has always been different than making a request to
a web server to execute that same code -- for one thing, user credentials
can be different due to configuration, privileges can be different, as well
as the user logon type and profile loaded. Basically, make sure the remote
authenticated user that is executing the ISAPI extension DLL is able to
write to where it needs.

You can use filemon from www.sysinternals.com to empirically figure out the
user being denied access. Or you can figure it out by isolating out the
authentication protocol used for the request and whether your ISAPI uses the
impersonated or process identity.

Thus, the question is not one of "the same method which works with IIS5 does
not work with IIS6". The process identity (amongst many other things) has
changed between IIS5 and IIS6 for security reasons, so things no longer
"magically" work. Access Denied is simply a sign for you to now do
something that needed to be done before, such as:

1. Determine the actual user credential running the ISAPI and whether it is
secure. Giving IUSR lots of access (because it "works") is a bad idea for
security, for example.
2. Securely use the API necessary in the ISAPI DLL.
3. Correctly ACL the resources on the system to give the user in #1 access.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"qswami" <anonymous@discussions.microsoft.com> wrote in message
news:26c501c47dcd$4d8f4860$a501280a@phx.gbl...
> What specific permissions do I need to create a file in Win 2003 server,
> by an ISAPI extension running on IIS 6.0?
>
> In our application we would create a temporary file to hold some
> important information, and place it inside one of the subdirectories
> where the ISAPI extension is present. The temporary file creation could
> not happen for whatever reason in Win 2003 / IIS6. The same method works
> with Win 2000 + IIS 5.0 when run as an ISAPI extension.
>
> However, if the subdirectory with the temporary file running successfully
> in Win 2000 is copied to Win 2003 server, from then on, it works fine.
> Also, the same application, when run as *Exe* in Win 2003, is able to
> create the required temporary file.
>
> Is the original issue with the Win 2003 server permissions or the IIS
> settings?
>
> Any suggestions are welcome.
>
> Thanks,
> Swami
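
Steps 1 and 3 of the reply above, as an added PowerShell example for a current Windows system; it is not part of the original posting or of any Microsoft tooling. The directory path and the default account name are assumptions: substitute the identity you actually observe (for example with filemon) and the directory your ISAPI writes to.

```powershell
# Added example. $TempDir and the default $Identity are placeholders, not values from the thread.
param(
    [string]$TempDir  = 'D:\ExampleSite\isapi\temp',     # hypothetical directory the ISAPI writes to
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE',  # assumed; use the identity found in step 1
    [switch]$Apply                                       # without -Apply the script only reports
)

# Create, write and delete temp files; deliberately no execute and no permission changes.
$needed = [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete'

$sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$acl   = Get-Acl -LiteralPath $TempDir
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Sum the ACEs that name this identity directly and apply to the directory itself.
# Rights or denials that arrive through group membership are not evaluated here.
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow = 0; $deny = 0
foreach ($r in $rules) {
    if ($r.IdentityReference.Value -ne $sid.Value) { continue }
    if ($r.PropagationFlags.HasFlag($inheritOnly)) { continue }
    if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
    else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
}

# Deny ACEs win over allow ACEs.
$effective = $allow -band (-bnot $deny)
$missing   = [int]$needed -band (-bnot $effective)

if ($missing -eq 0) {
    "$Identity already has $needed on $TempDir"
} elseif ($deny -band [int]$needed) {
    "$Identity is explicitly denied part of $needed on $TempDir; review that deny ACE first"
} elseif ($Apply) {
    # Grant only what is needed, only on this directory and its children.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $needed, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $TempDir -AclObject $acl
    "Granted $needed to $Identity on $TempDir"
} else {
    "Missing: $([System.Security.AccessControl.FileSystemRights]$missing). Re-run with -Apply to grant."
}
```

Run it from an elevated prompt; without `-Apply` it changes nothing and only reports which rights the identity lacks.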