Re: IIS 6.0 + Win 2003 + ISAPI

From: David Wang [Msft] (
Date: 08/10/04

Date: Tue, 10 Aug 2004 00:13:33 -0700

You've basically shown that since the application EXE runs on Windows Server
2003 but not over IIS, the problem is probably with permissions. Running
code via a console login has always been different than making a request to
a web server to execute that same code -- for one thing, user credentials
can be different due to configuration, privileges can be different, as well
as the user logon type and profile loaded. Basically, make sure the remote
authenticated user that is executing the ISAPI extension DLL is able to
write to where it needs.

You can use filemon from to empirically figure out the
user being denied access. Or you can figure it out by isolating out the
authentication protocol used for the request and whether your ISAPI uses the
impersonated or process identity.

Thus, the question is not one of "the same method which works with IIS5 does
not work with IIS6". The process identity (amongst many other things) has
changed between IIS5 and IIS6 for security reasons, so things no longer
"magically" work. Access Denied is simply a sign for you to now do
something that needed to be done before, such as:
1. Determine the actual user credential running the ISAPI and is it secure.
Giving IUSR lots of access (because it "works") is bad idea for security,
for example.
2. Securely use the API necessary in the ISAPI DLL
3. Correctly ACL the resources on the system to give user in #1 access

This posting is provided "AS IS" with no warranties, and confers no rights.
"qswami" <> wrote in message
What specific permissions do I need to create a file in
Win 2003 server, by a ISAPI extension running on IIS 6.0.
In our application we would create a temporary file to
hold some important information, and place it inside one
of the Subdirectories where the ISAPI extension is
present. The temporary file creation could not happen for
whatever reason in Win 2003 / IIS6.
The same method which works with
Win 2000 +  IIS 5.0 when run as an ISAPI
extension. However, if  the subdirectory with the
temporary file running successfully in Win 2000 is copied
to Win 2003 server,  from then on, it works fine.
Also, the same application, when run as *Exe* in Win
2003,  is able to create the required temporary file.
The original issue is with the Win 2003 server permissions
or the IIS settings ?
Any suggestions are welcome