Re: Problem with IIS 5.0 App Protection Low (IIS 6.0 Local System diff
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/25/04
- Next message: WenJun Zhang[msft]: "RE: Integrated Windows Auth Problem"
- Previous message: Glenn Vassallo [MSFT]: "RE: need help:)"
- In reply to: GD: "RE: Problem with IIS 5.0 App Protection Low (IIS 6.0 Local System diff"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 24 Aug 2004 20:33:14 -0700
The reason for this is because on IIS6 Worker Process Isolation Mode
(default), ASP.Net uses the IIS6 process model instead of its own. Hence,
since ASP.Net does not impersonate by default, it will run with the process
identity you configure in IIS6 Application Pool (i.e. Local System, in your
case) -- and ignore its <processModel> directive.
Meanwhile, on IIS5, ASP.Net uses its own process model, whose process
identity depends on the userName property in the <processModel> element in
machine.config. Thus, when you changed it to SYSTEM, it works.
If you ran ASP.Net on IIS6 in IIS5 Compatibility Mode, you will find the
same behavior (i.e. ASP.Net uses its own process model; Application Pools
have no effect).
-- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // "GD" <GD@discussions.microsoft.com> wrote in message news:C20EA532-8EB0-4C6A-A8D3-F808D78E74BE@microsoft.com... We seems to have solved our problem by using the ASP config file settings. ---------------- Changed the userName to "SYSTEM" in <processModel> element in Machine.config, restart all the IIS process from the service control panel and now it works. See MSDN section "Authentication in ASP.NET: .NET Security Guidance" for details. ----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8< --------8<--------8<--------8<---- Application identities You are advised to run the ASP.NET application worker process (aspnet_wp.exe) using a specifically configured account, with weaker privileges than the default System account. This is for two main reasons. Firstly, if security is breached, the intruder does not have administrative access. Secondly, it allows Application Service Providers (ASPs) to run applications using weaker accounts, so hosted applications cannot compromise the integrity of the server computer or perform actions that require administrative privileges. To run the ASP worker process using a specified account, add a <processModel> element to the root configuration file (machine.config), located in the \WINNT\Microsoft.NET\Framework\Version\Config folder, as shown below: <system.web> <processModel enable="true" username="domain\user" password="pwd"/> </system.web> In addition to specifying a particular user account, you can also set the username attribute to one of two specially recognized values, "SYSTEM" and "MACHINE". In both cases, the password attribute must be set to "AutoGenerate", as specific credentials are not required. The "SYSTEM" setting (which is the default) runs the worker process using the System account, while "MACHINE" causes the worker process to run with a special account named with an ASPNET prefix. This account is similar to the IWAM_MACHINENAME account, used by IIS for running instances of dllhost.exe when hosting regular ASP applications. The ASPNET account is created during .NET installation. ----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8< --------8<--------8<--------8<---- Thanks anyways, GD
- Next message: WenJun Zhang[msft]: "RE: Integrated Windows Auth Problem"
- Previous message: Glenn Vassallo [MSFT]: "RE: need help:)"
- In reply to: GD: "RE: Problem with IIS 5.0 App Protection Low (IIS 6.0 Local System diff"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
