Re: What would prevent an ISAPI extension from opening a socket on IIS 6?

From: David Cordes (David_Cordes_at_hotmail.com)
Date: 11/08/04 

Date: 8 Nov 2004 10:28:42 -0800

They are two ISAPI Filters each made by different company that makes a
network connection. Both fail when they try to make that network
connection only on one customer's machine. They both work on my
machine and many other customers' machines.

I am collecting the customer's application pool settings to see
whether they are in isolation mode and if not which identity they are
using.

However, I am not sure how a user account can be configured in such a
way as to make opening any network connection impossible. Other
accounts can make network connections. Did you have a particular
setting in mind? I looked through the local security policy settings
for "Security Options" and confirmed that "Network access" settings
made sense when compared to my machine.

    --- David

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<#26MP28wEHA.1296@TK2MSFTNGP10.phx.gbl>...
> Are you talking about an ISAPI Extension or an ISAPI Filter?
>
> ISAPI Filter on IIS6 would be running as process identity, which is either
> LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6
> Worker Process Isolation Mode.
>
> ISAPI Extension would be the impersonated identity, which is either the
> configured anonymous user if anonymous authentication, or likely to be the
> logged in browser user for any other authentication type.
>
> I'm not certain if Windows Server 2003 has decided to deny certain user
> identities access to Networking. Are you saying that the Winsock call works
> on your Windows Server 2003 but not your customer's?
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "David Cordes" <David_Cordes@hotmail.com> wrote in message
> news:c462028e.0411051531.5f7064a@posting.google.com...
> Problem
> =-=-=-=-
> I am working with a customer who has installed IIS 6. They have
> installed two different products that communicate with other servers
> through ISAPI Filters. In both products the ISAPI filters work
> correctly until they try to obtain a socket.
>
> Both of these programs are trying to communicate to different server
> process on the same machine with 127.0.0.1 as the address. Both
> server processes show every indication of working.
>
> I suspect there is an IIS or Windows Server 2003 setting I am missing.
>
> Technical Details
> =-=--==-=--=-==-=-
> One of the products is Open Source so I was able to determine the
> exact line that gets called:
>
> socket(AF_INET, SOCK_STREAM, 0);
>
> The WinSock2 API using WSAGetLastError() indicates that permission is
> denied.
>
> The customer can use other programs (such as telnet) to obtain a
> socket, open a connection to the local server process. The problem
> appears only to occur when running within IIS 6 with the IUSR account.
>
> Already Checked:
> =-=-=-=-=-=-=-=-
> - TCP/IP Filterting on the adaptor turned off.
> - Local security policy has not applied any of the ip policies and all
> network access user settings are identical to those on my Windows
> Server 2003 machine.
> - Customer indicates that no firewalls are running on this machine and
> since I am connecting via 127.0.0.1 an external firewall should not
> have any bearing here I would expect. I also do not suspect a
> firewall, firewalls usually block communications but do not prevent a
> socket from even being obtained from the OS.
>
> Any suggestions are appreciated. Thank you.

Relevant Pages

  • Re: Losing access to a shared folder
    ... that something strange with the network connection is going on. ... Both shares are on the same file server. ... domain controllers as preferred and secondary dens servers. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: new 5.1 install network problem.
    ... I believe that the DNS timeout is a symptom rather than cause ... pinging the IP address of the DNS server. ... new 5.1 install network problem. ... > the network connection worked fine, ...
    (freebsd-questions)
  • Re: Group Policy Error
    ... I fixed the error by going into network connection and then advanced ... Failed To Open the group policy object. ... Suggest posting an ipconfig/all from the server. ...
    (microsoft.public.windows.server.sbs)
  • Re: Cannot access network share
    ... How to Setup Windows, Network, VPN & Remote Access on ... Windows IP Configuration ... Network Connection ... that I cannot access is on a Windows 2003 Server. ...
    (microsoft.public.windows.server.networking)
  • Re: Computer does not recognize printer attached to another comput
    ... This was the very first thing I did when I thought of MOM being able to use ... I tried network connection 3 ways - using the XP cd, ... than just simply turn sharing on or off. ... use the Network Connection Wizard in All Programs> Accessories ...
    (microsoft.public.windowsxp.print_fax)