Re: What would prevent an ISAPI extension from opening a socket on IIS 6?

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/09/04

  • Next message: David Wang [Msft]: "Re: IIS 6.0 NT Authorization problem, slow response" 
    Date: Mon, 8 Nov 2004 21:09:41 -0800

    Yeah, I can't think of anything else to check. I'm curious about the user
    identity that is executing the ISAPI Filter code and looking through
    secpol.msc to see if any privileges are missing relative to your working
    ones. 

    -- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"David Cordes" <David_Cordes@hotmail.com> wrote in message
news:c462028e.0411081028.6dd0be49@posting.google.com...
They are two ISAPI Filters each made by different company that makes a
network connection.  Both fail when they try to make that network
connection only on one customer's machine.  They both work on my
machine and many other customers' machines.
I am collecting the customer's application pool settings to see
whether they are in isolation mode and if not which identity they are
using.
However, I am not sure how a user account can be configured in such a
way as to make opening any network connection impossible.  Other
accounts can make network connections.  Did you have a particular
setting in mind?  I looked through the local security policy settings
for "Security Options" and confirmed that "Network access" settings
made sense when compared to my machine.
    --- David
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:<#26MP28wEHA.1296@TK2MSFTNGP10.phx.gbl>...
> Are you talking about an ISAPI Extension or an ISAPI Filter?
>
> ISAPI Filter on IIS6 would be running as process identity, which is either
> LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6
> Worker Process Isolation Mode.
>
> ISAPI Extension would be the impersonated identity, which is either the
> configured anonymous user if anonymous authentication, or likely to be the
> logged in browser user for any other authentication type.
>
> I'm not certain if Windows Server 2003 has decided to deny certain user
> identities access to Networking.  Are you saying that the Winsock call
works
> on your Windows Server 2003 but not your customer's?
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "David Cordes" <David_Cordes@hotmail.com> wrote in message
> news:c462028e.0411051531.5f7064a@posting.google.com...
> Problem
> =-=-=-=-
> I am working with a customer who has installed IIS 6.  They have
> installed two different products that communicate with other servers
> through ISAPI Filters.  In both products the ISAPI filters work
> correctly until they try to obtain a socket.
>
> Both of these programs are trying to communicate to different server
> process on the same machine with 127.0.0.1 as the address.  Both
> server processes show every indication of working.
>
> I suspect there is an IIS or Windows Server 2003 setting I am missing.
>
> Technical Details
> =-=--==-=--=-==-=-
> One of the products is Open Source so I was able to determine the
> exact line that gets called:
>
> socket(AF_INET, SOCK_STREAM, 0);
>
> The WinSock2 API using WSAGetLastError() indicates that permission is
> denied.
>
> The customer can use other programs (such as telnet) to obtain a
> socket, open a connection to the local server process.  The problem
> appears only to occur when running within IIS 6 with the IUSR account.
>
> Already Checked:
> =-=-=-=-=-=-=-=-
> - TCP/IP Filterting on the adaptor turned off.
> - Local security policy has not applied any of the ip policies and all
> network access user settings are identical to those on my Windows
> Server 2003 machine.
> - Customer indicates that no firewalls are running on this machine and
> since I am connecting via 127.0.0.1 an external firewall should not
> have any bearing here I would expect.  I also do not suspect a
> firewall, firewalls usually block communications but do not prevent a
> socket from even being obtained from the OS.
>
> Any suggestions are appreciated.  Thank you.
  • Next message: David Wang [Msft]: "Re: IIS 6.0 NT Authorization problem, slow response"

    Relevant Pages

    • Re: Basic Authentication fails with Error 401.2 where Integrated s
      ... culprits whenever IIS is not behaving the way it should. ... It sounds like the ISAPI Filter is doing one standard Custom ... back a HTML page that POSTs the username/password back to the server. ... Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL ...
      (microsoft.public.inetserver.iis.security)
    • Re: SSL blues
      ... ISAPI Filter for Web Trends enabled. ... I didn't see an IIS5 compatibility mode, but I did find "Isolation mode: ... > and it too returned the "Cannot find server or DNS error". ...
      (microsoft.public.inetserver.iis.security)
    • Re: What would prevent an ISAPI extension from opening a socket on IIS 6?
      ... Both fail when they try to make that network ... I looked through the local security policy settings ... >> Are you talking about an ISAPI Extension or an ISAPI Filter? ... >> on your Windows Server 2003 but not your customer's? ...
      (microsoft.public.inetserver.iis.security)
    • Re: What would prevent an ISAPI extension from opening a socket on IIS 6?
      ... Are you talking about an ISAPI Extension or an ISAPI Filter? ... I'm not certain if Windows Server 2003 has decided to deny certain user ... Customer indicates that no firewalls are running on this machine and ...
      (microsoft.public.inetserver.iis.security)
    • Re: Network drives - slow initial access
      ... Just to clarify the actual fix in this case, it was within Network control ... To think of all the settings I've changed on the server in the last month! ... And does this happen if an admin logs onto a workstation, ...
      (microsoft.public.windows.server.sbs)