Re: What would prevent an ISAPI extension from opening a socket on IIS 6?
From: David Cordes (David_Cordes_at_hotmail.com)
Date: 11/10/04
- Next message: Bernard: "Re: Trust a cert and cert purpose"
- Previous message: Wade A. Hilmo [MS]: "Re: DenyUrlSequences"
- In reply to: David Wang [Msft]: "Re: What would prevent an ISAPI extension from opening a socket on IIS 6?"
- Next in thread: David Wang [Msft]: "Re: What would prevent an ISAPI extension from opening a socket on IIS 6?"
- Reply: David Wang [Msft]: "Re: What would prevent an ISAPI extension from opening a socket on IIS 6?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 9 Nov 2004 15:43:08 -0800
Sadly we may never find out :-) The customer tried a re-installation
of IIS which didn't work, but then re-installed the OS and the problem
vanished.
--- David
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<ujYfVvhxEHA.3968@TK2MSFTNGP10.phx.gbl>...
> Yeah, I can't think of anything else to check. I'm curious about the user
> identity that is executing the ISAPI Filter code and looking through
> secpol.msc to see if any privileges are missing relative to your working
> ones.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "David Cordes" <David_Cordes@hotmail.com> wrote in message
> news:c462028e.0411081028.6dd0be49@posting.google.com...
> They are two ISAPI Filters each made by different company that makes a
> network connection. Both fail when they try to make that network
> connection only on one customer's machine. They both work on my
> machine and many other customers' machines.
>
> I am collecting the customer's application pool settings to see
> whether they are in isolation mode and if not which identity they are
> using.
>
> However, I am not sure how a user account can be configured in such a
> way as to make opening any network connection impossible. Other
> accounts can make network connections. Did you have a particular
> setting in mind? I looked through the local security policy settings
> for "Security Options" and confirmed that "Network access" settings
> made sense when compared to my machine.
>
> --- David
>
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:<#26MP28wEHA.1296@TK2MSFTNGP10.phx.gbl>...
> > Are you talking about an ISAPI Extension or an ISAPI Filter?
> >
> > ISAPI Filter on IIS6 would be running as process identity, which is either
> > LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6
> > Worker Process Isolation Mode.
> >
> > ISAPI Extension would be the impersonated identity, which is either the
> > configured anonymous user if anonymous authentication, or likely to be the
> > logged in browser user for any other authentication type.
> >
> > I'm not certain if Windows Server 2003 has decided to deny certain user
> > identities access to Networking. Are you saying that the Winsock call
> works
> > on your Windows Server 2003 but not your customer's?
> >
> > --
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > //
> > "David Cordes" <David_Cordes@hotmail.com> wrote in message
> > news:c462028e.0411051531.5f7064a@posting.google.com...
> > Problem
> > =-=-=-=-
> > I am working with a customer who has installed IIS 6. They have
> > installed two different products that communicate with other servers
> > through ISAPI Filters. In both products the ISAPI filters work
> > correctly until they try to obtain a socket.
> >
> > Both of these programs are trying to communicate to different server
> > process on the same machine with 127.0.0.1 as the address. Both
> > server processes show every indication of working.
> >
> > I suspect there is an IIS or Windows Server 2003 setting I am missing.
> >
> > Technical Details
> > =-=--==-=--=-==-=-
> > One of the products is Open Source so I was able to determine the
> > exact line that gets called:
> >
> > socket(AF_INET, SOCK_STREAM, 0);
> >
> > The WinSock2 API using WSAGetLastError() indicates that permission is
> > denied.
> >
> > The customer can use other programs (such as telnet) to obtain a
> > socket, open a connection to the local server process. The problem
> > appears only to occur when running within IIS 6 with the IUSR account.
> >
> > Already Checked:
> > =-=-=-=-=-=-=-=-
> > - TCP/IP Filterting on the adaptor turned off.
> > - Local security policy has not applied any of the ip policies and all
> > network access user settings are identical to those on my Windows
> > Server 2003 machine.
> > - Customer indicates that no firewalls are running on this machine and
> > since I am connecting via 127.0.0.1 an external firewall should not
> > have any bearing here I would expect. I also do not suspect a
> > firewall, firewalls usually block communications but do not prevent a
> > socket from even being obtained from the OS.
> >
> > Any suggestions are appreciated. Thank you.
- Next message: Bernard: "Re: Trust a cert and cert purpose"
- Previous message: Wade A. Hilmo [MS]: "Re: DenyUrlSequences"
- In reply to: David Wang [Msft]: "Re: What would prevent an ISAPI extension from opening a socket on IIS 6?"
- Next in thread: David Wang [Msft]: "Re: What would prevent an ISAPI extension from opening a socket on IIS 6?"
- Reply: David Wang [Msft]: "Re: What would prevent an ISAPI extension from opening a socket on IIS 6?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
