Re: Problems with authenticated users accessing asp's

From: Joe Iano (jiano_at__removethis_amphioncom.com)
Date: 05/25/05


Date: Wed, 25 May 2005 13:56:13 -0700

We have a separate directory for log files. The asp user account has ntfs
modify permissions. But in IIS we have disabled anonymous access to this
directory, so the asp user cannot browse there. Only administrative users
can log in and view log files. We also have directory browsing enabled in
IIS for this directory.

"Gavin" <gavin@dont.spam.me.com> wrote in message
news:00A48739-6B05-4D77-9068-1E83ED19CDA5@microsoft.com...
> As far as I can tell, I don't have a web.config, so I would guess I don't
> have impersonation turned on.
>
> As a test, I've granted write access on the file and directory to
> 'telem\domain users' and it all springs to life, so it would seem as if the
> write is being executed as the authenticated user. The simplest solution
> seems to be to move the log file to a directory where I don't mind granting
> write access. Is this the best solution? Any risks?
>
> Regards
> Gavin
>
>
> "Duane Laflotte" wrote:
>
> > Good question. So unless impersonation is turned on in the web.config
> > then you are doing any external IO from .Net (read/write files etc) as
> > the ASPNET user (or more accurately as the user that is running the ASPNET
> > worker process). So even if the site is NT auth and the user logs in, the
> > actual file access for read and write is as the aspnet account.
> > (It's always a neat demo to deny a user access to a file that is being read
> > with the System.IO classes and then see that user log into the web
> > application and still get access to that file, proving this point.)
> >
> > However, there is a difference in the account that runs the processes
> > between Windows 2003 and the rest of the .Net running OS's. 2003 actually
> > uses a lower privilege no net access account whereas Windows 2000 would use
> > the normal ASPNET account. So this may be where you are seeing the
> > difference.
> >
> > Hope this Helps,
> >
> > --
> > Duane Laflotte
> > MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I
> > dlaflotte@criticalsites.com
> > http://www.criticalsites.com/dlaflotte
> >
> > "Gavin" <gavin@dont.spam.me.com> wrote in message
> > news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com...
> > >
> > > I have IIS serving static content and asp's from IIS6 on Win2003 Server.
> > > The site uses Integrated Security with the server on a 2003 server domain.
> > > Clients are on a different domain and enter login information in the
> > > browser pop-up.
> > > The behaviour I get is as follows ..
> > >
> > > - All domain users can access html files.
> > > - A user I've added to the Administrators group on the web server can use
> > > the site without trouble - all other users are given a 500 response to
> > > attempts to access asp's and in the log file I get a permission denied
> > > error.
> > >
> > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 500 0 0 409
> > >
> > > - If I drop the site back to anonymous login all works fine.
> > >
> > > There is obviously a simple setting I'm missing, and am hoping someone
> > > will be able to point me at it.
> > > I've tried adding 'telem\Domain Users' (where telem is the webserver's
> > > domain) to a number of the local security settings (including 'Access this
> > > computer from the network'). Is there a definitive list of which are
> > > required - I've added 'telem\Domain Users' to all entries that have
> > > 'IUSR_servername' and even 'IIS_WPG' out of desperation. Any other thoughts?
> > >
> > > Regards
> > > Gavin
> > >
> >
> >
> >


