IIS 6 and system's object namespace
- From: "Roger Abell [MVP]" <mvpnospam@xxxxxxx>
- Date: Fri, 26 Oct 2007 14:19:54 -0700
This is perhaps a bit extreme, but I wonder if anyone might have a hint on
this.
I have to support multiuser/multiowner webs in multiple sites on IIS 6,
which is no problem, except that they also require FPSE/Sharepoint
extensions. As we know, those extensions are lame when it comes to ACLing
content.
So, I have been exploring a new route for content isolation in order to
contain content authors from one another's content and in order to contain
the backend accounts from the areas of other backend accounts on which the
extensions plug grants to Network and Interactive.
In order to break the effect of the excessive grants I am exploring use of
not granting Bypass traverse checking to any of the browsing accounts
(restricted access webs), the authoring accounts, or the backend accounts
(read iusr*/iwam*). Doing this for the browsing, authoring, and iusr*
accounts is no problem. I have in place NTFS failure audit for any failure
by any account on any partition (system and/or content), and am running
clean.
But once Bypass traverse is taken away from the iwam* accounts, when an app
pool needs to spin up it fails.
The eventlog trace of this is:
- a sequence of 5 attempts to start the pool, each failing and recording in
system log
Warning from source W3SVC, category none EventID 1009
Message text is:
A process serving application pool 'EnpubPool' terminated unexpectedly. The
process id was '3440'. The process exit code was '0xffffffff'.
- simultaneous with each of these 5 messages is a failure message in
Application log
Error from W3SVC-WP, category none, EventID 2269
Message text is:
The worker process failed to initialize the http.sys communication or the
w3svc communication layer and therefore could not be started. The data field
contains the error number.
The data is access denied code 80070005
- these are followed by one system log message
Error from W3SVC, category none, EventID 1002
Message text is:
Application pool 'EnpubPool' is being automatically disabled due to a series
of failures in the process(es) serving that application pool.
Again, there are no failures recorded at the NTFS level.
I have used Sysinternals WinObj to set a grant to the iwam* account group of
List + Read Control on \Device\Http in the object namespace, as there were
grants to only System and Administrators (which by the way included a
"Special" that the Advanced view in WinObj does not illuminate, and which I
was not able to grant to the iwam* group). There is a grant on both higher
objects nodes to Everyone.
If I grant Bypass traverse check to the iwam* group all is fine.
So, there is a grant, I had assumed in the Windows object namespace, that is
missing.
In fact, until this I was not aware that Bypass traverse governed access
checks on other than NTFS, but it quite apparently does.
Anyone with any ideas as to where the missing grant might be, or how to
trace into this to find it?
I am not sure whether this new approach is less or more of a performance drag
than results from defining unique app pools for each web that is able to
dynamically alter server-side execution (the IIS 5 parallel to which was
not too bad, but IIS 6 is more heavyweight), and I recognize that the excess
empowerment of the Interactive and Network grants is only mostly, not
totally, nullified.
But at this point I am just trying to find from where the access denial
arises when Bypass traverse checking is taken away for the iwam* account
group.
Thanks for reading all that, by the way.
Roger
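As an added illustration (not part of the original post), the log sequence described above can be picked out automatically: correlate the W3SVC 1009 warnings and the W3SVC-WP 2269 errors per application pool, decode the 2269 data field as an HRESULT, and flag the pool once the 1002 "automatically disabled" message arrives. The event records below are constructed to mirror the quoted messages; the record shape (time, log, source, event id, message, data) is an assumption of this example, not a Windows export format.

```python
import re
from collections import defaultdict

FACILITY_WIN32 = 7       # HRESULT facility used for wrapped Win32 error codes
ERROR_ACCESS_DENIED = 5  # Win32 error 5

def decode_hresult(hr):
    """Split an HRESULT into (failed, facility, code) following its bit layout."""
    return bool(hr & 0x80000000), (hr >> 16) & 0x7FF, hr & 0xFFFF

def is_access_denied(data_hex):
    """True when the event data is 0x80070005, i.e. Win32 ERROR_ACCESS_DENIED as an HRESULT."""
    if not data_hex:
        return False
    failed, facility, code = decode_hresult(int(data_hex, 16))
    return failed and facility == FACILITY_WIN32 and code == ERROR_ACCESS_DENIED

POOL_RE = re.compile(r"application pool '([^']+)'", re.IGNORECASE)

def find_disabled_pools(events, window=2.0):
    """Correlate W3SVC 1009/1002 with W3SVC-WP 2269 records per application pool.

    events: iterable of (t_seconds, log, source, event_id, message, data_hex_or_None),
    a constructed record shape assumed for this example.
    """
    summary = defaultdict(lambda: {"crashes": 0, "access_denied_init": 0, "disabled": False})
    # 2269 carries no pool name, so pair it with the 1009 logged at (nearly) the same time
    init_failures = sorted((t, d) for t, _, src, eid, _, d in events if src == "W3SVC-WP" and eid == 2269)
    for t, _, src, eid, msg, _ in sorted(events, key=lambda e: e[0]):
        m = POOL_RE.search(msg)
        if src != "W3SVC" or not m:
            continue
        pool = m.group(1)
        if eid == 1009:
            summary[pool]["crashes"] += 1
            for i, (ft, data) in enumerate(init_failures):
                if abs(ft - t) <= window:          # one unmatched 2269 within the window
                    init_failures.pop(i)
                    summary[pool]["access_denied_init"] += int(is_access_denied(data))
                    break
        elif eid == 1002:
            summary[pool]["disabled"] = True
    return dict(summary)

# Constructed sample modelled on the sequence quoted in the post (not a real log export).
SAMPLE_EVENTS = []
for n in range(5):
    t = 30.0 * n
    SAMPLE_EVENTS.append((t, "System", "W3SVC", 1009, "A process serving application pool 'EnpubPool' terminated unexpectedly. The process exit code was '0xffffffff'.", None))
    SAMPLE_EVENTS.append((t + 0.5, "Application", "W3SVC-WP", 2269, "The worker process failed to initialize the http.sys communication or the w3svc communication layer and therefore could not be started.", "80070005"))
SAMPLE_EVENTS.append((121.0, "System", "W3SVC", 1002, "Application pool 'EnpubPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.", None))

if __name__ == "__main__":
    print(find_disabled_pools(SAMPLE_EVENTS))
```

A pool showing five access-denied initialisation failures followed by 1002, with no matching NTFS failure audit, points at a non-file-system object (as the post suspects for \Device\Http) rather than at content ACLs.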