Re: ASP Authentication on IIS 6.0 Windows 2003 Server 32bit help please

On Nov 6, 11:27 pm, Victag <miketagg...@xxxxxxxxx> wrote:
Can anyone clarify for me how the different permissions come into play
when an ASP page is executed in IIS?  My goal is to have an intranet
site that requires a user to enter their domain account to access the
pages, but I would like the pages themselves to run using the
credentials of another account that has access to perform the tasks in
the ASP script code (access a database, run local cmd.exe commands).
So far I have made it work by creating a new application pool that
uses Local System and allowing anonymous access to the pages, which is
granted using a domain account that has access to the DB and is a
local admin.  Unfortunately this allows anyone access to the page. If
I change the page to require the user to logon, the query to the
remote database works fine, but users get access denied errors when
code runs to execute the wscript.shell objects .run method on the
local IIS server unless I also make their account a local admin on the
IIS server.  Obviously IIS is using thier credentials instead of the
ones provided for anonymous access.

In your web.config, impersonate=false should do the trick. But like
David Wang suggests, you will still have to do some authorization
based on the user identity, correct? Setting up the VDIR to require
authentication is good, but that will let anyone in. You can use
asp.net roles to protect each page based on a role and most people
find this solution satisfactory.

BTW, why do you want intranet users to have to enter their account?
You should use Windows Integrated Auth and allow the authentication to
be seemless unless you have some kind of kiosk scenario.

Another BTW, you should use Network Service instead of Local System
for your app pool identity.

HTH,
Dave
.

Relevant Pages

  • Re: Domain could not be contacted problem
    ... > can either make the process run under a domain account, ... > To impersonate a domain account, you generally do this by enabling ... > impersonating the authenticated user in IIS. ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • Re: Domain could not be contacted problem
    ... > can either make the process run under a domain account, ... > To impersonate a domain account, you generally do this by enabling ... > impersonating the authenticated user in IIS. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: SOME Users cannot access OWA others do, error HTTP 500
    ... I understand that some account access OWA ... IIS 6.0 compression corruption causes access violations ... compressed copy of the affected files on the SBS server: ...
    (microsoft.public.windows.server.sbs)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... On the IIS directory security tab, anonymous access is disabled, digest ... authentication is disabled, integrated authentication is disabled and basic ... account created has full permissions for the folder and the file that's in it. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?
    ... But isn't the COM object running under the ... The COM object can be running under the impersonated account, ... example, even if IIS launched the COM object with the impersonated user, the ... It will now be using "TestService" identity. ...
    (microsoft.public.inetserver.iis)