| Groups | Blog | Home |
dotnet web services : User Security?
Hello,
I have created a web service name "TestWS" and published it to my SBS2003 server that uses IIS6 as a web server. I have set NO anonymous access to TestWS virtual directory and I have created a simple user account from the User template with the name of "MyUser". Problem is that I can't login to \TestWS\Service1.asmx with MyUser account unless I give that user Administrator permission. How can I login to my \TestWS\Service1.asmx with "MyUser" account without giving it Administrator permissions? Thanks in advanced, Asaf
Hello Asaf,
Thank you for posting in the MSDN newsgroup. From your description, you're developing an ASP.NET webservice which hosted in IIS. Recently, you've publshed it onto a SBS 2003 server (IIS6), and configure it to deny anonymous access. However, you found that you can not make a custom user (newly created one) successfully access the webservice, correct? As for this issue, I would like to confirm some further things in your application and the problem environment: 1. What's the authentication type setting in your webservice's IIS virtual directory, is it basic or intergrated windows? Also, what's the webservice application's application pool identity in IIS. 2. What's the authentication setting you configured for your ASP.NET webservice application in the web.config , also have you used impersonate in your webservice (through the <identity impersonate=xxx /> element in web.config) ? 3. Currently how are you accessing the webservice(through webbrowser or client proxy code in client application built through .net framework)? 4. What's the error message or detaile behavior you get when you failed to access the webservice through your custom non-admin account? When you access webservice in IIS (deny anonymous access), the webbrowser (IE) will help you supply user credential to the service, while when we use code proxy to programmtically call webservice memthods, we need to programmaticaly set the credential (if we don't want to use the default security context of the client program). Also, at server-side, whether the ASP.NET appliation is impersonated also affect the appliation's behavior since when ASP.NET is configured as impersonate=true, it will use the client authenticated user identity(from IIS) to access any restriected resource which may cause error when that user doesn't have sufficient permission. Anyway, please feel free to let me know if you have any other finding or there is anything I've missed here. Sincerely, Steven Cheng Microsoft MSDN Online Support Lead ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx. ==================================================
Hello Steven,
Thanks for your reply. 1. The authentication is "Integrated Windows Authentication". 2. Application Pool Identity is set to "Predefined" on "Network Service". 3. At web.config file only "<authentication mode="Windows" />" is set for authentication. 4. Currently I am trying to access the web service thru IE6. 5. The error I receive when trying to access from IE6 is: Access is denied. Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources. Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access. 6. When I am setting the user to be a part of *Administrator* group I am able to access successfully to the web service. Kind Regards, Asaf [quoted text, click to view] "Steven Cheng[MSFT]" wrote:
> Hello Asaf, > > Thank you for posting in the MSDN newsgroup. > > From your description, you're developing an ASP.NET webservice which hosted > in IIS. Recently, you've publshed it onto a SBS 2003 server (IIS6), and > configure it to deny anonymous access. However, you found that you can not > make a custom user (newly created one) successfully access the webservice, > correct? > > As for this issue, I would like to confirm some further things in your > application and the problem environment: > > 1. What's the authentication type setting in your webservice's IIS virtual > directory, is it basic or intergrated windows? Also, what's the webservice > application's application pool identity in IIS. > > 2. What's the authentication setting you configured for your ASP.NET > webservice application in the web.config , also have you used impersonate > in your webservice (through the <identity impersonate=xxx /> element in > web.config) ? > > 3. Currently how are you accessing the webservice(through webbrowser or > client proxy code in client application built through .net framework)? > > 4. What's the error message or detaile behavior you get when you failed to > access the webservice through your custom non-admin account? > > When you access webservice in IIS (deny anonymous access), the webbrowser > (IE) will help you supply user credential to the service, while when we use > code proxy to programmtically call webservice memthods, we need to > programmaticaly set the credential (if we don't want to use the default > security context of the client program). Also, at server-side, whether > the ASP.NET appliation is impersonated also affect the appliation's > behavior since when ASP.NET is configured as impersonate=true, it will use > the client authenticated user identity(from IIS) to access any restriected > resource which may cause error when that user doesn't have sufficient > permission. > > Anyway, please feel free to let me know if you have any other finding or > there is anything I've missed here. > > Sincerely, > > Steven Cheng > > Microsoft MSDN Online Support Lead > > > > ================================================== > > Get notification to my posts through email? Please refer to > > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif > ications. > > > > Note: The MSDN Managed Newsgroup support offering is for non-urgent issues > where an initial > > response from the community or a Microsoft Support Engineer within 1 > business day is > > acceptable. Please note that each follow up response may take approximately > 2 business days > > as the support professional working with you may need further investigation > to reach the > > most efficient resolution. The offering is not appropriate for situations > that require > > urgent, real-time or phone-based interactions or complex project analysis > and dump analysis > > issues. Issues of this nature are best handled working with a dedicated > Microsoft Support > > Engineer by contacting Microsoft Customer Support Services (CSS) at > > http://msdn.microsoft.com/subscriptions/support/default.aspx. > > ================================================== > > >
Thanks for your quick response Asaf,
Now I get that you're using the IE browser to visit the asmx page and the server gave you 401.3 error when the custom user try visiting the page. Based on my experience, this is a typical NTFS permission as the below message indicates: ========================= Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access. ========================= When you use "integrated windows authentication" and deny anonymous access in IIS, the client will be forced to provide a valid user identity(recognizable at server). And this identity will be forwarded from IIS to ASP.NET runtime, if the ASP.NET application is using "Windows" authentication(in web.config), it will use is security identity (from IIS) as the HttpContext.Current.User.Identity, also ASP.NET by default will perform NTFS file permision checking against this security identity for the file (aspx or asmx ) the client is requesting... Therefore, the problem here is whether that custom account has sufficient permission(NTFS) to access that asmx file(read permission is enough). Based on my local test, if your web application is created under the IIS default site (under c:\inetpub\wwwroot), the machine\users group should have the read permission to it automatically. Is your webservice application's folder put in an external directory/drive on the server machine? Anyway, you can check your webservice application's directory's NTFS security setting (grant the custom account sufficient permision to your webservice's application dir or that certain asmx file). Hope this helps. If there is anything unclear or if you still meet any problem, please feel free to let me know. Sincerely, Steven Cheng Microsoft MSDN Online Support Lead
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |