|
|
You're in the
iis security
group:What would prevent an ISAPI extension from opening a socket on IIS 6?
iis security:
Problem
=-=-=-=- I am working with a customer who has installed IIS 6. They have installed two different products that communicate with other servers through ISAPI Filters. In both products the ISAPI filters work correctly until they try to obtain a socket. Both of these programs are trying to communicate to different server process on the same machine with 127.0.0.1 as the address. Both server processes show every indication of working. I suspect there is an IIS or Windows Server 2003 setting I am missing. Technical Details =-=--==-=--=-==-=- One of the products is Open Source so I was able to determine the exact line that gets called: socket(AF_INET, SOCK_STREAM, 0); The WinSock2 API using WSAGetLastError() indicates that permission is denied. The customer can use other programs (such as telnet) to obtain a socket, open a connection to the local server process. The problem appears only to occur when running within IIS 6 with the IUSR account. Already Checked: =-=-=-=-=-=-=-=- - TCP/IP Filterting on the adaptor turned off. - Local security policy has not applied any of the ip policies and all network access user settings are identical to those on my Windows Server 2003 machine. - Customer indicates that no firewalls are running on this machine and since I am connecting via 127.0.0.1 an external firewall should not have any bearing here I would expect. I also do not suspect a firewall, firewalls usually block communications but do not prevent a socket from even being obtained from the OS.
Are you talking about an ISAPI Extension or an ISAPI Filter?
ISAPI Filter on IIS6 would be running as process identity, which is either LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6 Worker Process Isolation Mode. ISAPI Extension would be the impersonated identity, which is either the configured anonymous user if anonymous authentication, or likely to be the logged in browser user for any other authentication type. I'm not certain if Windows Server 2003 has decided to deny certain user identities access to Networking. Are you saying that the Winsock call works on your Windows Server 2003 but not your customer's? -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "David Cordes" <David_Cordes@hotmail.com> wrote in message Problemnews:c462028e.0411051531.5f7064a@posting.google.com... =-=-=-=- I am working with a customer who has installed IIS 6. They have installed two different products that communicate with other servers through ISAPI Filters. In both products the ISAPI filters work correctly until they try to obtain a socket. Both of these programs are trying to communicate to different server process on the same machine with 127.0.0.1 as the address. Both server processes show every indication of working. I suspect there is an IIS or Windows Server 2003 setting I am missing. Technical Details =-=--==-=--=-==-=- One of the products is Open Source so I was able to determine the exact line that gets called: socket(AF_INET, SOCK_STREAM, 0); The WinSock2 API using WSAGetLastError() indicates that permission is denied. The customer can use other programs (such as telnet) to obtain a socket, open a connection to the local server process. The problem appears only to occur when running within IIS 6 with the IUSR account. Already Checked: =-=-=-=-=-=-=-=- - TCP/IP Filterting on the adaptor turned off. - Local security policy has not applied any of the ip policies and all network access user settings are identical to those on my Windows Server 2003 machine. - Customer indicates that no firewalls are running on this machine and since I am connecting via 127.0.0.1 an external firewall should not have any bearing here I would expect. I also do not suspect a firewall, firewalls usually block communications but do not prevent a socket from even being obtained from the OS. Any suggestions are appreciated. Thank you.
They are two ISAPI Filters each made by different company that makes a
network connection. Both fail when they try to make that network connection only on one customer's machine. They both work on my machine and many other customers' machines. I am collecting the customer's application pool settings to see whether they are in isolation mode and if not which identity they are using. However, I am not sure how a user account can be configured in such a way as to make opening any network connection impossible. Other accounts can make network connections. Did you have a particular setting in mind? I looked through the local security policy settings for "Security Options" and confirmed that "Network access" settings made sense when compared to my machine. --- David [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<#26MP28wEHA.1296@TK2MSFTNGP10.phx.gbl>...
> Are you talking about an ISAPI Extension or an ISAPI Filter? > > ISAPI Filter on IIS6 would be running as process identity, which is either > LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6 > Worker Process Isolation Mode. > > ISAPI Extension would be the impersonated identity, which is either the > configured anonymous user if anonymous authentication, or likely to be the > logged in browser user for any other authentication type. > > I'm not certain if Windows Server 2003 has decided to deny certain user > identities access to Networking. Are you saying that the Winsock call works > on your Windows Server 2003 but not your customer's? > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "David Cordes" <David_Cordes@hotmail.com> wrote in message > news:c462028e.0411051531.5f7064a@posting.google.com... > Problem > =-=-=-=- > I am working with a customer who has installed IIS 6. They have > installed two different products that communicate with other servers > through ISAPI Filters. In both products the ISAPI filters work > correctly until they try to obtain a socket. > > Both of these programs are trying to communicate to different server > process on the same machine with 127.0.0.1 as the address. Both > server processes show every indication of working. > > I suspect there is an IIS or Windows Server 2003 setting I am missing. > > Technical Details > =-=--==-=--=-==-=- > One of the products is Open Source so I was able to determine the > exact line that gets called: > > socket(AF_INET, SOCK_STREAM, 0); > > The WinSock2 API using WSAGetLastError() indicates that permission is > denied. > > The customer can use other programs (such as telnet) to obtain a > socket, open a connection to the local server process. The problem > appears only to occur when running within IIS 6 with the IUSR account. > > Already Checked: > =-=-=-=-=-=-=-=- > - TCP/IP Filterting on the adaptor turned off. > - Local security policy has not applied any of the ip policies and all > network access user settings are identical to those on my Windows > Server 2003 machine. > - Customer indicates that no firewalls are running on this machine and > since I am connecting via 127.0.0.1 an external firewall should not > have any bearing here I would expect. I also do not suspect a > firewall, firewalls usually block communications but do not prevent a > socket from even being obtained from the OS. >
Yeah, I can't think of anything else to check. I'm curious about the user
identity that is executing the ISAPI Filter code and looking through secpol.msc to see if any privileges are missing relative to your working ones. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "David Cordes" <David_Cordes@hotmail.com> wrote in message They are two ISAPI Filters each made by different company that makes anews:c462028e.0411081028.6dd0be49@posting.google.com... network connection. Both fail when they try to make that network connection only on one customer's machine. They both work on my machine and many other customers' machines. I am collecting the customer's application pool settings to see whether they are in isolation mode and if not which identity they are using. However, I am not sure how a user account can be configured in such a way as to make opening any network connection impossible. Other accounts can make network connections. Did you have a particular setting in mind? I looked through the local security policy settings for "Security Options" and confirmed that "Network access" settings made sense when compared to my machine. --- David [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<#26MP28wEHA.1296@TK2MSFTNGP10.phx.gbl>... > Are you talking about an ISAPI Extension or an ISAPI Filter? > > ISAPI Filter on IIS6 would be running as process identity, which is either > LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6 > Worker Process Isolation Mode. > > ISAPI Extension would be the impersonated identity, which is either the > configured anonymous user if anonymous authentication, or likely to be the > logged in browser user for any other authentication type. > > I'm not certain if Windows Server 2003 has decided to deny certain user > identities access to Networking. Are you saying that the Winsock call works > on your Windows Server 2003 but not your customer's? > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "David Cordes" <David_Cordes@hotmail.com> wrote in message > news:c462028e.0411051531.5f7064a@posting.google.com... > Problem > =-=-=-=- > I am working with a customer who has installed IIS 6. They have > installed two different products that communicate with other servers > through ISAPI Filters. In both products the ISAPI filters work > correctly until they try to obtain a socket. > > Both of these programs are trying to communicate to different server > process on the same machine with 127.0.0.1 as the address. Both > server processes show every indication of working. > > I suspect there is an IIS or Windows Server 2003 setting I am missing. > > Technical Details > =-=--==-=--=-==-=- > One of the products is Open Source so I was able to determine the > exact line that gets called: > > socket(AF_INET, SOCK_STREAM, 0); > > The WinSock2 API using WSAGetLastError() indicates that permission is > denied. > > The customer can use other programs (such as telnet) to obtain a > socket, open a connection to the local server process. The problem > appears only to occur when running within IIS 6 with the IUSR account. > > Already Checked: > =-=-=-=-=-=-=-=- > - TCP/IP Filterting on the adaptor turned off. > - Local security policy has not applied any of the ip policies and all > network access user settings are identical to those on my Windows > Server 2003 machine. > - Customer indicates that no firewalls are running on this machine and > since I am connecting via 127.0.0.1 an external firewall should not > have any bearing here I would expect. I also do not suspect a > firewall, firewalls usually block communications but do not prevent a > socket from even being obtained from the OS. > > Any suggestions are appreciated. Thank you.
Sadly we may never find out :-) The customer tried a re-installation
of IIS which didn't work, but then re-installed the OS and the problem vanished. --- David [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<ujYfVvhxEHA.3968@TK2MSFTNGP10.phx.gbl>...
> Yeah, I can't think of anything else to check. I'm curious about the user > identity that is executing the ISAPI Filter code and looking through > secpol.msc to see if any privileges are missing relative to your working > ones. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "David Cordes" <David_Cordes@hotmail.com> wrote in message > news:c462028e.0411081028.6dd0be49@posting.google.com... > They are two ISAPI Filters each made by different company that makes a > network connection. Both fail when they try to make that network > connection only on one customer's machine. They both work on my > machine and many other customers' machines. > > I am collecting the customer's application pool settings to see > whether they are in isolation mode and if not which identity they are > using. > > However, I am not sure how a user account can be configured in such a > way as to make opening any network connection impossible. Other > accounts can make network connections. Did you have a particular > setting in mind? I looked through the local security policy settings > for "Security Options" and confirmed that "Network access" settings > made sense when compared to my machine. > > --- David > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:<#26MP28wEHA.1296@TK2MSFTNGP10.phx.gbl>... > > Are you talking about an ISAPI Extension or an ISAPI Filter? > > > > ISAPI Filter on IIS6 would be running as process identity, which is either > > LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6 > > Worker Process Isolation Mode. > > > > ISAPI Extension would be the impersonated identity, which is either the > > configured anonymous user if anonymous authentication, or likely to be the > > logged in browser user for any other authentication type. > > > > I'm not certain if Windows Server 2003 has decided to deny certain user > > identities access to Networking. Are you saying that the Winsock call > works > > on your Windows Server 2003 but not your customer's? > > > > -- > > //David > > IIS > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > // > > "David Cordes" <David_Cordes@hotmail.com> wrote in message > > news:c462028e.0411051531.5f7064a@posting.google.com... > > Problem > > =-=-=-=- > > I am working with a customer who has installed IIS 6. They have > > installed two different products that communicate with other servers > > through ISAPI Filters. In both products the ISAPI filters work > > correctly until they try to obtain a socket. > > > > Both of these programs are trying to communicate to different server > > process on the same machine with 127.0.0.1 as the address. Both > > server processes show every indication of working. > > > > I suspect there is an IIS or Windows Server 2003 setting I am missing. > > > > Technical Details > > =-=--==-=--=-==-=- > > One of the products is Open Source so I was able to determine the > > exact line that gets called: > > > > socket(AF_INET, SOCK_STREAM, 0); > > > > The WinSock2 API using WSAGetLastError() indicates that permission is > > denied. > > > > The customer can use other programs (such as telnet) to obtain a > > socket, open a connection to the local server process. The problem > > appears only to occur when running within IIS 6 with the IUSR account. > > > > Already Checked: > > =-=-=-=-=-=-=-=- > > - TCP/IP Filterting on the adaptor turned off. > > - Local security policy has not applied any of the ip policies and all > > network access user settings are identical to those on my Windows > > Server 2003 machine. > > - Customer indicates that no firewalls are running on this machine and > > since I am connecting via 127.0.0.1 an external firewall should not > > have any bearing here I would expect. I also do not suspect a > > firewall, firewalls usually block communications but do not prevent a > > socket from even being obtained from the OS. > >
Well, I'm happy that the problem was "solved", though I tend to like knowing
why it worked vs the fact it did. Though I totally understand from a business perspective, one values the fact that something works and not necessarily why/how. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "David Cordes" <David_Cordes@hotmail.com> wrote in message Sadly we may never find out :-) The customer tried a re-installationnews:c462028e.0411091543.f45c743@posting.google.com... of IIS which didn't work, but then re-installed the OS and the problem vanished. --- David [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<ujYfVvhxEHA.3968@TK2MSFTNGP10.phx.gbl>... > Yeah, I can't think of anything else to check. I'm curious about the user > identity that is executing the ISAPI Filter code and looking through > secpol.msc to see if any privileges are missing relative to your working > ones. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "David Cordes" <David_Cordes@hotmail.com> wrote in message > news:c462028e.0411081028.6dd0be49@posting.google.com... > They are two ISAPI Filters each made by different company that makes a > network connection. Both fail when they try to make that network > connection only on one customer's machine. They both work on my > machine and many other customers' machines. > > I am collecting the customer's application pool settings to see > whether they are in isolation mode and if not which identity they are > using. > > However, I am not sure how a user account can be configured in such a > way as to make opening any network connection impossible. Other > accounts can make network connections. Did you have a particular > setting in mind? I looked through the local security policy settings > for "Security Options" and confirmed that "Network access" settings > made sense when compared to my machine. > > --- David > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:<#26MP28wEHA.1296@TK2MSFTNGP10.phx.gbl>... > > Are you talking about an ISAPI Extension or an ISAPI Filter? > > > > ISAPI Filter on IIS6 would be running as process identity, which is either > > LocalSystem in IIS5 Compatibility Mode or the AppPool Identity in IIS6 > > Worker Process Isolation Mode. > > > > ISAPI Extension would be the impersonated identity, which is either the > > configured anonymous user if anonymous authentication, or likely to be the > > logged in browser user for any other authentication type. > > > > I'm not certain if Windows Server 2003 has decided to deny certain user > > identities access to Networking. Are you saying that the Winsock call > works > > on your Windows Server 2003 but not your customer's? > > > > -- > > //David > > IIS > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > // > > "David Cordes" <David_Cordes@hotmail.com> wrote in message > > news:c462028e.0411051531.5f7064a@posting.google.com... > > Problem > > =-=-=-=- > > I am working with a customer who has installed IIS 6. They have > > installed two different products that communicate with other servers > > through ISAPI Filters. In both products the ISAPI filters work > > correctly until they try to obtain a socket. > > > > Both of these programs are trying to communicate to different server > > process on the same machine with 127.0.0.1 as the address. Both > > server processes show every indication of working. > > > > I suspect there is an IIS or Windows Server 2003 setting I am missing. > > > > Technical Details > > =-=--==-=--=-==-=- > > One of the products is Open Source so I was able to determine the > > exact line that gets called: > > > > socket(AF_INET, SOCK_STREAM, 0); > > > > The WinSock2 API using WSAGetLastError() indicates that permission is > > denied. > > > > The customer can use other programs (such as telnet) to obtain a > > socket, open a connection to the local server process. The problem > > appears only to occur when running within IIS 6 with the IUSR account. > > > > Already Checked: > > =-=-=-=-=-=-=-=- > > - TCP/IP Filterting on the adaptor turned off. > > - Local security policy has not applied any of the ip policies and all > > network access user settings are identical to those on my Windows > > Server 2003 machine. > > - Customer indicates that no firewalls are running on this machine and > > since I am connecting via 127.0.0.1 an external firewall should not > > have any bearing here I would expect. I also do not suspect a > > firewall, firewalls usually block communications but do not prevent a > > socket from even being obtained from the OS. > > > > Any suggestions are appreciated. Thank you.
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |