iis security:
[quoted text, click to view] "CJM" <cjmnews04@newsgroups.nospam> wrote in message
news:e64y6AvpEHA.2104@TK2MSFTNGP10.phx.gbl...
>I have an ASP application, and for the first time I'm trying to use Windows
> Authentication.
>
> I have it working on my development machine (XP/IIS5.1), ie if I call the
> authentication page from my machine it *seems* to work.
>
> However, when I copied the pages to my development server, and tired call
> the page from machine it didn't - The LOGON_USER string was blank.
>
> If I look at the ALL_HTTP server variable I can see a 'HTTP_AUTHORIZATION'
> section on my machine, but not on the server; I'm guessing this is
> relevant
> in some way.
>
> I've just tried calling the page on my machine from the server it came up
> with a different error, which I suspect is a permissions issue, but the
> 'HTTP_AUTHORIZATION' section was present in ALL_HTTP.
>
> Why is the logged on user not detected by the IIS6 server?
Most likely because your web site allows anonymous access. IIS 6 Documentation http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/gs_authentication.asp HOW TO: Configure IIS Web Site Authentication in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;324274 HOW TO: Configure Internet Information Services Web Authentication in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;324276 -- Tom Kaminski IIS MVP http://www.microsoft.com/windowsserver2003/community/centers/iis/ http://mvp.support.microsoft.com/ http://www.iisfaq.com/ http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS http://www.tryiis.com
I have an ASP application, and for the first time I'm trying to use Windows
Authentication.
I have it working on my development machine (XP/IIS5.1), ie if I call the
authentication page from my machine it *seems* to work.
However, when I copied the pages to my development server, and tired call
the page from machine it didn't - The LOGON_USER string was blank.
If I look at the ALL_HTTP server variable I can see a 'HTTP_AUTHORIZATION'
section on my machine, but not on the server; I'm guessing this is relevant
in some way.
I've just tried calling the page on my machine from the server it came up
with a different error, which I suspect is a permissions issue, but the
'HTTP_AUTHORIZATION' section was present in ALL_HTTP.
Why is the logged on user not detected by the IIS6 server?
Thanks in advance.
Chris
[quoted text, click to view] "CJM" <cjmnews04@newsgroups.nospam> wrote in message
news:OLKIpawpEHA.800@TK2MSFTNGP14.phx.gbl...
> Tom,
>
> I've realised the problem I had still exists... of sorts.
>
> If I give the Everyone group read/execute access, the LOGON_USER is blank.
> If I remove the Everyone permissions, the LOGON_USER is populated
> correctly.
>
> I want all users to be able access the application, but only restricted
> users to be able to do special tasks, which include creating and modifying
> files on the server. Therefore, as understand it, I need to give Everyone
> read/execute permissions, and members of the restricted group have modify
> rights.
>
> So where am I going wrong?
Give everyone NTFS permissions, but remove anonymous access from the IIS MMC. -- Tom Kaminski IIS MVP http://www.microsoft.com/windowsserver2003/community/centers/iis/ http://mvp.support.microsoft.com/ http://www.iisfaq.com/ http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS http://www.tryiis.com
Tom,
While waiting for a response, I've had another look at the configuration.
Only IWA was ever enabled, but there were lots of inherited permissions that
were muddying the water, so I've removed them all - only members of a
particular domain now have [full] permissions.
I'm not sure why, but in doing this I seemed to have fixed the problem; I
know it doesnt make sense, but I can assure that only IWA was previously
enabled.
I have another problem now, but since I'm going to cross-post with an ASP
NG, I'm going to create a new post.
Thanks for your help.
Chris
Tom,
I've realised the problem I had still exists... of sorts.
If I give the Everyone group read/execute access, the LOGON_USER is blank.
If I remove the Everyone permissions, the LOGON_USER is populated correctly.
I want all users to be able access the application, but only restricted
users to be able to do special tasks, which include creating and modifying
files on the server. Therefore, as understand it, I need to give Everyone
read/execute permissions, and members of the restricted group have modify
rights.
So where am I going wrong?
Thanks
Chris
Hi Chris, I've replied in your another cross thread. Best regards, WenJun Zhang Microsoft Online Support This posting is provided "AS IS" with no warranties, and confers no rights. Get Secure! - www.microsoft.com/security
Don't see what you're looking for? Try a search.
|
