iis security : Looking for an article on identities used in IIS 6.0 web applicati

Chris Cichocki
10/20/2005 8:09:05 AM
I'm looking for an article that would explain the request processing that
goes on in IIS 6.0. For example, when a request is received, it starts a new
process by running w3wp.exe and it is started with the identity specified in
the Application Pool settings. But then if you request a file, the file is
requested with the identity of either the anonymous user specified in the
Directory Security configuration of the virtual directory, or with the user's
Windows identity if Windows Authentication is checked (and the resource is
not accessible to the anonymous user). The result is that you need to grant
permission to BOTH the identity running w3wp.exe AND the identity in the
HTTPContext object.

I've found bits and pieces of this explained by various documents, but I'm
wondering if there is a single document that explains all this from start to
finish.

Thanks!
Tom Kaminski [MVP]
10/20/2005 4:49:26 PM

Are you talking about ASP.NET? Does this do it?
http://support.microsoft.com/default.aspx?scid=kb;en-us;317012

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

v-wdxu NO[at]SPAM online.microsoft.com
10/21/2005 4:52:52 AM
Hi Chris,

Tom has suggested a very good article on this topic in ASP.net.
Furthermore, I'd also suggest the article "Web Site Authentication" in IIS
online help; it contains all the information about the IIS6 authentications.

In addition, some articles on the IIS authentication will also be helpful:
158229 INFO: Security Ramifications for IIS Applications
http://support.microsoft.com/?id=158229

174775 How Windows NT Challenge/Response Works
http://support.microsoft.com/?id=174775

About Authentication
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iiabasc.htm

Please feel free to let me know if you have any further question on this
matter.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.
Chris Cichocki
10/21/2005 7:31:03 AM
These are some good articles and I've saved them as bookmarks for reference.
However, what I'm really looking for is a step-by-step walkthrough of a
request that highlights when identities are used. For example, when the
worker process is initiated, it is started with the identity configured in
the Application Pool. But then at some point, the HTTPContext gets assigned
an identity and I'm not sure exactly where in the process that happens.

I know from testing that if I have the Network Service configured in the
application pool and the Internet Guest Account configured in the directory
security, I need to grant both of those Windows accounts Read permissions to
the files or I will get a security error. But why?

A step-by-step explanation of how pages are served that includes different
security configurations such as:

* Anonymous
* Windows authentication
* Basic authentication
* ASP.Net impersonation as configured through the web.config settings

An article on this would help me to get a clear understanding of how this
works, and make sure that I configure the minimum security required to get an
application to work.

Thanks,
Chris

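The permission question raised above (both the application pool identity and the anonymous account needing Read on the content) can be checked rather than guessed. The following PowerShell script is an added example, not code from the thread or from any Microsoft article it links; it reads the ACL of a content folder and reports, for each identity involved in serving a request, whether a directly named ACE grants or denies Read. The folder path and the account names are placeholders to be replaced with the values from your own application pool and Directory Security settings.

```powershell
# Added example (not part of the original thread): check which of the identities
# involved in serving an IIS 6.0 request hold Read access on a content path.
# Assumptions: $Path is a placeholder folder; the default identities below are the
# IIS 6.0 defaults (NETWORK SERVICE as pool identity, IUSR_<machine> as anonymous user)
# and should be replaced with the accounts configured on your server.
param(
    [string]$Path = 'C:\inetpub\wwwroot\MyApp',                  # placeholder content folder
    [string[]]$Identities = @(
        'NT AUTHORITY\NETWORK SERVICE',                          # identity running w3wp.exe (Application Pool)
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"               # Internet Guest Account (Directory Security)
    )
)

# FileSystemRights.Read = ReadData | ReadExtendedAttributes | ReadAttributes | ReadPermissions | Synchronize
$readRights = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $Path

foreach ($id in $Identities) {
    # Only ACEs that name this account directly are considered. Rights that arrive
    # through group membership (for example an ACE on BUILTIN\Users) are not resolved
    # here, so a "no direct grant" result means "check inherited/group rights next".
    $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $id })

    $allowRead = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$readRights) -eq [int]$readRights)
    })
    # Any Deny ACE overlapping the Read bits blocks reads regardless of Allow entries.
    $denyRead = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.FileSystemRights -band [int]$readRights) -ne 0)
    })

    [PSCustomObject]@{
        Path            = $Path
        Identity        = $id
        DirectAllowRead = ($allowRead.Count -gt 0)
        DirectDenyRead  = ($denyRead.Count -gt 0)
        ReadEffective   = ($allowRead.Count -gt 0 -and $denyRead.Count -eq 0)
        AceCount        = $rules.Count
    }
}
```

Run it once with the pool identity and anonymous account, and again with a test user's account when Windows or Basic authentication is enabled, since in that case the request to the file is made under the authenticated user's token rather than the anonymous account. Granting only the rights this report shows as missing, and nothing broader, is how you reach the minimum configuration the post asks about.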
v-wdxu NO[at]SPAM online.microsoft.com
10/24/2005 6:29:12 AM
Hi Chris,

The best public content I have read for IIS authentication and
authorization is from the book "Design Secure Web-based Applications for
Windows 2000", written by Michael Howard with Marc Levy and Richard
Waymire. Though it faces Windows 2000, the underlying IIS security
mechanisms are still the same in Windows 2003. I am sure chapter 5 will
explain them for you very well.
http://www.microsoft.com/mspress/books/sampchap/4293.asp#SampleChapter

In addition, this book also introduces the Windows system security design
regarding SQL, COM+, WMI etc. From my personal view, this is a must-read
book for mastering the administration of Windows security.

Please feel free to let me know if you have any further question on this
matter.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.