|
|
You're in the
iis security
group:IIS metabase permissions when creating new VirDir's
iis security:
Theoretical, architecture-type question here: -=- If one wants to have an Asp.Net app programmatically create new VirDir's, how should you implement this? Open the doors wide-open to the ASPNET user account? (not!) Some Background: -=- We have an Asp.Net app that we ported from Asp/VB6. It allowed anonymous IIS users to create new web-sites on-the-fly. Obviously, our app ensures that only users who are registered and correctly logged-in can do this. My point is that as far as IIS is concerned, users are anonymous. In the old Asp/VB6 world, this worked because the Asp pages would call the COM+ components, which impersonated as a local machine account. We ensured the local machine account had enough permissions to: - access the appropriate part(s) of the file system to make the new web-site - access the approprate part(s) of the IIS metabase Correct me if I'm wrong, but the way I understand impersonation works in ..Net isn't the same: it will only work if you use Windows Authentication under IIS, and will then only impersonate the logged-in user. In our app, we can't use Windows Authentication. We can make the new .Net code work if we allow the ASPNET user access to the resources I described above, but we would like a better solution. My thought is to have the Aspx page create an MSMQ message, asking to create the new VirDir. We already have a daemon process written in C# that monitors MSMQ, and it runs with LOCALSYSTEM privs, so it could get the job done. What is Microsoft's recommendation on this? --
The queue idea is a good one, but possibly overkill. You could run the
individual script or virtual directory under the context of a different user account, but you'd need to be careful of who can access it, by requiring authentication and locking down the script with NTFS. I'd also recommend you take care and backup before changes, and have a protocol sorted out for rolling back changes, just in case. -- Jason Brown Microsoft GTSC, IIS This posting is provided "AS IS" with no warranties, and confers no rights. [quoted text, click to view] "Tony D" <TonyD@discussions.microsoft.com> wrote in message news:168FB923-670E-4C0E-97F7-3E1250B962F4@microsoft.com... > Hi, > > Theoretical, architecture-type question here: > -=- > If one wants to have an Asp.Net app programmatically create new VirDir's, > how should you implement this? Open the doors wide-open to the ASPNET > user > account? (not!) > > Some Background: > -=- > We have an Asp.Net app that we ported from Asp/VB6. It allowed anonymous > IIS users to create new web-sites on-the-fly. Obviously, our app ensures > that only users who are registered and correctly logged-in can do this. > My > point is that as far as IIS is concerned, users are anonymous. > > In the old Asp/VB6 world, this worked because the Asp pages would call the > COM+ components, which impersonated as a local machine account. We > ensured > the local machine account had enough permissions to: > - access the appropriate part(s) of the file system to make the new > web-site > - access the approprate part(s) of the IIS metabase > > Correct me if I'm wrong, but the way I understand impersonation works in > .Net isn't the same: it will only work if you use Windows Authentication > under IIS, and will then only impersonate the logged-in user. In our app, > we > can't use Windows Authentication. > > We can make the new .Net code work if we allow the ASPNET user access to > the > resources I described above, but we would like a better solution. My > thought > is to have the Aspx page create an MSMQ message, asking to create the new > VirDir. We already have a daemon process written in C# that monitors > MSMQ, > and it runs with LOCALSYSTEM privs, so it could get the job done. > > What is Microsoft's recommendation on this? > > -- > - Tony D
Thank you for your answer.
Could you please give an example of how to run a Virtual Directory under a different user context? I know that the constructor for System.DirectoryServices.DirectoryEntry takes an AuthenticationType parameter. Is this what you mean? - Tony [quoted text, click to view] "Jason Brown [MSFT]" wrote:
> The queue idea is a good one, but possibly overkill. You could run the > individual script or virtual directory under the context of a different user > account, but you'd need to be careful of who can access it, by requiring > authentication and locking down the script with NTFS. > > I'd also recommend you take care and backup before changes, and have a > protocol sorted out for rolling back changes, just in case. > > > -- > Jason Brown > Microsoft GTSC, IIS > > This posting is provided "AS IS" with no warranties, and confers no rights. > > > "Tony D" <TonyD@discussions.microsoft.com> wrote in message > news:168FB923-670E-4C0E-97F7-3E1250B962F4@microsoft.com... > > Hi, > > > > Theoretical, architecture-type question here: > > -=- > > If one wants to have an Asp.Net app programmatically create new VirDir's, > > how should you implement this? Open the doors wide-open to the ASPNET > > user > > account? (not!) > > > > Some Background: > > -=- > > We have an Asp.Net app that we ported from Asp/VB6. It allowed anonymous > > IIS users to create new web-sites on-the-fly. Obviously, our app ensures > > that only users who are registered and correctly logged-in can do this. > > My > > point is that as far as IIS is concerned, users are anonymous. > > > > In the old Asp/VB6 world, this worked because the Asp pages would call the > > COM+ components, which impersonated as a local machine account. We > > ensured > > the local machine account had enough permissions to: > > - access the appropriate part(s) of the file system to make the new > > web-site > > - access the approprate part(s) of the IIS metabase > > > > Correct me if I'm wrong, but the way I understand impersonation works in > > .Net isn't the same: it will only work if you use Windows Authentication > > under IIS, and will then only impersonate the logged-in user. In our app, > > we > > can't use Windows Authentication. > > > > We can make the new .Net code work if we allow the ASPNET user access to > > the > > resources I described above, but we would like a better solution. My > > thought > > is to have the Aspx page create an MSMQ message, asking to create the new > > VirDir. We already have a daemon process written in C# that monitors > > MSMQ, > > and it runs with LOCALSYSTEM privs, so it could get the job done. > > > > What is Microsoft's recommendation on this? > > > > -- > > - Tony D > >
Are you on IIS 6.0?
the way I'd probably do that would be to either lock down the file using IIS service manager and enable windows authentication - you then run it under the authenticated account (with impersonation enabled). You could also create a new application pool which runs under a priveleged account, then edit the VDir's properties in IIS service manager so that it runs under the priveleged app pool. -- Jason Brown Microsoft GTSC, IIS This posting is provided "AS IS" with no warranties, and confers no rights. [quoted text, click to view] "Tony D" <TonyD@discussions.microsoft.com> wrote in message news:EEBEF54A-9781-4718-98C8-018375692864@microsoft.com... > Thank you for your answer. > > Could you please give an example of how to run a Virtual Directory under a > different user context? > > I know that the constructor for System.DirectoryServices.DirectoryEntry > takes an AuthenticationType parameter. Is this what you mean? > > - Tony > > > "Jason Brown [MSFT]" wrote: > >> The queue idea is a good one, but possibly overkill. You could run the >> individual script or virtual directory under the context of a different >> user >> account, but you'd need to be careful of who can access it, by requiring >> authentication and locking down the script with NTFS. >> >> I'd also recommend you take care and backup before changes, and have a >> protocol sorted out for rolling back changes, just in case. >> >> >> -- >> Jason Brown >> Microsoft GTSC, IIS >> >> This posting is provided "AS IS" with no warranties, and confers no >> rights. >> >> >> "Tony D" <TonyD@discussions.microsoft.com> wrote in message >> news:168FB923-670E-4C0E-97F7-3E1250B962F4@microsoft.com... >> > Hi, >> > >> > Theoretical, architecture-type question here: >> > -=- >> > If one wants to have an Asp.Net app programmatically create new >> > VirDir's, >> > how should you implement this? Open the doors wide-open to the ASPNET >> > user >> > account? (not!) >> > >> > Some Background: >> > -=- >> > We have an Asp.Net app that we ported from Asp/VB6. It allowed >> > anonymous >> > IIS users to create new web-sites on-the-fly. Obviously, our app >> > ensures >> > that only users who are registered and correctly logged-in can do this. >> > My >> > point is that as far as IIS is concerned, users are anonymous. >> > >> > In the old Asp/VB6 world, this worked because the Asp pages would call >> > the >> > COM+ components, which impersonated as a local machine account. We >> > ensured >> > the local machine account had enough permissions to: >> > - access the appropriate part(s) of the file system to make the new >> > web-site >> > - access the approprate part(s) of the IIS metabase >> > >> > Correct me if I'm wrong, but the way I understand impersonation works >> > in >> > .Net isn't the same: it will only work if you use Windows >> > Authentication >> > under IIS, and will then only impersonate the logged-in user. In our >> > app, >> > we >> > can't use Windows Authentication. >> > >> > We can make the new .Net code work if we allow the ASPNET user access >> > to >> > the >> > resources I described above, but we would like a better solution. My >> > thought >> > is to have the Aspx page create an MSMQ message, asking to create the >> > new >> > VirDir. We already have a daemon process written in C# that monitors >> > MSMQ, >> > and it runs with LOCALSYSTEM privs, so it could get the job done. >> > >> > What is Microsoft's recommendation on this? >> > >> > -- >> > - Tony D >> >> >>
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |