The simplest case

guruperplexe - 21 Mar 2007 18:36 GMT
Hello everybody,
I spent some time reading this forum and Technet resources, still I can't
find the answer to my VERY basic question:
I have a W2K domain, with an IIS6 intranet server. The asp code of the
intranet site has to access files located on a W2K3 server, same domain. The
user gets an "access denied" (works fine if the same files are located on the
IIS server).
It seems I tried everything: using virtual directories, using Basic
authentication (I don't want it because it asks for credentials), changing
DefaultAppPool parameters ...
I am getting nervous. Is this not a REALLY basic problem?!
David Wang - 21 Mar 2007 22:04 GMT
Yes, while this problem appears basic, it is really Cross-Machine
Delegation, which is a very advanced security implication.

You will find that if you use Basic authentication or coordinate
Anonymous user logins that it works, but it fails if you use
Integrated Authentication.

The protocols which work by default are all insecure with regards to
delegation, which is a non-obvious security concept.

We can certainly go into more details as to why it fails with
Integrated Authentication by default and how to make it work, but
suffice to say, it is well documented. One easy way to explain the
concept is:

Suppose you go to an auto shop to get your car serviced. Instead of
asking you to sign for repair authorization, they asked for your SSN.
What do you do?

The insecure authentication protocols will simply hand over the SSN.
The secure authentication protocols say "no, I won't give you the SSN
unless you go through validation that you safeguard and absolutely
require my SSN".

Now, with a W2K domain, the only way to make Integrated Authentication
work is to use Kerberos. With WS03 domain, you have many more options.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

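
An added example, not part of the thread or of either poster's words: a small Python model of the second hop (IIS to file server) for each authentication method named in the reply, with Integrated Authentication split into its two negotiated protocols, NTLM and Kerberos. The function name, parameters and sample values are hypothetical and constructed; the two `userAccountControl` bit values are the documented Active Directory flags, and the model assumes the web application runs as the account whose flags are passed in `service_uac`.

```python
# Added illustration: outcome of the second hop (IIS -> file server) per
# authentication method. Function and parameter names are hypothetical.
# Documented Active Directory userAccountControl bits:
TRUSTED_FOR_DELEGATION = 0x80000   # account may forward users' Kerberos tickets
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"


def second_hop(auth, service_uac=0, user_uac=0, anon_account_matches=False):
    """Return (works, reason) for ASP code opening a file on another server.

    service_uac: userAccountControl of the account the web application runs as
    user_uac:    userAccountControl of the browsing user
    """
    if auth == "basic":
        return True, "IIS holds the user's password and can log on remotely with it"
    if auth == "anonymous":
        if anon_account_matches:
            return True, "anonymous account and password are coordinated on both servers"
        return False, "file server does not recognise the anonymous account"
    if auth == "ntlm":
        return False, "IIS only proved the user's identity; it holds nothing to forward"
    if auth == "kerberos":
        if not service_uac & TRUSTED_FOR_DELEGATION:
            return False, "web server account is not trusted for delegation"
        if user_uac & NOT_DELEGATED:
            return False, "user account is marked sensitive and cannot be delegated"
        return True, "the domain has validated that this server may act for the user"
    raise ValueError(f"unknown authentication method: {auth!r}")


# Constructed sample values (not taken from the thread).
PLAIN_COMPUTER = 0x1000                                # WORKSTATION_TRUST_ACCOUNT
DELEGATING_COMPUTER = 0x1000 | TRUSTED_FOR_DELEGATION
NORMAL_USER = 0x200                                    # NORMAL_ACCOUNT
SENSITIVE_USER = 0x200 | NOT_DELEGATED

if __name__ == "__main__":
    cases = [("basic", 0, 0), ("ntlm", PLAIN_COMPUTER, NORMAL_USER),
             ("kerberos", PLAIN_COMPUTER, NORMAL_USER),
             ("kerberos", DELEGATING_COMPUTER, NORMAL_USER),
             ("kerberos", DELEGATING_COMPUTER, SENSITIVE_USER)]
    for auth, svc, usr in cases:
        works, reason = second_hop(auth, svc, usr)
        print(f"{auth:9} svc={svc:#08x} user={usr:#08x} -> "
              f"{'OK' if works else 'access denied'}: {reason}")
```

The Basic and coordinated-Anonymous rows succeed only because the web server ends up holding a reusable credential, which is the "hand over the SSN" case in the analogy.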
 