(Msg. 1) Posted: Thu Feb 12, 2004 8:16 pm
Post subject: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: microsoft>public>inetserver>iis, others
Hi,
I am currently test running an old ASP application on IIS 6.0 and I have a
question on what user identity is actually being used. I created a new
application pool with its own service identity account (let's call it
TestService, and added it to the IIS_WPG group) and assigned the web app to
use the app pool. I have also enabled anon access on the web app, using the
IUSR account. When the web app starts up, a COM object connects to a
network server and d/ls files to a data directory. The data directory has
to have correct NTFS permissions for this to work.
Now... here are my tests.
1) I first set the NTFS permissions of the data directory to NOT allow
modify/write access to the TestService account and to allow modify/write
access to the IUSR account (I know I'm not supposed to, but this is just a
test). This did not work.
2) I then set the data directory to allow modify/write access to the
TestService account and the IUSR to only have read access. This worked.
etc...
What I basically found was that only the NTFS setting on the TestService
account mattered for this operation to succeed. But based on all I've read,
isn't it the authenticated user (in this case, the IUSR) that's supposed to
be impersonated, and all actions are performed as if it was the IUSR? In
this case, it doesn't even seem like the NTFS settings for IUSR matter at
all. I even removed IUSR from the NTFS permissions completely and it still
worked. Does anyone know why?
This is an excerpt from a Microsoft document:
For ASP applications, the type of authentication that is used by the user
automatically determines impersonation behavior. Because the impersonation
behavior is automatic, no configuration is required.
The impersonation behavior in an ASP application is as follows:
· If an anonymous user makes a request, the thread token is based on
the user account that is configured as the anonymous user identity (by
default, this is the IUSR_machinename user account).
· If an authenticated user makes a request, the thread token is
based on the authenticated account of the user.
Thanks if anyone can explain this to me.
(Msg. 2) Posted: Fri Feb 13, 2004 12:27 am
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: per prev. post
ASP itself uses the impersonated identity - we verify that on IIS6. Custom
code that ASP runs, like your COM object, could be doing something else.
Actions done by the custom code, like connecting to a network server and
d/ling files, are completely subject to its behavior, not ASP's. It could
cooperate with ASP's behavior, but it doesn't have to.
Is the COM object configured to use the impersonated (IUSR) or process
(TestService) identity?
For example, a COM object could be calling RevertToSelf(), which in older
IIS gives it access to LocalSystem (in low isolation) or IWAM (in
medium/high isolation). It will now be using the "TestService" identity.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"C K" <blah DeleteThis @blah.com> wrote in message
news:c0h85j$m3h$1@newstree.wise.edt.ericsson.se...
(Msg. 3) Posted: Fri Feb 13, 2004 1:26 pm
Post subject: RE: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: microsoft>public>inetserver>iis
Hi C K,
As I know, in this kind of scenario, both the process identifier (i.e.
TestService) and the thread identifier (IUSR_machinename) need to have write
permission on the upload folder. I have tested some similar web
applications to yours - using a COM DLL in ASP pages to upload files -
and the result was coincident.
I doubt if the behavior you met is caused by IIS caching the IUSR
account's token. By default, IIS refreshes this kind of cache every
15 mins:
152526 Changing the Default Interval for User Tokens in IIS
http://support.microsoft.com/?id=152526
Recycle the site's application pool or use iisreset to restart IIS to
test. Also, only enable anonymous access on this site to prevent the
possibility of IE automatically completing integrated auth with IIS. Will
the behavior persist?
Have a nice day,
WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
(Msg. 4) Posted: Fri Feb 13, 2004 2:00 pm
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: per prev. post
Hi,
It is actually not an upload application. When the web application first
starts up, it launches a COM object method that connects to a remote
server and then syncs some information to its local store. This local store
is in the form of some memory mapped files that are located in a data
directory. That is what I find strange. I had thought that either the IUSR
would need the write privileges or that both the IUSR and the TestService
account would need write, but it is actually only the TestService account
that matters.
What actually happens is this: If everything works, the memory mapped files
are created and have the correct data. If I do not give the TestService
account modify/write privileges, then the memory mapped files are created in
the directory, but they have no data in them. The routines to retrieve the
data are in a statically linked dll that I do not maintain, so I do not know
what kind of things it is doing. I just know that generally it connects to
a remote server and retrieves data.
In this case, I do not believe it has to do with the caching of the user
tokens because after each NTFS permission change, I do an iisreset. I also
have only anonymous authentication enabled -- no other auth is enabled.
Thanks.
""WenJun Zhang[msft]"" <v-wzhang.RemoveThis@online.microsoft.com> wrote in message
news:OfEZtvh8DHA.1988@cpmsftngxa07.phx.gbl...
(Msg. 5) Posted: Fri Feb 13, 2004 9:39 pm
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: microsoft>public>inetserver>iis, others
Wow, now you make me confused.
What other ACLs do you have for the data folder?
AFAIK, your 'testservice' is the process identity used to execute w3wp.exe,
and the 'iusr' is the user identity for actual access.
Have you tried filemon (sysinternals.com) to actually trace down the 'user'
that is writing the content?
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
"C K" <blah.RemoveThis@blah.com> wrote in message
news:c0h85j$m3h$1@newstree.wise.edt.ericsson.se...
(Msg. 6) Posted: Fri Feb 13, 2004 9:39 pm
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: per prev. post
Hi Bernard,
The only two ACLs I have are 1) the Administrators group (full control) and
2) the TestService account. I have removed all inheritance for this folder
so it is only those two ACLs in effect.
I have also just tried using filemon to see what is causing the problem and
I do see some ACCESS DENIED messages when the TestService account does not
have write access. However, filemon does not show the user identity, it
only shows the process name w3wp.exe. However, it must be the TestService
account because when I give it write access to the folder, everything works
ok.
In my other response, I mentioned that the routines to retrieve the data
from a remote server are in a statically linked dll (which I do not
maintain). I believe it connects to the remote server via named pipe. But
all this shouldn't matter right? Because it is getting the ACCESS DENIED on
the file system due to insufficient NTFS permission.
Any ideas?
Thanks.
"Bernard" <qbernard.TakeThisOut@hotmail.com.discuss> wrote in message
news:#zjca2h8DHA.488@TK2MSFTNGP12.phx.gbl...
(Msg. 7) Posted: Sat Feb 14, 2004 4:16 am
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: microsoft>public>inetserver>iis
ASP itself uses the impersonated identity, as described by documentation and
verified through testing. Custom code that ASP runs, like your COM object,
could be doing something else. Actions done by the custom code, like
connecting to a network server and d/ling files, are completely subject to
its behavior, not ASP's. It could cooperate with ASP's behavior, but it
doesn't have to.
Is the COM object configured to use the impersonated (IUSR) or process
(TestService) identity? Do you know?
For example, a COM object could be calling RevertToSelf(), which in older
IIS gives it access to LocalSystem (in low isolation) or IWAM (in
medium/high isolation). It will now be using the "TestService" identity.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"C K" <blah DeleteThis @blah.com> wrote in message
news:c0j6gt$moo$1@newstree.wise.edt.ericsson.se...
(Msg. 8) Posted: Mon Feb 16, 2004 12:46 am
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: microsoft>public>inetserver>iis, others
I don't see your other response in the thread.
Now, as David pointed out, do you change the security settings in your COM
object?
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
"C K" <blah.DeleteThis@blah.com> wrote in message
news:c0j713$n0e$1@newstree.wise.edt.ericsson.se...
(Msg. 9) Posted: Mon Feb 16, 2004 9:11 am
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: microsoft>public>inetserver>iis
Enabling auditing on the folder may help you find some clues on this
issue. Please remove write permission from your TestService account
again and perform the following steps to enable auditing:
1) Open this folder's properties dialog. In Security
tab->Advanced->Auditing, add the %Machine%\IUSR and %Machine%\TestService
accounts and select all the Successful/Failed events.
2) Go to Administrative Tools->Local Security Settings->Local
Policies->Audit Policy and enable all kinds of audits.
3) Then open Event Viewer, clear and save the current Security log.
Browse to the problem page to reproduce the access denied error.
Refresh the Security log and there should be some events with more
detailed info.
Any findings or results, please update here.
Have a nice day,
WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
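WenJun Zhang's three auditing steps above, scripted as an added example that is not part of the thread. It assumes a current Windows host (object-access events 4656/4663; the event IDs on the Windows Server 2003 of the thread's era differ) and uses placeholder folder and account names; the final loop answers the question filemon could not, namely which account the denied access was made under.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Placeholders: adjust $DataDir and $Accounts to the real folder and identities.
param(
    [string]$DataDir = 'C:\inetpub\app\data',                      # placeholder
    [string[]]$Accounts = @("$env:COMPUTERNAME\IUSR",               # placeholder
                            "$env:COMPUTERNAME\TestService")        # placeholder
)

# Step 1: add Success+Failure audit entries (the SACL) for both identities so
# a denied open by either one produces a Security event naming that account.
$acl = Get-Acl -Path $DataDir -Audit
foreach ($account in $Accounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $DataDir -AclObject $acl

# Step 2: turn on object-access auditing in the local audit policy
# (the Vista+ equivalent of the Local Security Settings dialog in the post).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 3: save and clear the Security log, reproduce, then read the new events.
wevtutil epl Security "$env:TEMP\Security-before.evtx"
wevtutil cl Security
Read-Host 'Browse to the problem page now to reproduce the error, then press Enter'

# 4656 = handle to an object requested (Audit Failure when access is denied),
# 4663 = an attempt was made to access an object (successful access).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
    -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Pull the EventData fields out of the event XML by name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "$DataDir*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Outcome = ($e.KeywordsDisplayNames -join ',')      # Audit Success / Audit Failure
            Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"  # whose token was used
            Process = $d.ProcessName                            # expect w3wp.exe
            Object  = $d.ObjectName
            Access  = ($d.AccessList -replace '\s+', ' ').Trim()
        }
    }
}
```

If the Account column shows the app pool identity rather than IUSR on the Audit Failure rows, the COM object's file writes are running under the process token, which is the distinction David Wang describes above.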
(Msg. 10) Posted: Mon Feb 16, 2004 9:08 pm
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: per prev. post
Hi David,
The COM object is an apartment model COM object (created with ATL) that is
created in the global.asa and assigned to session scope with the
<OBJECT RUNAT=Server SCOPE=Session ...>
command. (I do know that it is not recommended for apartment COM objects to
be assigned to session scope, but that is how the object was designed...
would this have any effect on impersonation identities?) Otherwise, the
COM object is not part of any MTS/COM+ package where you can configure the
identity it is running under.
As far as I know, the COM is not doing anything explicitly to specify any
change in privileges or security access rights. It is just performing what
is needed to be done, which is connecting to the remote server, d/ling the
data, and creating the memory mapped files in the data directory.
However, you mentioned that the COM actions are "completely subject to its
behavior, not ASP's"... But isn't the COM object running under the
impersonated account? In IIS 6.0, is that (by default) the IUSR account or
is it the application pool identity account?
Thanks.
"David Wang [Msft]" <someone RemoveThis @online.microsoft.com> wrote in message
news:uKGZuyt8DHA.2412@TK2MSFTNGP09.phx.gbl...
> ASP itself uses the impersonated identity, as described by documentation
and
> verified through testing. Custom code that ASP runs, like your COM object,
> could be doing something else. Actions done by the custom code, like
connect
> to a network server and d/l files, is completely subject to its behavior,
> not ASP's. It could cooperate with ASP's behavior, but it doesn't have
to.
>
> Is the COM object configured to use the impersonated (IUSR) or process
> (TestService) identity? Do you know?
>
> For example, a COM object could be calling RevertToSelf(), which in older
> IIS gives it access to LocalSystem (in low isolation) or IWAM (in
> medium/high isolation). It will now be using "TestService" identity.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "C K" <blah RemoveThis @blah.com> wrote in message
> news:c0j6gt$moo$1@newstree.wise.edt.ericsson.se...
> Hi,
>
> It is actually not an upload application. When the web application first
> starts up, it will launch a COM object method that connects to a remote
> server and then sync some information to its local store. This local
store
> is in the form of some memory mapped files that are located in a data
> directory. That is what I find strange. I had thought that either the
IUSR
> would need the write privileges or that both the IUSR and the TestService
> account would need write, but it is actually only the TestService account
> that matters.
>
> What actually happens is this: If everything works, the memory mapped
files
> are created and have the correct data. If I do not give the TestService
> account modify/write privileges, then the memory mapped files are created
in
> the directory, but they have no data in them. The routines to retrieve
the
> data are in a statically linked dll that I do not maintain, so I do not
know
> what kind of things it is doing. I just know that generally it connects
to
> a remote server and retrieves data.
>
> In this case, I do not believe it has to do with the caching of the user
> tokens because after each NTFS permission change, I do an iisreset. I also
> have only anonymous authentication enabled as well -- no other auth is
> enabled.
>
> Thanks.
>
>
> "WenJun Zhang[msft]" <v-wzhang RemoveThis @online.microsoft.com> wrote in message
> news:OfEZtvh8DHA.1988@cpmsftngxa07.phx.gbl...
> > Hi C K,
> >
> > As I know, in this kind of scenario, both the process identifier (i.e.
> > TestService) and the thread identifier (IUSR_machinename) need to have write
> > permission on the upload folder. I have tested some similar web
> > applications as yours - using com dll in ASP pages to upload files
> > and the result was coincident.
> >
> > I doubt if the behavior you met is caused by IIS caching the IUSR
> > account's token. By default, IIS refreshes this kind of cache every
> > 15 mins:
> > 152526 Changing the Default Interval for User Tokens in IIS
> > http://support.microsoft.com/?id=152526
> >
> > Recycle the site's application pool or use iisreset to restart IIS to
> > test. Also, only enable anonymous access on this site to prevent the
> > possibility of IE automatically finishing integrated auth with IIS. Will the
> > behavior persist?
> >
> > Have a nice day,
> >
> > WenJun Zhang
> > Microsoft Online Support
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > Get Secure! - www.microsoft.com/security
> >
>
>
External
Since: Aug 25, 2003 Posts: 2419
(Msg. 11) Posted: Wed Feb 18, 2004 5:24 pm
Post subject: Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon? Archived from groups: per prev. post
> However, you mentioned that the COM actions are "completely subject to
> its behavior, not ASP's"... But isn't the COM object running under the
> impersonated account? In IIS 6.0, is that (by default) the IUSR account or
> is it the application pool identity account?
The COM object can be running under the impersonated account, but any Win32
code can change the user token with which it executes any action. For
example, even if IIS launched the COM object with the impersonated user, the
COM object can call RevertToSelf() immediately and start executing as the
process identity.
HOW DO YOU KNOW THAT IT DID NOT DO THIS???
It is arbitrary code, as I note, so it can have arbitrary behavior -- and
you CANNOT assume anything about the identity it uses or how it works unless
you have its source code or accurate documentation. As a result, it is
incorrect for you to apply what documentation says about ASP's behavior to
any components that it runs -- the component MAY cooperate with ASP's
behavior, but it doesn't have to.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"C K" <blah DeleteThis @blah.com> wrote in message
news:c0rsmu$mrk$1@newstree.wise.edt.ericsson.se...
Hi David,
The COM object is an apartment model COM object (created with ATL) that is
created in the global.asa and assigned to session scope with the
<OBJECT RUNAT=Server SCOPE=Session ...>
command. (I do know that it is not recommended for apartment COM objects to
be assigned to session scope, but that is how the object was designed...
would this have any effect on impersonation identities?) Otherwise, the
COM object is not part of any MTS/COM+ package where you can configure the
identity it is running under.
As far as I know, the COM is not doing anything explicitly to specify any
change in privileges or security access rights. It is just performing what
is needed to be done, which is connecting to the remote server, d/ling the
data, and creating the memory mapped files in the data directory.
However, you mentioned that the COM actions are "completely subject to its
behavior, not ASP's"... But isn't the COM object running under the
impersonated account? In IIS 6.0, is that (by default) the IUSR account or
is it the application pool identity account?
Thanks.
"David Wang [Msft]" <someone DeleteThis @online.microsoft.com> wrote in message
news:uKGZuyt8DHA.2412@TK2MSFTNGP09.phx.gbl...
> ASP itself uses the impersonated identity, as described by documentation and
> verified through testing. Custom code that ASP runs, like your COM object,
> could be doing something else. Actions done by the custom code, like
> connecting to a network server and d/ling files, are completely subject to its
> behavior, not ASP's. It could cooperate with ASP's behavior, but it doesn't
> have to.
>
> Is the COM object configured to use the impersonated (IUSR) or process
> (TestService) identity? Do you know?
>
> For example, a COM object could be calling RevertToSelf(), which in older
> IIS gives it access to LocalSystem (in low isolation) or IWAM (in
> medium/high isolation). It will now be using "TestService" identity.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "C K" <blah DeleteThis @blah.com> wrote in message
> news:c0j6gt$moo$1@newstree.wise.edt.ericsson.se...
> Hi,
>
> It is actually not an upload application. When the web application first
> starts up, it will launch a COM object method that connects to a remote
> server and then syncs some information to its local store. This local store
> is in the form of some memory mapped files that are located in a data
> directory. That is what I find strange. I had thought that either the IUSR
> would need the write privileges or that both the IUSR and the TestService
> account would need write, but it is actually only the TestService account
> that matters.
>
> What actually happens is this: If everything works, the memory mapped files
> are created and have the correct data. If I do not give the TestService
> account modify/write privileges, then the memory mapped files are created in
> the directory, but they have no data in them. The routines to retrieve the
> data are in a statically linked dll that I do not maintain, so I do not know
> what kind of things it is doing. I just know that generally it connects to
> a remote server and retrieves data.
>
> In this case, I do not believe it has to do with the caching of the user
> tokens because after each NTFS permission change, I do an iisreset. I also
> have only anonymous authentication enabled as well -- no other auth is
> enabled.
>
> Thanks.
>
>
> "WenJun Zhang[msft]" <v-wzhang DeleteThis @online.microsoft.com> wrote in message
> news:OfEZtvh8DHA.1988@cpmsftngxa07.phx.gbl...
> > Hi C K,
> >
> > As I know, in this kind of scenario, both the process identifier (i.e.
> > TestService) and the thread identifier (IUSR_machinename) need to have write
> > permission on the upload folder. I have tested some similar web
> > applications as yours - using com dll in ASP pages to upload files
> > and the result was coincident.
> >
> > I doubt if the behavior you met is caused by IIS caching the IUSR
> > account's token. By default, IIS refreshes this kind of cache every
> > 15 mins:
> > 152526 Changing the Default Interval for User Tokens in IIS
> > http://support.microsoft.com/?id=152526
> >
> > Recycle the site's application pool or use iisreset to restart IIS to
> > test. Also, only enable anonymous access on this site to prevent the
> > possibility of IE automatically finishing integrated auth with IIS. Will the
> > behavior persist?
> >
> > Have a nice day,
> >
> > WenJun Zhang
> > Microsoft Online Support
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > Get Secure! - www.microsoft.com/security
> >
>
>
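An added example, not code from this thread or from either poster: it turns David's advice to verify rather than assume into two PowerShell checks. Get-EffectiveIdentity reports whether the calling thread still holds an impersonation token or has fallen back to the process token (in Win32 terms, whether OpenThreadToken succeeds or fails with ERROR_NO_TOKEN, which is the state after a RevertToSelf() call), and Test-DirectWriteAce lists which candidate accounts hold a direct write ACE on the data directory. The machine name, the TestService account and the data path are assumed values.

```powershell
# Added example, not code from the thread. Two checks for the question David raises:
# (1) which token the calling thread is actually executing under right now, and
# (2) which of the candidate accounts holds a direct write ACE on the data directory.
# The computer name, the 'TestService' app pool identity and the data path are assumptions.

function Get-EffectiveIdentity {
    # GetCurrent($true) is $null unless this thread holds an impersonation token.
    # After a RevertToSelf() (or if nothing ever impersonated) only the process
    # token remains, so NTFS access is checked against the process identity.
    $thread = [System.Security.Principal.WindowsIdentity]::GetCurrent($true)
    if ($thread) {
        return [pscustomobject]@{ Mode = 'Impersonating'; Name = $thread.Name }
    }
    $process = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [pscustomobject]@{ Mode = 'ProcessIdentity'; Name = $process.Name }
}

function Test-DirectWriteAce {
    # Reports, per account, whether an explicit Allow ACE grants all Write bits
    # and no explicit Deny ACE removes them. Only direct ACEs are examined;
    # rights reached through group membership (IIS_WPG, Users) are not expanded.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Accounts
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $write   = [int][System.Security.AccessControl.FileSystemRights]::Write
    $acl     = Get-Acl -Path $Path
    foreach ($name in $Accounts) {
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType)
        $matching = $acl.Access | Where-Object {
            ($_.IdentityReference.Translate($sidType) -eq $sid) -and
            (([int]$_.FileSystemRights -band $write) -eq $write)
        }
        $allow = [bool]($matching | Where-Object AccessControlType -eq 'Allow')
        $deny  = [bool]($matching | Where-Object AccessControlType -eq 'Deny')
        [pscustomobject]@{ Account = $name; DirectWrite = ($allow -and -not $deny) }
    }
}

# Usage with assumed names. The row that matters is the one for the identity
# Get-EffectiveIdentity reports from inside the component, not the one ASP documents.
Get-EffectiveIdentity
Test-DirectWriteAce -Path 'D:\WebApp\Data' -Accounts 'MYSERVER\TestService', 'MYSERVER\IUSR_MYSERVER'
```

Run from an interactive shell, Get-EffectiveIdentity will of course report the shell's own process identity; it is meant to be called on the thread whose access is in question.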