The information in this article applies to:
SUMMARY

Accessing files on a computer other than your Internet Information Server (IIS) server from an Internet Server API (ISAPI) extension, Active Server Pages (ASP) page, or Common Gateway Interface (CGI) application can be problematic. This article lists the issues involved and some possible ways to get this to work.

MORE INFORMATION
Although this article is written mainly in the context of accessing files
on network shares, the same concepts apply to named pipe connections as
well. Named pipes are often used for SQL Server connections as well as for
remote procedure call (RPC) and distributed component object model (DCOM)
communications. In particular, if you connect to a SQL Server across the
network that is configured to use Windows NT Integrated Security, you will
often not be able to connect because of the issues outlined in this
article. RPC and DCOM may also use other communication mechanisms that
have similar network authentication schemes. Therefore the concepts in
this article can apply to a wide variety of network communications
mechanisms that might be used from your IIS applications.
Whether or not access to network resources is allowed depends on the kind of impersonation token under which the request is being processed. Network tokens are NOT allowed to access network resources. (This kind of token is called a "Network" token because it is traditionally created by a server when authenticating a user across the network; allowing the server to use a network token to act as a network client and access another server is called "delegation" and is considered a possible security hole.) Interactive tokens are traditionally used when authenticating a local user on the computer, and they are allowed to access resources across the network. A third type of token that IIS can support is a Batch token, designed to provide a security context under which batch jobs run. Batch tokens have network access.

IIS has the concept of a Clear Text logon, so named because IIS has access to both the username and password in clear text. You can control whether a Clear Text logon creates a Network, Interactive, or Batch token by setting the LogonMethod property in the metabase. By default, Clear Text logons get an Interactive token and have access to network resources. The LogonMethod can be configured at the server, site, virtual directory, directory, or file level.

Anonymous access impersonates the account configured as the anonymous user for the request. By default, IIS has a single anonymous user account called IUSR_<machinename> which is impersonated when handling a non-authenticated request. By default, IIS 4.0 has a configurable feature called "Enable Automatic Password Synchronization" which uses a security sub-authority to create the token. Tokens created in this manner are Network tokens which will NOT have access to other computers on the network. If you disable Automatic Password Synchronization, IIS creates the token in the same manner as the Clear Text logon mentioned previously.
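The token rules above can be checked against a server's actual metabase settings. The following PowerShell script is an added example, not code from the KB article or from Microsoft. It assumes the ADSI "IIS:" provider is available (IIS 4.0 through 6.0, or the IIS 6 metabase compatibility component on later versions), that it is run as an administrator on the IIS computer, and it uses a hypothetical metabase path IIS://localhost/W3SVC/1/Root that you would replace with your own site or virtual directory. The function names Get-IisTokenExpectation and Set-IisLogonMethodInteractive are my own.

```powershell
# Added example, not from the KB article: read the metabase properties that
# decide which kind of token a request is processed under, and report whether
# access to other computers (UNC shares, named pipes) is expected.
function Get-IisTokenExpectation {
    param(
        # Hypothetical path: root of site 1. Use your own site/vdir/file path.
        [string]$MetabasePath = "IIS://localhost/W3SVC/1/Root"
    )

    # MD_LOGON_METHOD values as documented for the IIS 4.0/5.0 metabase.
    $logonMethodNames = @{ 0 = "Interactive"; 1 = "Batch"; 2 = "Network" }

    # The IIS ADSI provider returns inherited values, so a property that is
    # not set at this node still reflects the setting that applies to it.
    $node          = [ADSI]$MetabasePath
    $logonMethod   = [int]$node.Properties["LogonMethod"].Value
    $passwordSync  = [bool]$node.Properties["AnonymousPasswordSync"].Value
    $anonymousUser = [string]$node.Properties["AnonymousUserName"].Value

    $clearTextToken = $logonMethodNames[$logonMethod]
    if (-not $clearTextToken) { $clearTextToken = "Unknown($logonMethod)" }

    # Anonymous requests: with Automatic Password Synchronization the
    # sub-authority logon always yields a Network token; without it the
    # anonymous logon is a Clear Text logon and follows LogonMethod.
    $anonymousToken = if ($passwordSync) { "Network" } else { $clearTextToken }

    # Only Interactive and Batch tokens may reach resources on other computers.
    $hasNetworkAccess = { param($t) ($t -eq "Interactive") -or ($t -eq "Batch") }

    # A local IUSR_<machine> account is unknown to other computers even when
    # its token kind would allow network access.
    $isLocalAccount = ($anonymousUser -notlike "*\*") -or
                      ($anonymousUser -like "$env:COMPUTERNAME\*")

    [pscustomobject]@{
        MetabasePath            = $MetabasePath
        AnonymousUser           = $anonymousUser
        AnonymousPasswordSync   = $passwordSync
        AnonymousToken          = $anonymousToken
        AnonymousNetworkAccess  = (& $hasNetworkAccess $anonymousToken) -and -not $isLocalAccount
        AnonymousIsLocalAccount = $isLocalAccount
        ClearTextToken          = $clearTextToken
        ClearTextNetworkAccess  = & $hasNetworkAccess $clearTextToken
    }
}

# Set Clear Text logons on a node back to Interactive tokens (the IIS 4.0
# default) and write the change to the metabase.
function Set-IisLogonMethodInteractive {
    param([string]$MetabasePath = "IIS://localhost/W3SVC/1/Root")
    $node = [ADSI]$MetabasePath
    $node.Properties["LogonMethod"].Value = 0   # 0 = Interactive
    $node.CommitChanges()
}

Get-IisTokenExpectation | Format-List
```

A result with AnonymousPasswordSync = True and AnonymousNetworkAccess = False is the default described in the article: anonymous requests get a Network token and cannot open a UNC path even though the account could. Run the function against the specific virtual directory or file that fails, because all three properties can be overridden at any level below the server.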
Automatic Password Synchronization is only available for accounts that are located on the same computer as IIS. Therefore, if you change your anonymous account to a domain account, you will not be able to use Automatic Password Synchronization and you will get a Clear Text logon. The exception is if you install IIS on your Primary Domain Controller, in which case the domain accounts are on the local computer. The anonymous account and the Automatic Password Synchronization option can be configured at the server, site, virtual directory, directory, or file level.

Having the proper type of token is the first step in accessing a resource on the network. You must also be impersonating an account that has access to the resource across the network. The IUSR_<machinename> account that IIS creates for anonymous requests exists only on the local computer by default. Even if you disable Automatic Password Synchronization so that you get an Interactive token capable of accessing network resources, the IUSR_<machinename> account typically will not have access to most network resources because it is unrecognized on other computers. If you wish to access network resources with anonymous requests, it is suggested that you replace the default account with an account in a domain on your network that can be recognized by all computers. If you installed IIS on a Domain Controller, the IUSR_<machinename> account is a domain account and should be recognized by other computers on the network without further action.

Following are ways to avoid problems when accessing network resources from your IIS application:
Make sure that you do not use drive letters mapped to network shares. Not only are there only 26 potential drive letters to choose from, but trying to use a drive letter that was mapped in a different security context can cause problems. Instead, you should always use Universal Naming Convention (UNC) names to access resources. The format should look something like the following:

   \\MyServer\filesharename\directoryname\filename

The information in this article pertains only to Internet Information Server 4.0. In Internet Information Server 5.0 (shipping with Windows 2000) there will be significant changes in regards to new authentication types and capabilities. Although most of the concepts in this article still apply to IIS 5.0, the details in this article on the sorts of impersonation tokens generated with certain authentication schemes apply strictly to IIS 4.0.

If you are having problems determining what sort of logon is occurring on your IIS server to handle requests, you can turn on auditing for Logons and Logoffs. In User Manager, navigate to Policies, point to Audit, choose the Audit These Events option, and then select the Logon and Logoff options. Event Log entries will be added under the Security Log. You can determine the kind of logon by looking at the event details under the Logon Type:

   2=Interactive

REFERENCES

For additional information about network security, please see the following article(s) in the Microsoft Knowledge Base:

   Q124184 Service Running as System Account Fails Accessing Network
   Q180362 INFO: Services and Redirected Drives
   Q158229 INFO: Security Ramifications for IIS Applications
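The auditing check described above can be scripted so that the Logon Type of each request logon is read from the Security log rather than opened event by event. The following PowerShell is an added example and not part of the KB article. It assumes a current Windows version with Get-WinEvent, where a successful logon is Security event 4624 (the Windows NT 4.0 systems the article describes logged event 528; the Logon Type numbers are the same), and it must be run from an elevated prompt. Get-RecentLogonTokens is a hypothetical function name; the Logon Type values 3=Network and 4=Batch are the standard Windows values and are not quoted in the article text above.

```powershell
# Added example, not from the KB article: classify recent successful logons
# in the Security log by Logon Type, so you can see whether the logons IIS
# performs on behalf of requests produce Interactive, Network or Batch tokens.
function Get-RecentLogonTokens {
    param(
        [int]$MaxEvents = 200,
        # Wildcard on DOMAIN\user, e.g. "*IUSR_*" for IIS anonymous logons.
        [string]$UserFilter = "*"
    )

    # Standard Windows Logon Type values. 2 = Interactive is the one the
    # article quotes; 3 = Network and 4 = Batch are the other two token kinds.
    $logonTypeNames = @{ 2 = "Interactive"; 3 = "Network"; 4 = "Batch" }

    # Event 4624 = successful logon (requires the audit policy described in
    # the article and an elevated session to read the Security log).
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Pull the EventData fields by name from the event XML; the
            # message text has two "Account Name" fields, so XML is safer.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                $data[$d.GetAttribute("Name")] = $d.InnerText
            }

            $type  = [int]$data["LogonType"]
            $token = $logonTypeNames[$type]
            if (-not $token) { $token = "Other($type)" }

            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType     = $type
                Token         = $token
                # Only Interactive and Batch tokens can reach other computers.
                NetworkAccess = ($token -eq "Interactive") -or ($token -eq "Batch")
                LogonProcess  = $data["LogonProcessName"]
            }
        } |
        Where-Object { $_.User -like $UserFilter }
}

# Summarize the anonymous-account logons by the kind of token they produced.
Get-RecentLogonTokens -UserFilter "*IUSR_*" |
    Group-Object Token |
    Select-Object Name, Count
```

If the anonymous account shows only Logon Type 3 (Network) entries, Automatic Password Synchronization is in effect and UNC access from anonymous requests will fail, as the article explains; after disabling it or changing LogonMethod, new logons for that account should appear with type 2 or 4. Filter on the account used for Basic (Clear Text) authentication instead to check what LogonMethod is actually producing.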
Last Reviewed: August 8, 1999