Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?
From: C K (blah_at_blah.com)
Date: 02/17/04
- Next message: mwoplock: "Re: Issues with IIS6 and .Net"
- Previous message: Michael Noto [MSFT]: "RE: Won't copy files from Win Xp Pro installation disc"
- In reply to: David Wang [Msft]: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Next in thread: David Wang [Msft]: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Reply: David Wang [Msft]: "Re: IIS 6 ASP: Which Process Identity Is It Using? App Pool or Anon?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 16 Feb 2004 18:08:41 -0800
Hi David,
The COM object is an apartment model COM object (created with ATL) that is
created in the global.asa and assigned to session scope with the
<OBJECT RUNAT=Server SCOPE=Session ...>
command. (I do know that it is not recommended for apartment COM objects to
be assigned to session scope, but that is how the object was designed...
would this have any effect on impersonation identities?) Otherwise, the
COM object is not part of any MTS/COM+ package where you can configure the
identity it is running under.
As far as I know, the COM is not doing anything explicitly to specify any
change in privileges or security access rights. It is just performing what
is needed to be done, which is connecting to the remote server, d/ling the
data, and creating the memory mapped files in the data directory.
However, you mentioned that the COM actions are "completely subject to its
behavior, not ASP's"... But isn't the COM object running under the
impersonated account? In IIS 6.0, is that (by default) the IUSR account or
is it the application pool identity account?
Thanks.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uKGZuyt8DHA.2412@TK2MSFTNGP09.phx.gbl...
> ASP itself uses the impersonated identity, as described by documentation and
> verified through testing. Custom code that ASP runs, like your COM object,
> could be doing something else. Actions done by the custom code, like connect
> to a network server and d/l files, are completely subject to its behavior,
> not ASP's. It could cooperate with ASP's behavior, but it doesn't have to.
>
> Is the COM object configured to use the impersonated (IUSR) or process
> (TestService) identity? Do you know?
>
> For example, a COM object could be calling RevertToSelf(), which in older
> IIS gives it access to LocalSystem (in low isolation) or IWAM (in
> medium/high isolation). It will now be using "TestService" identity.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "C K" <blah@blah.com> wrote in message
> news:c0j6gt$moo$1@newstree.wise.edt.ericsson.se...
> Hi,
>
> It is actually not an upload application. When the web application first
> starts up, it will launch a COM object method that connects to a remote
> server and then syncs some information to its local store. This local store
> is in the form of some memory mapped files that are located in a data
> directory. That is what I find strange. I had thought that either the IUSR
> would need the write privileges or that both the IUSR and the TestService
> account would need write, but it is actually only the TestService account
> that matters.
>
> What actually happens is this: If everything works, the memory mapped files
> are created and have the correct data. If I do not give the TestService
> account modify/write privileges, then the memory mapped files are created in
> the directory, but they have no data in them. The routines to retrieve the
> data are in a statically linked dll that I do not maintain, so I do not know
> what kind of things it is doing. I just know that generally it connects to
> a remote server and retrieves data.
>
> In this case, I do not believe it has to do with the caching of the user
> tokens because after each NTFS permission change, I do an iisreset. I also
> have only anonymous authentication enabled as well -- no other auth is
> enabled.
>
> Thanks.
>
>
> "WenJun Zhang[msft]" <v-wzhang@online.microsoft.com> wrote in message
> news:OfEZtvh8DHA.1988@cpmsftngxa07.phx.gbl...
> > Hi C K,
> >
> > As I know, in this kind of scenario, both process identifier (i.e.
> > TestService) and thread identifier (IUSR_machinename) need to have write
> > permission on the upload folder. I have tested some similar web
> > applications as yours - using com dll in ASP pages to upload files
> > and the result was coincident.
> >
> > I doubt if the behavior you met is caused by IIS caching the IUSR
> > account's token. By default, IIS refreshes this kind of cache every
> > 15 mins:
> > 152526 Changing the Default Interval for User Tokens in IIS
> > http://support.microsoft.com/?id=152526
> >
> > Recycle the site's application pool or use iisreset to restart IIS to
> > test. Also, only enable anonymous access on this site to prevent the
> > possibility of IE auto finishing integrated auth with IIS. Will the
> > behavior persist?
> >
> > Have a nice day,
> >
> > WenJun Zhang
> > Microsoft Online Support
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > Get Secure! - www.microsoft.com/security
> >
>
>
>
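A small diagnostic that separates the two identities discussed in this thread (the impersonated thread identity ASP runs under versus the application pool identity the COM object may fall back to after something like RevertToSelf()). This is an added classic ASP page, not code from anyone in the thread: it reports the account the ASP request thread is running as (with only anonymous access enabled this should be IUSR_machinename) and attempts a file write in the data directory under that same identity. If this probe writes successfully while the COM object's memory mapped files still come out empty until TestService gets write access, the COM code is writing under the process identity rather than the ASP thread identity. The data directory path is an assumption and must be changed to the real one.

```vbscript
<%@ Language=VBScript %>
<%
' Added diagnostic page (not part of the original thread).
' Shows which account the ASP request thread runs under and whether that
' account can write to the COM object's data directory.
Option Explicit

Dim net, fso, probePath, ts
Const DATA_DIR = "D:\App\Data"   ' assumption: replace with the real data directory

' WScript.Network reports the user of the calling thread, i.e. the
' impersonated identity when ASP is impersonating (IUSR_machinename for
' anonymous access), not the w3wp.exe process identity (TestService).
Set net = Server.CreateObject("WScript.Network")
Response.Write "ASP thread identity: " & net.UserDomain & "\" & net.UserName & "<br>"

' Try to create and remove a probe file under the same thread identity.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
probePath = fso.BuildPath(DATA_DIR, "asp_write_probe.txt")

On Error Resume Next
Set ts = fso.CreateTextFile(probePath, True)
If Err.Number <> 0 Then
    Response.Write "Write to " & DATA_DIR & " as thread identity FAILED: " & Err.Description
    Err.Clear
Else
    ts.WriteLine "written by " & net.UserName & " at " & Now
    ts.Close
    fso.DeleteFile probePath
    Response.Write "Write to " & DATA_DIR & " as thread identity OK"
End If
On Error GoTo 0
%>
```

Run the page once with TestService granted write access to the directory and once without it, and compare the result with what the COM object produces in the same two states: a probe that succeeds in both runs while the COM object only fills its files in the first run confirms that the COM method's file writes are not happening under the impersonated IUSR account.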