Re: IIS5, non-anonymous access and process ownership


From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 07/20/04


Date: Tue, 20 Jul 2004 22:20:49 +1000


"chris harrison" <news@lowfield.com> wrote in message
news:40fcf45c$0$58821$bed64819@news.gradwell.net...
> Ken Schaefer wrote:
>
> > I think this is correct:
> >
> > The actual process identity for dllhost.exe is IWAM_<computername> - you can
> > set this in COM+
>
> The DLL is not registered in COM+ (and we'd prefer it didn't have to
> be). The config *used* to be such that the process identity for DLLHOST
> was the authenticated user.

I'm not talking about your .dll. I'm talking about IIS. IIS out-of-process
web applications (those that are set as medium or high isolation) are hosted
in COM+.

The process identity for the web application host (which is dllhost.exe) is
IWAM_<machinename>. This is set in COM+ (you can use the Component Services
MMC snapin to change this if you want).

Your DLL doesn't run in its own process (as far as I can tell), so it'll get
loaded inside the dllhost.exe that is servicing the IIS web application.

> > However, the actual thread that is used to access things has an identity
> > that IIS impersonates. If you enable anonymous auth, this would be
> > IUSR_<machinename>. If you enable Basic Auth, then this would be the
> > authenticated user. If you are using Integrated Authentication, then it may
> > be the authenticated user (for local resources), and it may be the process
> > identity or machine identity for remote resources unless you enable
> > delegation
>
> Sorry, I'm not sure I'm not completely following you; anonymous access
> is disabled, basic and integrated is enabled and it is for a local
> resource and is being shown as the IWAM_machinename (not the
> authenticated user - that's the old, correct behaviour).

What identity are you talking about? The actual process (dllhost.exe) has a
process identity that's configured in Component Services MMC. This doesn't
change based on who is authenticated (what if there are 100 authenticated
users? Which identity is dllhost.exe supposed to assume?). Instead, inside
the process there are threads that do work. These threads assume an
identity depending on what account IIS is impersonating - if you are denying
anonymous access, then this should be the user credentials that the remote
user has supplied. So, when a thread processes a page for UserA, it assumes
the identity of UserA. When a thread processes a request for UserB, it
impersonates UserB, and so on.

> Something has changed which is not related to my code and I'm wondering
> if it was a Microsoft auto-update.

I don't know any updates that have changed anything related to the
identities of IIS processes, or their threads. Such a change would break a
lot of applications methinks, and there'd be a lot of posts about it in the
forums! :-)

Cheers
Ken

> I've searched through MS' support KB, but to no avail (and I'm quite
> aware this could be through my search being flawed rather than it not
> being there).
>
> Of course, it might be something different, I was just wondering if
> anyone else had seen this issue.
>
>
> thanks.
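Ken's point is that the dllhost.exe process identity lives in the COM+ catalog, separate from whatever user a request thread impersonates. The script below is an added example (not from this thread) that reads those identities through the COMAdmin catalog API; it assumes COM+ is installed locally and that the IIS packages carry "IIS" in their names (e.g. "IIS Out-Of-Process Pooled Applications"), which is a filter you may need to adjust.

```powershell
# Added example, not from the original post: list the identity each COM+
# application (and therefore its dllhost.exe) runs as, so the IIS
# out-of-process packages can be checked against least privilege.
function Get-ComPlusApplicationIdentity {
    param(
        # Assumption: IIS names its COM+ packages with "IIS" in the name.
        [string]$NameFilter = 'IIS'
    )

    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps    = $catalog.GetCollection('Applications')
    $apps.Populate()

    foreach ($app in $apps) {
        if ($app.Name -notlike "*$NameFilter*") { continue }

        # 'Identity' is the account dllhost.exe starts as: a named account
        # such as MACHINE\IWAM_MACHINE, or 'Interactive User'. Request
        # threads inside that process still impersonate the IIS caller.
        $identity = $app.Value('Identity')

        # Activation 1 = server application (own dllhost.exe),
        # Activation 0 = library application (loaded into the caller).
        $activation = if ($app.Value('Activation') -eq 1) { 'Server' } else { 'Library' }

        $note = ''
        if ($identity -eq 'Interactive User') {
            $note = 'runs as whoever is logged on at the console; not a fixed account'
        }
        elseif ($identity -match 'Administrator|SYSTEM') {
            $note = 'high-privilege process identity; verify this is intended'
        }

        [pscustomobject]@{
            Application = $app.Name
            Activation  = $activation
            Identity    = $identity
            Note        = $note
        }
    }
}

Get-ComPlusApplicationIdentity | Format-Table -AutoSize
```

Run it in an elevated session on the IIS host; the Identity column is the value Component Services shows on each package's Identity tab.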


