Re: IIS error with ISAPI and virtual directory to remote svr .. 40

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/09/04


Date: Fri, 8 Oct 2004 18:28:32 -0700

Ok, I am still a bit confused, so let me reiterate in more concrete terms
what you are saying:

You have three machines involved:
1. User/browser on machine A
2. Web Server on machine B
3. Actual resource on machine C

You want A to authenticate to B, and then have those credentials be
"passed-through" to access resources on C.

This scenario is natively supported by IIS6. It seems like your setup is a
convoluted way to do this on IIS5, so it may/not work -- it depends on how
well your ISAPI developer understood the security implications of what was
happening. In particular, with some authentication protocols, your ISAPI
cannot impersonate user A to access resources on server C -- so your
configuration may have haphazardly worked on IIS5 but is by no means the
"right" configuration.

Until you locate the corresponding entry to the 403 response in a log file,
everything is speculation. You should find the 403 error in the web log
files on machine B. Now, since an ISAPI is involved, it is possible that it
causes IIS to log the incorrect error code (i.e. the ISAPI returns a 403
response, but it logs some other error code) -- so you may need to
individually isolate the log entry by:
1. Run this on an idle system (so you control all requests being logged)
2. Make the request that results in the 403
3. Then immediately stop IIS (NET STOP W3SVC). This will immediately flush
the log entry to disk
4. Go look in the web log files. The last entry should correspond to the 403
that you see.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Rob" <Rob@discussions.microsoft.com> wrote in message
news:BDBFA838-3430-43A4-B7D8-8A526072842F@microsoft.com...
let me see if i can explain this differently.. i am a bit gray on this as
well but here goes.. we have 3 servers.. a, b, c.. when the user (user a)
connects to ISAPI on the IIS server (a to b) the ISAPI then connects (or
IIS?) connects to the virtual directory (on b) looking to pull files from a
remote file server (c).. instead of using the 'connect as' user on the
virtual directory it impersonates with 'user a''s account for security
reasons.  this way each connection is using authorized users and not the
'connect as' user... somewhere in the ISAPI function .. believed to be after
the authentication of the user (on server a) but before the remote files are
seen (on c) we receive a 403 error.. this error does not show in the audit
logs or IIS logs.  it may be easy to say that it's our ISAPI function but i
have to make sure that it's not IIS 6.0 and any new security added to it..
remember this does not happen when the exact setup is used on IIS 5.0..
that's why i need to check everywhere in IIS to make sure that it's not that..
"David Wang [Msft]" wrote:
> No, if the response was handled by the ISAPI, you will see a log entry.
> IIS6 buffers log entries for about a minute before flushing it to disk, so
> you will have to wait for it to show up.  If you cannot get a log entry,
> then the problem is not with IIS.
>
> Are we talking about ISAPI Extension or ISAPI Filter here?
>
> I have no idea what you mean by:
> "this ISAPI works fine when directory is local .. only on  a remote server i
> have issue.."
> "it seems to fail when it sends its request or challenge response to the
> virtual directory.."
>
> ISAPI does not send requests nor challenge response to any virtual
> directory.
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Rob" <Rob@discussions.microsoft.com> wrote in message
> news:821E208C-7AB7-4291-87E8-35C4550B2157@microsoft.com...
> well thats another story.. this is not showing up in the logs... nothing..
>
> UPDATE... the ISAPI is local to the IIS6 server not in the virtual directory
> as i may have led to in the first post.. it seems to fail when it sends its
> request or challenge response to the virtual directory..
>
> "David Wang [Msft]" wrote:
>
> > Please give the web log entry for the request that results in 403 -- 
> > %SYSTEMROOT%\System32\LogFiles\W3SVC#\*.log
> >
> > I want the HTTP status (403), substatus (??), and Win32 error (??) of that
> > failing request.
> >
> > -- 
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "Rob" <Rob@discussions.microsoft.com> wrote in message
> > news:343628BA-B06D-42A7-871E-C3ABA2AD6DFE@microsoft.com...
> > all.
> >
> > settings: 2003 server standard..iis in 5.0 isolation mode.. all processes
> > low.. virtual directory on 2000 server (or any other OS doesn't seem to
> > matter).
> >
> > i have a 403 error when trying to access a virtual directory when using
> > ISAPI.. i can browse the directory fine with IIS in IE.. but when ISAPI is
> > used my challenge response is rejected with 403.. i have changed just about
> > everything to anonymous and windows integrated and still nothing.. i need
> > setting of not using anonymous and windows integrated security.. this ISAPI
> > works fine with iis5 on 2000 server.. when moved to 2003 it bails.. this
> > ISAPI works fine when directory is local .. only on  a remote server i have
> > issue..
> >
> > r
> >
> >
> >
>
>
>
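
Added example, not part of the original thread or written by its participants: a small Python reader for the W3C extended log that pulls the HTTP status, substatus and Win32 error from the last logged request, the entry the stop-and-flush procedure above isolates. The function names and the sample log are constructed for illustration; the field names (`sc-status`, `sc-substatus`, `sc-win32-status`) are the standard ones IIS writes in its `#Fields` directive.

```python
import io

# Win32 codes often logged beside access failures (a small subset, not exhaustive).
WIN32_NAMES = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE"}

# Constructed sample log (not from the thread). The second #Fields line mimics a
# service restart that changed the logged columns part-way through the file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2004-10-08 18:20:05 GET /default.htm - 192.0.2.10 200 0 0
#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus sc-win32-status
2004-10-08 18:21:12 GET /files/report.doc EXAMPLE\\usera 401 3 5
"""

def parse_entries(stream):
    """Return each request line as a dict keyed by the #Fields in force at that line."""
    fields, entries = [], []
    for raw in stream:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                entries.append(dict(zip(fields, values)))
    return entries

def last_entry_status(stream, seen_by_client=403):
    """Summarise the final logged request, the one flushed by stopping W3SVC."""
    entries = parse_entries(stream)
    if not entries:
        return None
    last = entries[-1]
    def num(key):
        value = last.get(key, "-")
        return int(value) if value.isdigit() else None
    win32 = num("sc-win32-status")
    return {
        "uri": last.get("cs-uri-stem"),
        "status": num("sc-status"),
        "substatus": num("sc-substatus"),
        "win32": win32,
        "win32_name": WIN32_NAMES.get(win32, "unknown"),
        # False means the logged code differs from what the browser showed.
        "matches_client": num("sc-status") == seen_by_client,
    }

if __name__ == "__main__":
    print(last_entry_status(io.StringIO(SAMPLE_LOG)))
```

To run it against a real log, pass an open file from `%SYSTEMROOT%\System32\LogFiles\W3SVC#\` instead of the `io.StringIO` sample.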

