Re: IIS 6 & Server Permisions

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/11/04 

Date: Wed, 10 Nov 2004 20:30:29 -0800

I suggest you revert all your changes and start troubleshooting your
symptoms/configuration BEFORE making any system changes. It is possible for
your system changes to be insecure or otherwise prevent other software from
functioning in random ways, so -- you have been warned.

Now, is this Java application running on the Web Server or the Web Browser.
In other words, does it run on the server, generate HTML, and send the HTML
back to the client, or does it run on the client and dynamically display
data?

If it is supposed to be running on the Web Server, then you need to
configure a Web Service Extension as well as an Application Scriptmap to
instruct IIS to launch the Java environment to handle the Java requests.
You do the exact same things on all IIS versions, and IIS6 requires the
additional Web Service Extension step.

If it is supposed to be running on the Web Browser, then you need to
configure IIS to allow the files which constitute the Java applet to be
downloadable to the client (i.e. allow .class , .jar files to be
downloadable by adding them to the MIME Type of the website). This is also
exactly the same on all IIS versions, and IIS6 requires the MIME Type step
to allow file download.

Finally, where is the Applet trying to store the hit counters? If it is
storing it in a location it doesn't have access to, then it will fail, and
that is by-design.

My suspicion is that when you browse the applet from the directory, it
launches with your credentials, and it writes its counters SOMEWHERE on the
system (I have no idea where) using your credentials -- and if you run with
administrative privileges, it likely works.

If this applet is running on the Web Browser, it should behave similarly
(since your credentials will be used to download/retrieve the applet from
the Web Server and launched on the client -- basically the same as the
working situation).

If this applet is running on the Web Server, it will now be running as some
configured identity (unknown, since it depends on configuration), and it
tries to write those counters SOMEWHERE using that credential -- and it
likely fails on IIS6 since it runs as an unprivileged user by default. One
alternative, of course, is to run IIS6 with a very privileged user so that
bad code like your applet works, but realize that you are increasing your
security risk. The other is to change the ACL on the resource such that it
is accessible to a more unprivileged user, and once again, you potentially
increase your security risk, depending on the location of the resource.

Bottom line: IIS6 runs in a secure configuration and require you to make the
correct security decisions to obtain the functionality you want. The user
has a significant responsibility in maintaining their server's security.
Believe it or not, most existing software are not exactly secure, and if
they are not designed with a secured server in mind, it likely fails in
random ways. 

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Joe Milli" <Joe Milli@discussions.microsoft.com> wrote in message
news:1EF5474E-1584-4FC1-B233-6D008452F61A@microsoft.com...
Waite a minute, I'm having similar problems also and enjoy the banter on
this
thread probably because I have little experience W/IIS6.
 I am running a simple java applet hitcounter that works great when browsed
to from the directory, but in IIS6 2003 Server it doesn't count. I have
opened security as much as I can with no results. I was wondering if it had
something to do with Web Server Extensions. No extensions were listed for
java or class. I'm bewildered.
"David Wang [Msft]" wrote:
> Hanging does not sound like a permissions problem.  If code doesn't have
> permissions to do something, it is an immediate "access denied" sort of
> failure.  The OS isn't going to ponder about it.
>
> It sounds like maybe the Java component has retry logic on failures, so
when
> it is failing now (possibly due to permissions), it is infinitely
> retrying -- thus looking like a hang.  Can you figure out if the hang
> happens when trying to instantiate the wrapper or when invoking a method
(so
> that you can narrow down the problem and hopefully you have source code to
> this component).
>
> If you wrote this component, I suggest debugging its sources.  If this
> component comes from someone else, I suggest obtaining support for it.  I
> have no idea what permissions this component requires, so it is not clear
> what needs to be added.
>
> ASP uses the impersonated identity to execute pages, so if you say that
your
> user identity can make it work from vbscript on this server, then you
should
> try disabling Anonymous authentication and enabling Basic Authentication
on
> the vdir containing this ASP page, browse to it using your user identity
(so
> request should be authenticated using your user identity -- very similar
to
> when you execute the code from vbscript), and see what happens.
>
> If Basic auth still fails, then I suspect it is because the token obtained
> by IIS is not exactly the same token you have -- in particular, your user
> token is "Interactive Logon" (i.e. you hit Ctrl-Alt-Del and logged
yourself
> onto the machine) while the IIS-obtained token is "Network Logon".  Some
> files on the system are distinguish between these logon types -- maybe
they
> are causing your issues.  For example, CMD.EXE is accessible to
"Interactive
> Logon" users but NOT "Network Logon" users -- thus it is normally
> inaccessible from IIS.  This is a by-design security feature on Windows
> Server 2003.
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Aubrey" <Aubrey@discussions.microsoft.com> wrote in message
> news:9768BC6B-39E2-450D-B5B3-DEADE93AD504@microsoft.com...
> Hi there,
>
> I'm having the same problem, maybe some else could contribute to a
solution.
>
> I'm using ASP pages on Windows 2003, previously on Windows 2000 where i
was
> instantiating a java component with an ActiveX wrapper. I have tested this
> by
> using a vbs script to call the component and it works as expected, but
> unfortunately not when called from within the ASP page served by IIS6.
> Noting
> happens the pages, it just hangs.
>
> If it's a permission setting how will i change it, since the component
isn't
> registered in COM+? Or do i have to add read and execute to the entire JRE
> folder?
>
> Thanks
> Aubrey
>
>
>
> "GingerNinja" wrote:
>
> > > I'm sorry, but I cannot just tell you the answer. I'd rather
> > > people take information, learn, and figure it out.
> >
> > Who do you think you are Yoda?!?!?
> >
> > >I'm sorry if you think it was a waste of your time because
> > >you simply expected direct answers to your questions.
> >
> > WHAT!!! Why would I ask a question if I didnt want a direct answer its
> > not:
> > microsoft.public.iwantvagueanswerstomyquestions.nothelpfullsoltuions
> >
> > Seriously I think this thread is in danger of becomming a slanging
> > match... I'm sure your a nice guy David and I'm sure your just trying to
> > help, and for what its worth I DO appreciate you responding to my
> > thread, afterall you dont have to, right?
> >
> > But I personally think that if you know the answer to a question you
> > should give it, tell them the caveats (if there are any) and let them
> > deal with the consequences, its THEIR choice.
> >
> > For me personally I needed a solution as quickly as possible. For now,
> > at least we have a solution and I will be considering removing that
> > section completely and finding an alternative, I never liked it to begin
> > with and now I have the breathing room to find a more "elegant" secure
> > solution.
> >
> > *** Sent via Developersdex http://www.developersdex.com ***
> > Don't just participate in USENET...get rewarded for it!
> >
>
>
>