Re: IIS 6 & Server Permisions

From: Joe Milli (JoeMilli_at_discussions.microsoft.com)
Date: 11/12/04 

Date: Fri, 12 Nov 2004 11:38:02 -0800

Thank you Dave. I am running a server side applett. Please direct me to a
link where I can find the correct changes to make in IIS6. I think this is
where Im failing as mentioned earlier. Plus, I dont know IIS and am finding
it difficult to locate pertinent information on this subject. I have MS Win
Server 2003 Administrators Companion (book), and looked through many sites
and see only general information. As mentioned earlier I agree, its related
to the Web Sevices Ext and ? App-scrptmap as you pointed out. But what
changes do I need? Also, I think we all can agree that security is of major
inportance.
jm

"David Wang [Msft]" wrote:

> I suggest you revert all your changes and start troubleshooting your
> symptoms/configuration BEFORE making any system changes. It is possible for
> your system changes to be insecure or otherwise prevent other software from
> functioning in random ways, so -- you have been warned.
>
> Now, is this Java application running on the Web Server or the Web Browser.
> In other words, does it run on the server, generate HTML, and send the HTML
> back to the client, or does it run on the client and dynamically display
> data?
>
> If it is supposed to be running on the Web Server, then you need to
> configure a Web Service Extension as well as an Application Scriptmap to
> instruct IIS to launch the Java environment to handle the Java requests.
> You do the exact same things on all IIS versions, and IIS6 requires the
> additional Web Service Extension step.
>
> If it is supposed to be running on the Web Browser, then you need to
> configure IIS to allow the files which constitute the Java applet to be
> downloadable to the client (i.e. allow .class , .jar files to be
> downloadable by adding them to the MIME Type of the website). This is also
> exactly the same on all IIS versions, and IIS6 requires the MIME Type step
> to allow file download.
>
> Finally, where is the Applet trying to store the hit counters? If it is
> storing it in a location it doesn't have access to, then it will fail, and
> that is by-design.
>
>
> My suspicion is that when you browse the applet from the directory, it
> launches with your credentials, and it writes its counters SOMEWHERE on the
> system (I have no idea where) using your credentials -- and if you run with
> administrative privileges, it likely works.
>
> If this applet is running on the Web Browser, it should behave similarly
> (since your credentials will be used to download/retrieve the applet from
> the Web Server and launched on the client -- basically the same as the
> working situation).
>
> If this applet is running on the Web Server, it will now be running as some
> configured identity (unknown, since it depends on configuration), and it
> tries to write those counters SOMEWHERE using that credential -- and it
> likely fails on IIS6 since it runs as an unprivileged user by default. One
> alternative, of course, is to run IIS6 with a very privileged user so that
> bad code like your applet works, but realize that you are increasing your
> security risk. The other is to change the ACL on the resource such that it
> is accessible to a more unprivileged user, and once again, you potentially
> increase your security risk, depending on the location of the resource.
>
>
> Bottom line: IIS6 runs in a secure configuration and require you to make the
> correct security decisions to obtain the functionality you want. The user
> has a significant responsibility in maintaining their server's security.
> Believe it or not, most existing software are not exactly secure, and if
> they are not designed with a secured server in mind, it likely fails in
> random ways.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Joe Milli" <Joe Milli@discussions.microsoft.com> wrote in message
> news:1EF5474E-1584-4FC1-B233-6D008452F61A@microsoft.com...
> Waite a minute, I'm having similar problems also and enjoy the banter on
> this
> thread probably because I have little experience W/IIS6.
> I am running a simple java applet hitcounter that works great when browsed
> to from the directory, but in IIS6 2003 Server it doesn't count. I have
> opened security as much as I can with no results. I was wondering if it had
> something to do with Web Server Extensions. No extensions were listed for
> java or class. I'm bewildered.
>
>
> "David Wang [Msft]" wrote:
>
> > Hanging does not sound like a permissions problem. If code doesn't have
> > permissions to do something, it is an immediate "access denied" sort of
> > failure. The OS isn't going to ponder about it.
> >
> > It sounds like maybe the Java component has retry logic on failures, so
> when
> > it is failing now (possibly due to permissions), it is infinitely
> > retrying -- thus looking like a hang. Can you figure out if the hang
> > happens when trying to instantiate the wrapper or when invoking a method
> (so
> > that you can narrow down the problem and hopefully you have source code to
> > this component).
> >
> > If you wrote this component, I suggest debugging its sources. If this
> > component comes from someone else, I suggest obtaining support for it. I
> > have no idea what permissions this component requires, so it is not clear
> > what needs to be added.
> >
> > ASP uses the impersonated identity to execute pages, so if you say that
> your
> > user identity can make it work from vbscript on this server, then you
> should
> > try disabling Anonymous authentication and enabling Basic Authentication
> on
> > the vdir containing this ASP page, browse to it using your user identity
> (so
> > request should be authenticated using your user identity -- very similar
> to
> > when you execute the code from vbscript), and see what happens.
> >
> > If Basic auth still fails, then I suspect it is because the token obtained
> > by IIS is not exactly the same token you have -- in particular, your user
> > token is "Interactive Logon" (i.e. you hit Ctrl-Alt-Del and logged
> yourself
> > onto the machine) while the IIS-obtained token is "Network Logon". Some
> > files on the system are distinguish between these logon types -- maybe
> they
> > are causing your issues. For example, CMD.EXE is accessible to
> "Interactive
> > Logon" users but NOT "Network Logon" users -- thus it is normally
> > inaccessible from IIS. This is a by-design security feature on Windows
> > Server 2003.
> >
> > --
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > //
> > "Aubrey" <Aubrey@discussions.microsoft.com> wrote in message
> > news:9768BC6B-39E2-450D-B5B3-DEADE93AD504@microsoft.com...
> > Hi there,
> >
> > I'm having the same problem, maybe some else could contribute to a
> solution.
> >
> > I'm using ASP pages on Windows 2003, previously on Windows 2000 where i
> was
> > instantiating a java component with an ActiveX wrapper. I have tested this
> > by
> > using a vbs script to call the component and it works as expected, but
> > unfortunately not when called from within the ASP page served by IIS6.
> > Noting
> > happens the pages, it just hangs.
> >
> > If it's a permission setting how will i change it, since the component
> isn't
> > registered in COM+? Or do i have to add read and execute to the entire JRE
> > folder?
> >
> > Thanks
> > Aubrey
> >
> >
> >
> > "GingerNinja" wrote:
> >
> > > > I'm sorry, but I cannot just tell you the answer. I'd rather
> > > > people take information, learn, and figure it out.
> > >
> > > Who do you think you are Yoda?!?!?
> > >
> > > >I'm sorry if you think it was a waste of your time because
> > > >you simply expected direct answers to your questions.
> > >
> > > WHAT!!! Why would I ask a question if I didnt want a direct answer its
> > > not:
> > > microsoft.public.iwantvagueanswerstomyquestions.nothelpfullsoltuions
> > >
> > > Seriously I think this thread is in danger of becomming a slanging
> > > match... I'm sure your a nice guy David and I'm sure your just trying to
> > > help, and for what its worth I DO appreciate you responding to my
> > > thread, afterall you dont have to, right?
> > >
> > > But I personally think that if you know the answer to a question you
> > > should give it, tell them the caveats (if there are any) and let them
> > > deal with the consequences, its THEIR choice.
> > >
> > > For me personally I needed a solution as quickly as possible. For now,
> > > at least we have a solution and I will be considering removing that
> > > section completely and finding an alternative, I never liked it to begin
> > > with and now I have the breathing room to find a more "elegant" secure
> > > solution.
> > >
> > > *** Sent via Developersdex http://www.developersdex.com ***
> > > Don't just participate in USENET...get rewarded for it!
> > >
> >
> >
> >
>
>
>