Re: IIS 6 & Server Permisions

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/13/04 

Date: Fri, 12 Nov 2004 17:44:49 -0800

Java Servlets are executed via Java Servlet Engines, which are extensions
that hook into IIS as Web Service Extensions to help IIS execute Java
programs (which must run in the JVM). You need to install and configure a
Java Servlet Engine on IIS. A free implementation is Apache Tomcat (please
search for the URL), which can both run independently as well as in Apache
or IIS, all having their own configuration instructions to follow. Other
vendors sell their own implementation as well.

I doubt this sort of stuff would be in any MS documentation -- you are
talking about 3rd party integration, and there's literally millions of such
possibilities -- so this is the sort of thing you'd search the web/community
to find how people use IIS to do various things. 

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Joe Milli" <JoeMilli@discussions.microsoft.com> wrote in message
news:12F512DA-DB86-4FF6-A90B-5BD3EBD090ED@microsoft.com...
Thank you Dave. I am running a server side applett. Please direct me to a
link where I can find the correct changes to make in IIS6. I think this is
where Im failing as mentioned earlier. Plus, I dont know IIS and am finding
it difficult to locate pertinent information on this subject. I have MS Win
Server 2003 Administrators Companion (book), and looked through many sites
and see only general information. As mentioned earlier I agree, its related
to the Web Sevices Ext and ? App-scrptmap as you pointed out.  But what
changes do I need? Also, I think we all can agree that security is of major
inportance.
jm
"David Wang [Msft]" wrote:
> I suggest you revert all your changes and start troubleshooting your
> symptoms/configuration BEFORE making any system changes.  It is possible
for
> your system changes to be insecure or otherwise prevent other software
from
> functioning in random ways, so -- you have been warned.
>
> Now, is this Java application running on the Web Server or the Web
Browser.
> In other words, does it run on the server, generate HTML, and send the
HTML
> back to the client, or does it run on the client and dynamically display
> data?
>
> If it is supposed to be running on the Web Server, then you need to
> configure a Web Service Extension as well as an Application Scriptmap to
> instruct IIS to launch the Java environment to handle the Java requests.
> You do the exact same things on all IIS versions, and IIS6 requires the
> additional Web Service Extension step.
>
> If it is supposed to be running on the Web Browser, then you need to
> configure IIS to allow the files which constitute the Java applet to be
> downloadable to the client (i.e. allow .class , .jar files to be
> downloadable by adding them to the MIME Type of the website).  This is
also
> exactly the same on all IIS versions, and IIS6 requires the MIME Type step
> to allow file download.
>
> Finally, where is the Applet trying to store the hit counters?  If it is
> storing it in a location it doesn't have access to, then it will fail, and
> that is by-design.
>
>
> My suspicion is that when you browse the applet from the directory, it
> launches with your credentials, and it writes its counters SOMEWHERE on
the
> system (I have no idea where) using your credentials -- and if you run
with
> administrative privileges, it likely works.
>
> If this applet is running on the Web Browser, it should behave similarly
> (since your credentials will be used to download/retrieve the applet from
> the Web Server and launched on the client -- basically the same as the
> working situation).
>
> If this applet is running on the Web Server, it will now be running as
some
> configured identity (unknown, since it depends on configuration), and it
> tries to write those counters SOMEWHERE using that credential -- and it
> likely fails on IIS6 since it runs as an unprivileged user by default.
One
> alternative, of course, is to run IIS6 with a very privileged user so that
> bad code like your applet works, but realize that you are increasing your
> security risk. The other is to change the ACL on the resource such that it
> is accessible to a more unprivileged user, and once again, you potentially
> increase your security risk, depending on the location of the resource.
>
>
> Bottom line: IIS6 runs in a secure configuration and require you to make
the
> correct security decisions to obtain the functionality you want. The user
> has a significant responsibility in maintaining their server's security.
> Believe it or not, most existing software are not exactly secure, and if
> they are not designed with a secured server in mind, it likely fails in
> random ways.
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Joe Milli" <Joe Milli@discussions.microsoft.com> wrote in message
> news:1EF5474E-1584-4FC1-B233-6D008452F61A@microsoft.com...
> Waite a minute, I'm having similar problems also and enjoy the banter on
> this
> thread probably because I have little experience W/IIS6.
>  I am running a simple java applet hitcounter that works great when
browsed
> to from the directory, but in IIS6 2003 Server it doesn't count. I have
> opened security as much as I can with no results. I was wondering if it
had
> something to do with Web Server Extensions. No extensions were listed for
> java or class. I'm bewildered.
>
>
> "David Wang [Msft]" wrote:
>
> > Hanging does not sound like a permissions problem.  If code doesn't have
> > permissions to do something, it is an immediate "access denied" sort of
> > failure.  The OS isn't going to ponder about it.
> >
> > It sounds like maybe the Java component has retry logic on failures, so
> when
> > it is failing now (possibly due to permissions), it is infinitely
> > retrying -- thus looking like a hang.  Can you figure out if the hang
> > happens when trying to instantiate the wrapper or when invoking a method
> (so
> > that you can narrow down the problem and hopefully you have source code
to
> > this component).
> >
> > If you wrote this component, I suggest debugging its sources.  If this
> > component comes from someone else, I suggest obtaining support for it.
I
> > have no idea what permissions this component requires, so it is not
clear
> > what needs to be added.
> >
> > ASP uses the impersonated identity to execute pages, so if you say that
> your
> > user identity can make it work from vbscript on this server, then you
> should
> > try disabling Anonymous authentication and enabling Basic Authentication
> on
> > the vdir containing this ASP page, browse to it using your user identity
> (so
> > request should be authenticated using your user identity -- very similar
> to
> > when you execute the code from vbscript), and see what happens.
> >
> > If Basic auth still fails, then I suspect it is because the token
obtained
> > by IIS is not exactly the same token you have -- in particular, your
user
> > token is "Interactive Logon" (i.e. you hit Ctrl-Alt-Del and logged
> yourself
> > onto the machine) while the IIS-obtained token is "Network Logon".  Some
> > files on the system are distinguish between these logon types -- maybe
> they
> > are causing your issues.  For example, CMD.EXE is accessible to
> "Interactive
> > Logon" users but NOT "Network Logon" users -- thus it is normally
> > inaccessible from IIS.  This is a by-design security feature on Windows
> > Server 2003.
> >
> > -- 
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > //
> > "Aubrey" <Aubrey@discussions.microsoft.com> wrote in message
> > news:9768BC6B-39E2-450D-B5B3-DEADE93AD504@microsoft.com...
> > Hi there,
> >
> > I'm having the same problem, maybe some else could contribute to a
> solution.
> >
> > I'm using ASP pages on Windows 2003, previously on Windows 2000 where i
> was
> > instantiating a java component with an ActiveX wrapper. I have tested
this
> > by
> > using a vbs script to call the component and it works as expected, but
> > unfortunately not when called from within the ASP page served by IIS6.
> > Noting
> > happens the pages, it just hangs.
> >
> > If it's a permission setting how will i change it, since the component
> isn't
> > registered in COM+? Or do i have to add read and execute to the entire
JRE
> > folder?
> >
> > Thanks
> > Aubrey
> >
> >
> >
> > "GingerNinja" wrote:
> >
> > > > I'm sorry, but I cannot just tell you the answer. I'd rather
> > > > people take information, learn, and figure it out.
> > >
> > > Who do you think you are Yoda?!?!?
> > >
> > > >I'm sorry if you think it was a waste of your time because
> > > >you simply expected direct answers to your questions.
> > >
> > > WHAT!!! Why would I ask a question if I didnt want a direct answer its
> > > not:
> > > microsoft.public.iwantvagueanswerstomyquestions.nothelpfullsoltuions
> > >
> > > Seriously I think this thread is in danger of becomming a slanging
> > > match... I'm sure your a nice guy David and I'm sure your just trying
to
> > > help, and for what its worth I DO appreciate you responding to my
> > > thread, afterall you dont have to, right?
> > >
> > > But I personally think that if you know the answer to a question you
> > > should give it, tell them the caveats (if there are any) and let them
> > > deal with the consequences, its THEIR choice.
> > >
> > > For me personally I needed a solution as quickly as possible. For now,
> > > at least we have a solution and I will be considering removing that
> > > section completely and finding an alternative, I never liked it to
begin
> > > with and now I have the breathing room to find a more "elegant" secure
> > > solution.
> > >
> > > *** Sent via Developersdex http://www.developersdex.com ***
> > > Don't just participate in USENET...get rewarded for it!
> > >
> >
> >
> >
>
>
>
Loading