Re: Under what credentials does a web-page run?

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Tom Kaminski [MVP] ((A_at_T))
Date: 02/10/05 

Date: Thu, 10 Feb 2005 09:01:34 -0500

"Ron Rosenkoetter" <RonRosenkoetter@discussions.microsoft.com> wrote in
message news:92134E2C-744C-423F-A319-A2CC268AC3CB@microsoft.com...
> > Windows Server 2003, IIS 6
> >
> > I'm teaching myself some basic ASP (i'm very good at VBScript, but I'm
very
> > new to using it in a web environment).
> >
> > As a test, I have a very basic page that connects to a Group object in
AD,
> > and returns its name.
> >
> > When the page is set to anonymous using the local IUSR account, I cannot
> > create the Group object (which makes sense to me). When I change the
> > anonymous connection to use a domain account, it works fine.
> >
> > However, when I turn off anonymous access, and use Integrated Windows,
I
> > can no longer create the group object. I'm logged into my Windows XP
(SP1)
> > machine as a domain administrator. I've verified that my account is
being
> > authenticated by the web-page using the Server variable REMOTE_USER.
> >
> > Basically my question is... what credentials does a web-page run under
when
> > set to Integrated Windows authentication instead of an account for
anonymous
> > use?
> Okay, more information.
>
> If I set the authentication method to basic, it works fine. Any ideas?
>

Sounds like a delegation problem. With Windows Integrated authentication,
the password is not actually sent to IIS. Because of this, IIS can't in
turn authenticate you to a third machine. Basic authentication actually
sends the password so IIS has it and can use it to authenticate to other
machines. This explains it (although it's for IIS5):
http://support.microsoft.com/?id=158229

Some discussion for IIS6 (but for ASP.NET):
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Relevant Pages

  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... I didn't realise the Web Sites folder in IIS manager threw up a global ... sure that Basic Authentication is allowed to function on your server. ... ACCOUNTNAME, this is the account that I am trying to grant access to: ... Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL ...
    (microsoft.public.inetserver.iis.security)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... On the IIS directory security tab, anonymous access is disabled, digest ... authentication is disabled, integrated authentication is disabled and basic ... account created has full permissions for the folder and the file that's in it. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... Just as a check I used NET USER /ADD on my test account and as expected ... The password dialog is supposed to appear for Basic authentication ... Thinking more esoterically now -- what are the login rights assigned ... IIS uses a specific login type, ...
    (microsoft.public.inetserver.iis.security)
  • Re: Windows Authentication problem with IIS6 (Win2k3)
    ... Authentication Protocol is Integrated ... Jeff - Thank you SOOOOO much - your suggestion to check out the IIS ... regardless of the IE setting regarding Enabling Integrated Windows ... >>I believe the problem to be something related to the Kerberos technology, ...
    (microsoft.public.inetserver.iis)
  • Re: Windows Authentication problem with IIS6 (Win2k3)
    ... Authentication Protocol is Integrated ... Jeff - Thank you SOOOOO much - your suggestion to check out the IIS ... regardless of the IE setting regarding Enabling Integrated Windows ... >>I believe the problem to be something related to the Kerberos technology, ...
    (microsoft.public.inetserver.iis.security)