How to access network files from IIS applications
Although this article is written primarily in the context of accessing files on network shares, the same concepts apply to named-pipe connections as well. Named pipes are frequently used for SQL Server connections and also for remote procedure call (RPC) and Component Object Model (COM) communications. In particular, if you connect to a SQL Server across the network that is configured to use Microsoft Windows NT Integrated Security, you cannot connect because of the issues that are outlined in this article. RPC and COM may also use other communication mechanisms that have similar network authentication schemes. Therefore, the concepts in this article can apply to a wide variety of network communication mechanisms that may be used from your IIS applications.
Authentication and impersonation types
When IIS services an HTTP request, IIS performs impersonation so that access to resources to handle the request is limited appropriately. The impersonated security context is based on the kind of authentication performed for the request. The five different types of authentication available from IIS 4.0 are:

Authentication Type                                                              Impersonation Type
Anonymous Access (no authentication), Auto Password Synchronization ON (default)  Network
Anonymous Access (no authentication), Auto Password Synchronization OFF           IIS Clear Text
Basic Authentication                                                              IIS Clear Text
NT Challenge/Response Authentication                                              Network
Client SSL Certificate Mapping                                                    Interactive
Token types
Whether or not access to network resources is permitted depends on the kind of impersonation token under which the request is being processed.
- Network tokens are NOT permitted to access network resources. (Network tokens are named so because this kind of token is traditionally created by a server when a user is authenticated across the network. To allow the server to use a network token to act as a network client and access another server is called "delegation" and is considered a possible security hole.)
- Interactive tokens are traditionally used when authenticating a local user on the computer. Interactive tokens are permitted to access resources across the network.
- Batch tokens are designed to provide a security context under which batch jobs run. Batch tokens have network access.
Anonymous access impersonates the account configured as the anonymous user for the request. By default, IIS has a single anonymous user account called IUSR_<machinename> that is impersonated when handling a non-authenticated request. By default IIS 4.0 has a configurable feature called "Enable Automatic Password Synchronization" that uses a security sub-authority to create the token. Tokens that are created in this manner are network tokens which do NOT have access to other computers on the network. If you disable Automatic Password Synchronization, IIS creates the token in the same manner as the Clear Text logon mentioned earlier. Automatic Password Synchronization is only available for accounts that are located on the same computer as IIS. Therefore, if you change your anonymous account to a domain account, you cannot use Automatic Password Synchronization and you receive a Clear Text logon. The exception is if you install IIS on your Primary Domain Controller. In this case, the domain accounts are on the local computer. The anonymous account and the Automatic Password Synchronization option can be configured at the server, the site, the virtual directory, the directory, or the file level.
Having the correct type of token is only the first step in accessing a resource on the network. You must also impersonate an account that has access to the resource across the network. By default, the IUSR_<machinename> account that IIS creates for anonymous requests exists only on the local computer. Even if you disable Automatic Password Synchronization so that you get an Interactive token that can access network resources, the IUSR_<machinename> account typically does not have access to most network resources because it is a local account that other computers do not recognize. If you want to access network resources with anonymous requests, you must replace the default account with an account in a domain on your network that all computers can recognize. If you install IIS on a Domain Controller, the IUSR_<machinename> account is a domain account and is recognized by other computers on the network without additional action.
Problem avoidance
Following are ways to avoid problems when you access network resources from your IIS application:
- Keep files on the local computer.
- Some network communication methods do not perform a Windows security check at all. An example is Windows sockets: a socket connection carries no Windows security context, so the kind of impersonation token does not matter for it, and any authentication has to be done by the application protocol itself.
- You can provide direct access to the network resources of the computer by configuring a virtual directory to be "A share located on another computer." All access to the computer that shares the network resources is performed in the context of the account specified in the Connect As dialog box. This occurs no matter what kind of authentication is configured for the virtual directory. By using this option, all files on the network share are available from browsers that access the IIS computer.
- Use basic authentication or anonymous authentication without Automatic Password Synchronization.
By default, the impersonation that Internet Information Server does for basic authentication provides a token that can access network resources (unlike Windows NT Challenge/Response, which provides a token that cannot access network resources). For anonymous authentication, the token can only access a network resource if Automatic Password Synchronization is disabled. By default, Automatic Password Synchronization is enabled when Internet Information Server is first installed. In such a default configuration, the anonymous user token cannot access network resources. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
259353 Must enter password manually after you toggle password sync
- Configure the anonymous account as a domain account.
This gives every anonymous request potential access to resources across the network. To prevent all anonymous requests from having network access, make the anonymous account a domain account only on the virtual directories that specifically require that access.
- Configure the anonymous account with the same username and password on the computer that is sharing the network resources andthen disable Automatic Password Synchronization.
If you do this you must make sure that the passwords match exactly. This approach must only beused when the "Configure the anonymous account as a domain account" mentioned earlier is not an option for some reason.
- NullSessionShares and NullSessionPipes can be used to allow access to a specific network share or to a named pipe when your request is handled with a network token.
If you have a network token and you try to establish a connection to a network resource, the operating system tries to establish the connection as a non-authenticated connection (referred to as a "NULL session"). This registry setting (the NullSessionShares and NullSessionPipes values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters) must be made on the computer that is sharing the network resource, not on the IIS computer. Any share or pipe listed there becomes reachable by unauthenticated clients from anywhere on the network, not only from the IIS computer, so list only what is required and keep such shares read-only where possible. If you try to access a NullSessionShare or NullSessionPipe with a non-network token, typical Microsoft Windows authentication is used and access to the resource is based on the account user rights of the impersonated user.
- You can potentially perform your own impersonation tocreate a Thread token that does have network access.
The LogonUser function and the ImpersonateLoggedOnUser function can be used to impersonate a different account. This requires that you have the clear text username and password of another account available to your code, so protect that secret and do not store it in files under the web root. LogonUser also requires that the account that calls LogonUser has the "Act as part of the operating system" privilege in User Manager (this applies to Windows NT 4.0 and Windows 2000; Windows XP and later versions no longer require the privilege to call LogonUser). By default, most users who IIS impersonates while it handles an HTTP request do not have this user right. However, for "In Process Applications" there are a number of ways to cause your current security context to change to the LocalSystem account, which does have the "Act as part of the operating system" privilege. For ISAPI DLLs that run in-process, the simplest way to change the security context that IIS has created to the LocalSystem account is to call the RevertToSelf function. Be aware that after RevertToSelf your request handler runs with full LocalSystem rights on the IIS computer, so call LogonUser and ImpersonateLoggedOnUser immediately afterward and keep that window as short as possible. If you are running your IIS application "Out of Process", this mechanism does not work by default because the process is running under the IWAM_<machinename> account and not the LocalSystem account. By default, the IWAM_<machinename> account does NOT have the "Act as part of the operating system" privilege.
- Add the component that is called from the ASP page to a Microsoft Transaction Server (MTS) Server package or COM+ Server application, and then specify a specific user as the identity of the package.
Note The component runs in a separate .exe file that is outside of IIS.
- With basic/clear text authentication, we recommend that you encrypt the data by using SSL because it is extremely easy to obtain credentials from a network trace. For more information about how to install SSL, click the following article number to view the article in the Microsoft Knowledge Base:
228991 How to create and install an SSL certificate in Internet Information Server 4.0
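The following script is an added example for the LogonUser/ImpersonateLoggedOnUser item above; it is not code from the KB article. It logs the same account on twice, once as a network logon and once as an interactive logon, impersonates each token on the current thread, tests whether a UNC path is reachable while impersonating, and then reverts. The account CONTOSO\webfiles and the share \\FILESRV\webdata are hypothetical placeholders; the script is meant for Windows PowerShell on a domain-joined machine.

```powershell
# Added example (not from KB 207671): compare what a Network token and an
# Interactive token for the same account can reach over the network.
# Hypothetical names: CONTOSO\webfiles (account), \\FILESRV\webdata (share).

$sig = @'
using System;
using System.Runtime.InteropServices;
public static class NativeLogon {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $sig

$LOGON32_LOGON_INTERACTIVE = 2   # produces an Interactive token (has network access)
$LOGON32_LOGON_NETWORK     = 3   # produces a Network token (no network access)
$LOGON32_PROVIDER_DEFAULT  = 0

function Test-ImpersonatedAccess {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [int] $LogonType,
        [Parameter(Mandatory)] [string] $UncPath
    )
    $parts = $Credential.UserName -split '\\', 2
    if ($parts.Count -eq 2) { $domain, $user = $parts } else { $domain = '.'; $user = $parts[0] }

    # LogonUser needs the clear text password: keep it in memory only, never on disk.
    $plain = $Credential.GetNetworkCredential().Password
    $token = [IntPtr]::Zero
    $ok = [NativeLogon]::LogonUser($user, $domain, $plain, $LogonType,
                                   $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw ("LogonUser failed: " + [ComponentModel.Win32Exception]::new($err).Message)
    }
    try {
        if (-not [NativeLogon]::ImpersonateLoggedOnUser($token)) {
            throw "ImpersonateLoggedOnUser failed"
        }
        try {
            # GetCurrent() reflects the thread token while impersonating.
            $who       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            $reachable = Test-Path -LiteralPath $UncPath   # $false on access denied
        } finally {
            [void][NativeLogon]::RevertToSelf()   # always drop the impersonation
        }
    } finally {
        [void][NativeLogon]::CloseHandle($token)
    }
    [pscustomobject]@{ Identity = $who; LogonType = $LogonType; UncPath = $UncPath; Reachable = $reachable }
}

$cred = Get-Credential -UserName 'CONTOSO\webfiles' -Message 'Account to impersonate'
Test-ImpersonatedAccess -Credential $cred -LogonType $LOGON32_LOGON_NETWORK     -UncPath '\\FILESRV\webdata'
Test-ImpersonatedAccess -Credential $cred -LogonType $LOGON32_LOGON_INTERACTIVE -UncPath '\\FILESRV\webdata'
```

If the account has share and NTFS permissions on the target, the first call reports Reachable False (the Network token cannot authenticate to the file server and the SMB client falls back to a NULL session) and the second reports Reachable True, which is exactly the distinction the article draws between token types. The RevertToSelf call in the finally block is what keeps the impersonation from leaking into later code on the same thread.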
Do not use drive letters mapped to network shares. Not only are there only 26 potential drive letters to select from, but if you try to use a drive letter that is mapped in a different security context, problems can occur. Instead, you must always use Universal Naming Convention (UNC) names to access resources. A UNC name has the form \\servername\sharename\path\filename.
To determine which kind of logon (and therefore which kind of token) a request obtained, enable auditing of logon events:
- Click Start, click Settings, click Control Panel, click Administrative Tools, and then click Local Security Policy.
- After you open Local Security Policy, in the left Tree View pane, click Security Settings, click Local Policies, and then click Audit Policy.
- Double-click Audit Logon Event and then click Success and Failure. Event Log entries are added under the Security log. You can determine the kind of logon by looking at the event details under the Logon Type: 2 is Interactive, 3 is Network, and 4 is Batch. Windows 2000 and later also record Logon Type 8 (NetworkCleartext) for clear text logons; like an Interactive token, such a logon can access network resources.
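As an added example that is not part of the KB article, the same check from the command line on a current Windows version: enable logon auditing with auditpol, then read the Security log and summarise successful logons (event ID 4624; the NT 4.0/2000-era events 528 and 540 carry the same Logon Type field) by account and logon type. The account filter matching IUSR_ and IWAM_ names is an assumption about your naming; run it elevated on the IIS computer.

```powershell
# Added example (not from KB 207671): which Logon Type did IIS, or your own
# LogonUser call, obtain? Assumes Windows Vista/Server 2008 or later (event 4624)
# and that the accounts of interest start with IUSR_ or IWAM_ (hypothetical).

# Command-line equivalent of the Local Security Policy steps above (needs admin):
# auditpol /set /subcategory:"Logon" /success:enable /failure:enable

$logonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
}

function Get-LogonTypeSummary {
    param(
        [string] $AccountPattern = '^(IUSR|IWAM)_',   # hypothetical account names
        [int]    $MaxEvents = 500
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetUserName -notmatch $AccountPattern) { continue }

        $type = [int]$data.LogonType
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $type
            Kind      = if ($logonTypeName.ContainsKey($type)) { $logonTypeName[$type] } else { "Unknown($type)" }
            Process   = $data.ProcessName
        }
    }
}

# One row per account and logon type: a Network row for a web account means
# requests under it cannot reach shares; Interactive, Batch or NetworkCleartext can.
Get-LogonTypeSummary | Group-Object Account, Kind | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A web account that only ever shows Logon Type 3 is being given Network tokens (NT Challenge/Response, or anonymous access with Automatic Password Synchronization on), which is the first thing to confirm when a share or named pipe is unexpectedly denied.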
Article ID: 207671 - Last Review: 01/05/2012 23:40:00 - Revision: 7.0
Keywords: kbhowtomaster kbhttp KB207671