This article describes problems with accessing files on a computer other than your Internet Information Server (IIS) computer from an Internet Server API (ISAPI) extension, Active Server Pages (ASP) page, or Common Gateway Interface (CGI) application. It explains the issues that are involved and lists some methods to make this work.
Although this article is written primarily in the context of accessing files on network shares, the same concepts apply to named-pipe connections as well. Named pipes are frequently used for SQL Server connections and also for remote procedure call (RPC) and Component Object Model (COM) communications. In particular, if you connect to a SQL Server across the network that is configured to use Windows NT Integrated Security, the connection fails for the reasons outlined in this article. RPC and COM may also use other communication mechanisms that have similar network authentication schemes. Therefore, the concepts in this article apply to a wide variety of network communication mechanisms that may be used from your IIS applications.

Authentication and impersonation types
When IIS services an HTTP request, IIS impersonates a security context so that access to resources while handling the request is limited appropriately. Which security context is impersonated depends on the kind of authentication performed for the request. IIS 4.0 offers five authentication types:
Authentication type                                                                 Impersonation type
Anonymous access (no authentication), Automatic Password Synchronization ON (default)   Network
Anonymous access (no authentication), Automatic Password Synchronization OFF            IIS Clear Text
Basic authentication                                                                IIS Clear Text
NT Challenge/Response authentication                                                Network
Client SSL certificate mapping                                                      Interactive

Token types
Whether access to network resources is permitted depends on the kind of impersonation token under which the request is being processed.
- Network tokens are not permitted to access network resources. (They are named so because this kind of token is traditionally created by a server when a user is authenticated across the network. Allowing the server to use a network token to act as a network client and access another server is called "delegation" and is considered a potential security hole.)
- Interactive tokens are traditionally used when authenticating a local user on the computer. Interactive tokens are permitted to access resources across the network.
- Batch tokens are designed to provide a security context under which batch jobs run. Batch tokens have network access.
IIS has the concept of a Clear Text logon, named so because IIS has access to both the user name and the password in clear text. You can control whether a Clear Text logon creates a Network token, an Interactive token, or a Batch token by setting the LogonMethod property in the metabase. By default, Clear Text logons receive an Interactive token and therefore have access to network resources. LogonMethod can be configured at the server, the site, the virtual directory, the directory, or the file level.
Anonymous access impersonates the account configured as the anonymous user for the request. By default, IIS has a single anonymous user account called IUSR_<machinename> that is impersonated when handling a non-authenticated request. By default, IIS 4.0 has a configurable feature called "Enable Automatic Password Synchronization" that uses a security sub-authority to create the token. Tokens created in this manner are Network tokens, which do not have access to other computers on the network. If you disable Automatic Password Synchronization, IIS creates the token in the same manner as the Clear Text logon described earlier. Automatic Password Synchronization is only available for accounts that are located on the same computer as IIS. Therefore, if you change your anonymous account to a domain account, you cannot use Automatic Password Synchronization and you receive a Clear Text logon. The exception is if you install IIS on your Primary Domain Controller; in this case, the domain accounts are on the local computer. The anonymous account and the Automatic Password Synchronization option can be configured at the server, the site, the virtual directory, the directory, or the file level.
Having the correct type of token is only the first step in accessing a resource on the network. You must also impersonate an account that has access to the resource across the network. By default, the IUSR_<machinename> account that IIS creates for anonymous requests exists only on the local computer. Even if you disable Automatic Password Synchronization so that you get an Interactive token that can access network resources, the IUSR_<machinename> account typically does not have access to most network resources because other computers do not recognize the account. If you want to access network resources with anonymous requests, you must replace the default account with an account in a domain on your network that is recognized by all computers. If you install IIS on a Domain Controller, the IUSR_<machinename> account is a domain account and is recognized by other computers on the network without additional action.

Problem avoidance
The following are ways to avoid problems when you access network resources from your IIS application:
- Keep files on the local computer.
- Some network communication methods do not perform a Windows security check when the connection is established. Windows sockets is an example.
- You can provide direct access to the network resources of another computer by configuring a virtual directory to be "A share located on another computer." All access to the computer that shares the network resources is performed in the context of the account specified in the Connect As dialog box, no matter what kind of authentication is configured for the virtual directory. Be aware that with this option, all files on the network share are available to browsers that access the IIS computer.
- Use basic authentication or anonymous authentication without Automatic Password Synchronization.
By default, the impersonation that Internet Information Server does for basic authentication provides a token that can access network resources (unlike Windows NT Challenge/Response, which provides a token that cannot access network resources). For anonymous authentication, the token can only access a network resource if Automatic Password Synchronization is disabled. By default, Automatic Password Synchronization is enabled when Internet Information Server is first installed. In such a default configuration, the anonymous user token cannot access network resources.
Note After you toggle Automatic Password Synchronization, you must enter the anonymous account's password manually.
- Configure the anonymous account as a domain account.
This gives anonymous requests potential access to resources across the network. To prevent all anonymous requests from having network access, make the anonymous account a domain account only on the virtual directories that specifically require it.
- Configure the anonymous account with the same user name and password on the computer that is sharing the network resources, and then disable Automatic Password Synchronization.
If you do this, you must make sure that the passwords match exactly. Use this approach only when the "Configure the anonymous account as a domain account" option described earlier is not available for some reason.
- NullSessionShares and NullSessionPipes can be used to allow access to a specific network share or named pipe when your request is handled with a Network token.
If you have a Network token and you try to establish a connection to a network resource, the operating system tries to establish a non-authenticated connection (referred to as a "null session"). This registry setting must be made on the computer that is sharing the network resource, not on the IIS computer. If you try to access a NullSessionShare or NullSessionPipe with a non-Network token, normal Windows authentication is used and access to the resource is based on the user rights of the impersonated account.
- You can potentially perform your own impersonation to create a thread token that does have network access.
The LogonUser and ImpersonateLoggedOnUser functions can be used to impersonate a different account. This requires that your code has the clear-text user name and password of that account available. On Windows NT 4.0, LogonUser also requires that the account that calls it holds the "Act as part of the operating system" privilege (SE_TCB_NAME), assigned in User Manager; Windows XP and later no longer require this privilege. By default, most users who IIS impersonates while it handles an HTTP request do not have this user right. However, for in-process applications there are a number of ways to change your current security context to the LocalSystem account, which does have the "Act as part of the operating system" privilege. For ISAPI DLLs that run in-process, the best way to discard the security context that IIS created and return to the LocalSystem process identity is to call the RevertToSelf function. If your IIS application runs out of process, this mechanism does not work by default because the process runs under the IWAM_<machinename> account, not LocalSystem, and IWAM_<machinename> does not have the "Act as part of the operating system" privilege.
- Add the component that is called from the ASP page to a Microsoft Transaction Server (MTS) Server package or COM+ Server application, and then specify a specific user as the identity of the package.
Note The component runs in a separate .exe file that is outside of IIS.
- With basic/clear text authentication, we recommend that you encrypt the data by using SSL because it is extremely easy to obtain credentials from a network trace. For more information about how to install SSL, click the following article number to view the article in the Microsoft Knowledge Base:
How to create and install an SSL certificate in Internet Information Server 4.0
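The following PowerShell script is an added example that is not part of the original article. It demonstrates two things described above: the token-type distinction from the "Token types" section (Interactive and Batch tokens can act as a network client, Network tokens cannot) and the LogonUser/ImpersonateLoggedOnUser approach from the list item above. It calls LogonUser with each of the three logon types, impersonates the resulting token, and tests whether a UNC path can be opened. The account CONTOSO\svc_web and the share \\FILESRV\webdata are placeholders, not from the article; the script assumes a current Windows version (where LogonUser no longer needs the "Act as part of the operating system" privilege) and an elevated session.

```powershell
# Added example, not from the original article: call LogonUser with each of the
# three logon types the article discusses and test, under impersonation, whether
# the resulting token can open a UNC path. Placeholders (not in the article):
# the account CONTOSO\svc_web and the share \\FILESRV\webdata. Run on Windows
# in an elevated PowerShell session.

Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Win32 logon-type constants. The numbers are the same "Logon Type" values that
# appear in Security log logon events.
$LogonTypes = [ordered]@{ Interactive = 2; Network = 3; Batch = 4 }
$LOGON32_PROVIDER_DEFAULT = 0

function Test-UncAccessAsLogonType {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][int]$LogonType,
        [Parameter(Mandatory)][string]$UncPath
    )
    $nc    = $Credential.GetNetworkCredential()
    $token = [IntPtr]::Zero
    if (-not [Win32.Logon]::LogonUser($nc.UserName, $nc.Domain, $nc.Password,
                                      $LogonType, $LOGON32_PROVIDER_DEFAULT, [ref]$token)) {
        throw [System.ComponentModel.Win32Exception]::new(
            [System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        if (-not [Win32.Logon]::ImpersonateLoggedOnUser($token)) {
            throw [System.ComponentModel.Win32Exception]::new(
                [System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
        try {
            # Runs on the impersonating thread. A Network-type token carries no
            # credentials it can present to FILESRV, so the SMB connection falls back
            # to a null session and this returns $false unless the share is listed in
            # NullSessionShares on FILESRV; Interactive and Batch tokens authenticate
            # normally and succeed if the account has rights to the share.
            return [System.IO.Directory]::Exists($UncPath)
        }
        finally { [void][Win32.Logon]::RevertToSelf() }
    }
    finally { [void][Win32.Logon]::CloseHandle($token) }
}

$cred = Get-Credential -UserName 'CONTOSO\svc_web' -Message 'Account to test'
foreach ($entry in $LogonTypes.GetEnumerator()) {
    $reachable = Test-UncAccessAsLogonType -Credential $cred -LogonType $entry.Value `
                                           -UncPath '\\FILESRV\webdata'
    '{0,-11} token (type {1}): share reachable = {2}' -f $entry.Key, $entry.Value, $reachable
}
```

Run this from a session that has no existing SMB connection to the file server (check with net use first); an already-established session to FILESRV would be reused regardless of the impersonated token and would mask the Network-token failure the example is meant to show.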
Remember that you can prevent network access for anonymous requests where password synchronization is disabled, and for requests authenticated with basic authentication (Clear Text logons), by setting the LogonMethod metabase property to 2 (a network logon is used to create the impersonation token). With this setting, the only way for such requests to get around the Network-token limitation is to connect to NullSessionShares or NullSessionPipes.
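The following PowerShell script is an added example, not from the original article, showing the two configuration halves that go together when you choose LogonMethod 2: on the IIS server, set the metabase property through the IIS ADSI provider so clear-text logons on one virtual directory receive Network tokens; on the file server, list exactly the share those requests still need in the NullSessionShares registry value described earlier. The web site instance number 1, the virtual directory name "reports" and the share name "webdata" are placeholders, not from the article.

```powershell
# Added example, not from the original article. Run elevated on each machine.
# Placeholders (not in the article): web site instance 1, virtual directory
# "reports", share name "webdata".

# ---- IIS server: metabase LogonMethod via the IIS ADSI provider ----
# 0 = interactive (default), 1 = batch, 2 = network. 0 and 1 produce tokens that
# can act as a network client; 2 produces a token that cannot.
$vdir = [ADSI]'IIS://localhost/W3SVC/1/ROOT/reports'
'Before: LogonMethod = {0}' -f $vdir.LogonMethod
$vdir.Put('LogonMethod', 2)
$vdir.SetInfo()
$vdir.RefreshCache()
'After:  LogonMethod = {0}' -f $vdir.LogonMethod

# ---- File server: LanmanServer NullSessionShares (REG_MULTI_SZ) ----
# Only shares named here accept null-session (unauthenticated) connections while
# RestrictNullSessAccess stays at its default of 1. Never set RestrictNullSessAccess
# to 0: that opens every share on the server to null sessions.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$existing = @((Get-ItemProperty -Path $key -Name NullSessionShares -ErrorAction SilentlyContinue).NullSessionShares)
if ($existing -notcontains 'webdata') {
    $updated = @($existing | Where-Object { $_ }) + 'webdata'
    Set-ItemProperty -Path $key -Name NullSessionShares -Value ([string[]]$updated) -Type MultiString
}
# The Server service reads these parameters when it starts.
Restart-Service -Name LanmanServer -Force

# The registry entry only allows the null session to connect. The share and NTFS
# permissions must also grant read access to the anonymous identity (Everyone on
# Windows NT 4.0/2000; ANONYMOUS LOGON on later versions, where Everyone no longer
# includes anonymous users).
```

Keep the NullSessionShares list as short as possible: every share listed there is readable by any unauthenticated client that can reach the server, not just by your IIS computer.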
Do not use drive letters mapped to network shares. Not only are there only 26 drive letters to select from, but drive mappings belong to the logon session that created them, so a drive letter that was mapped in a different security context is not usable by your application. Instead, always use Universal Naming Convention (UNC) names to access resources, in the form \\servername\sharename\path\file.ext.
For more information about using UNC, click the following article number to view the article in the Microsoft Knowledge Base:
IIS Security recommendations when you use a UNC share
The information in this article pertains only to Internet Information Server 4.0. Internet Information Server 5.0 (included with Windows 2000) introduces significant changes, including new authentication types and capabilities. Although most of the concepts in this article still apply to IIS 5.0, the details in this article about the kinds of impersonation tokens that are generated by particular authentication schemes apply strictly to IIS 4.0.
Related Microsoft Knowledge Base article: How to run applications not in the context of the system account
If you cannot determine what kind of logon is occurring on your IIS server to handle requests, turn on auditing for logon and logoff events. Follow these steps:
- Click Start, click Settings, click Control Panel, click Administrative Tools, and then click Local Security Policy.
- After you open Local Security Policy, in the left Tree View pane, click Security Settings, click Local Policies, and then click Audit Policy.
- Double-click Audit Logon Events, and then click Success and Failure. Event Log entries are added to the Security log. You can determine the kind of logon by looking at the Logon Type field in the event details:
2 = Interactive
3 = Network
4 = Batch
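The following PowerShell script is an added example, not from the original article, that automates the check described in the steps above: once logon auditing is on, it reads the Security log and summarizes the Logon Type of successful logons for one account, so you can see which kind of token (Interactive = 2, Network = 3, Batch = 4) is being created for your IIS requests. It assumes a current Windows version that records logons as event ID 4624 (the NT 4.0/2000-era event IDs differ); the anonymous account name IUSR_WEB01 is a placeholder, not from the article.

```powershell
# Added example, not from the original article. Assumes Windows Vista / Server 2008
# or later (event ID 4624) and an elevated session. IUSR_WEB01 is a placeholder.
#
# Turn the audit on first (equivalent to the Local Security Policy steps above):
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable

$LogonTypeNames = @{
    2 = 'Interactive'        # token can act as a network client
    3 = 'Network'            # token cannot act as a network client (this article's case)
    4 = 'Batch'              # token can act as a network client
    8 = 'NetworkCleartext'   # network logon that keeps the clear-text password; the
                             # default for IIS basic authentication on IIS 6 and later
}

function Get-LogonTypeSummary {
    param(
        [string]$Account,        # TargetUserName to match; empty matches all accounts
        [int]$MaxEvents = 1000
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Read named fields from the event XML rather than relying on positional
            # Properties[] indexes.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            $type = [int]$fields['LogonType']
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $fields['TargetUserName']
                LogonType = $type
                Kind      = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Type $type" }
                Process   = $fields['ProcessName']   # the worker process that requested the logon
            }
        } |
        Where-Object { -not $Account -or $_.User -ieq $Account } |
        Group-Object Kind |
        Select-Object Name, Count
}

Get-LogonTypeSummary -Account 'IUSR_WEB01'
```

If the summary shows only Network (3) logons for the account your application impersonates, that is the condition this article describes, and access to a UNC share or named pipe on another computer will fail unless one of the approaches under "Problem avoidance" is applied.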