Classic ASP impersonation issue on an IIS7 Windows 2008 server

I am trying to write a file on a server (web05) from a classic ASP site running on Windows 2008 Server on IIS7 (webadmin). This fails, and web05 logs an anonymous login attempt during the save operation.

The webadmin site runs in an application pool in classic mode with a domain user as the process account. The process account has the right "Trust this user for delegation to any service (Kerberos only)." The same applies to the web05 and webadmin servers.

The site uses Windows authentication, and the idea is that when I enter the site with my domain user, my user's rights should determine what I am allowed to do in the context of the IIS site. If I enable Basic Authentication, everything works fine.

I also used setspn.exe to add the SPN for the URL. If I type setspn.exe -L webadmin, I get:

HTTP/webadmin.companyname.com
TERMSRV/webadmin
TERMSRV/webadmin.companypub.local
HOST/webadmin
HOST/webadmin.companypub.local

So, from what I understand, the SPNs are configured correctly.

If I run Process Monitor on webadmin while the save operation is in progress, it shows that the process really is impersonating my domain user, but it gets "Access denied" (and, as I said, web05 logs an anonymous login attempt).

Any idea what causes this?

Regards, Simon

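An added check, not part of the question or its answers: the listing above shows the HTTP SPN registered on the computer account, while the pool runs as a domain user. For classic-mode Windows authentication without kernel-mode authentication, the rule is that HTTP/<site host> must be registered on the pool account and on no other account; otherwise the client gets no Kerberos ticket for the site, falls back to NTLM, and NTLM cannot be delegated to web05, which is exactly where an anonymous logon appears. The script parses `setspn -L` output and applies that rule. The pool account DN (svc_webadmin) is a hypothetical name; the sample listings are constructed to mirror the question.

```python
"""Check where the HTTP/<host> SPN for an IIS site is registered.

Rule applied: when the application pool runs as a domain user and kernel-mode
authentication is not in use, HTTP/<site host> must be registered on the pool
account and on no other account. If it is missing there, or sits on the
computer account instead, the client gets no Kerberos ticket for the site and
silently falls back to NTLM; an NTLM logon cannot be delegated to the next
server, which then sees an anonymous (NULL session) logon.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):$")


def parse_setspn_l(output: str) -> dict[str, list[str]]:
    """Parse the text printed by `setspn -L <account>` (several accounts'
    outputs may be concatenated) into {account DN: [SPN, ...]}."""
    accounts: dict[str, list[str]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("dn")
            accounts[current] = []
        elif current is not None:
            accounts[current].append(line)
    return accounts


@dataclass
class SpnReport:
    ok: bool
    problems: list[str] = field(default_factory=list)


def check_http_spn(accounts: dict[str, list[str]], site_host: str,
                   pool_account_dn: str) -> SpnReport:
    """Report every way the HTTP SPN placement breaks the rule above."""
    wanted = f"HTTP/{site_host}"
    holders = [dn for dn, spns in accounts.items()
               if any(spn.lower() == wanted.lower() for spn in spns)]
    problems: list[str] = []
    if not any(dn.lower() == pool_account_dn.lower() for dn in holders):
        problems.append(f"{wanted} is not registered on the pool identity "
                        f"{pool_account_dn}; clients will fall back to NTLM, "
                        "which cannot be delegated to a second hop")
    for dn in holders:
        if dn.lower() != pool_account_dn.lower():
            problems.append(f"{wanted} is registered on {dn}; with the pool "
                            "running as a domain user it belongs on that "
                            "account only (remove it with setspn -D)")
    return SpnReport(ok=not problems, problems=problems)


# Constructed sample data. The computer account listing mirrors the question;
# the pool account DN is hypothetical.
MACHINE_DN = "CN=WEBADMIN,CN=Computers,DC=companypub,DC=local"
POOL_DN = "CN=svc_webadmin,OU=Service Accounts,DC=companypub,DC=local"
SITE_HOST = "webadmin.companyname.com"

BROKEN_OUTPUT = f"""\
Registered ServicePrincipalNames for {MACHINE_DN}:
        HTTP/{SITE_HOST}
        TERMSRV/webadmin
        TERMSRV/webadmin.companypub.local
        HOST/webadmin
        HOST/webadmin.companypub.local
Registered ServicePrincipalNames for {POOL_DN}:
"""

# Same listing after moving the HTTP SPN onto the pool account.
FIXED_OUTPUT = f"""\
Registered ServicePrincipalNames for {MACHINE_DN}:
        TERMSRV/webadmin
        TERMSRV/webadmin.companypub.local
        HOST/webadmin
        HOST/webadmin.companypub.local
Registered ServicePrincipalNames for {POOL_DN}:
        HTTP/{SITE_HOST}
"""

if __name__ == "__main__":
    for label, text in (("before", BROKEN_OUTPUT), ("after", FIXED_OUTPUT)):
        report = check_http_spn(parse_setspn_l(text), SITE_HOST, POOL_DN)
        print(label, "OK" if report.ok else "\n  ".join(["problems:"] + report.problems))
```

To get the "after" state on a real domain the moves are `setspn -D HTTP/webadmin.companyname.com WEBADMIN` followed by `setspn -S HTTP/webadmin.companyname.com COMPANYPUB\svc_webadmin` (`-S` refuses to create a duplicate; `setspn -X` lists any that already exist). On the client, `klist` afterwards should show an HTTP/webadmin.companyname.com ticket; if it does not, the browser is still using NTLM and the second hop will stay anonymous.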
3 answers

I am trying to clean up my previous questions. This answer is not enough to answer the question above, but I came to the conclusion that it is better to give some idea than none. If the OP disagrees, take the necessary action.

This was a while back, but I remember that I wanted to run Kerberos authentication in this application. The problem was that I tried to make Kerberos work from outside the firewall. The application worked fine within the server's home domain and firewall, but it never succeeded when requests came from outside.

I talked a lot with an Irish specialist at Microsoft, and he taught me a bit about the limitations of using Kerberos. The reason I wanted to use Kerberos was that I didn't like the idea of unencrypted Basic Windows authentication.

Good luck with the Kerberos quest :-)


It seems to me that you are a little confused about impersonation. The process does not impersonate the domain user account; it simply runs as that user. There is a difference.

When a request arrives in ASP, it will impersonate the user, and the thread processing the request runs under the security token issued for that user. It is possible for the same process to impersonate several different users on multiple threads. In most cases, when anonymous access is enabled, this user is the IUSR guest account. It is most likely that your code tries and fails under this user.

However, if anonymous access to the resource is disabled, or the IUSR account does not have access to the resource, then a 401 response is sent back with some indication of which authentication protocols it will accept. The browser can then try to authenticate the connection using either the current user's credentials or credentials it requests from the user.

You did not specify exactly how you are trying to save the file. However, a couple of things are worth noting.

  • An access-denied error that arises from the ASP code itself will not use the above mechanism to try to authenticate the user.
  • Once a connection has been authenticated, it is often reused for subsequent requests (which contradicts the intuitive notion that HTTP is a "connectionless" protocol).
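The answer above describes the 401 challenge and the token the request thread runs under, but not how to tell, after the fact, which package authenticated each hop. As an added example (not from the answer's author), this script classifies Windows Security event 4624 records by authentication package: a Kerberos logon on webadmin means a ticket was obtained and delegation can work, an NTLM logon there means the browser fell back and the second hop will be unauthenticated, and an "ANONYMOUS LOGON" on web05 is what that fallback looks like on the file server. The event text follows the Windows Server 2008 layout as printed by `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text`; the records and the account and host names in them are constructed.

```python
"""Classify Windows Security event 4624 (successful logon) records by the
authentication package that produced them, to see whether the hop into the
IIS site used Kerberos, fell back to NTLM, or reached the file server as an
anonymous (NULL session) logon. Runs offline on constructed records.
"""
import re
from collections import Counter

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z() ]+?):\s*(?P<val>.*?)\s*$")


def parse_4624(text: str) -> dict:
    """Pull the relevant fields from one 4624 message. 'Account Name' occurs
    under both 'Subject:' and 'New Logon:'; only the latter is the logged-on
    user, so fields are keyed by the section header they appear under."""
    by_section: dict[tuple[str, str], str] = {}
    flat: dict[str, str] = {}
    section = ""
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val")
        if val == "":
            section = key            # a header such as 'New Logon:'
        else:
            by_section[(section, key)] = val
            flat[key] = val
    return {
        "user": by_section.get(("New Logon", "Account Name"), "?"),
        "domain": by_section.get(("New Logon", "Account Domain"), "?"),
        "logon_type": flat.get("Logon Type", "?"),
        "package": by_section.get(("Detailed Authentication Information",
                                   "Authentication Package"), "?"),
        "workstation": by_section.get(("Network Information",
                                       "Workstation Name"), "?"),
    }


def classify(ev: dict) -> str:
    """Label one parsed logon for the double-hop diagnosis."""
    if ev["user"].upper() == "ANONYMOUS LOGON":
        return "anonymous"        # no credentials reached this hop
    if ev["package"].lower() == "kerberos":
        return "kerberos"         # a ticket was obtained; delegation is possible
    if ev["package"].upper() == "NTLM":
        return "ntlm-fallback"    # no usable ticket; NTLM cannot be delegated
    return "other"


def summarize(records: list[str]) -> Counter:
    """Count logons per class across a batch of 4624 records."""
    return Counter(classify(parse_4624(r)) for r in records)


def make_4624(user: str, domain: str, package: str, workstation: str) -> str:
    """Build a constructed 4624 message body in the Server 2008 text layout."""
    return f"""An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:         3

New Logon:
    Security ID:        {domain}\\{user}
    Account Name:       {user}
    Account Domain:     {domain}
    Logon ID:           0x1a2b3c

Network Information:
    Workstation Name:   {workstation}
    Source Network Address: -

Detailed Authentication Information:
    Logon Process:      {'Kerberos' if package == 'Kerberos' else 'NtLmSsp'}
    Authentication Package: {package}
    Transited Services: -
    Package Name (NTLM only): {'-' if package == 'Kerberos' else 'NTLM V2'}
    Key Length:         128
"""


# Constructed records (hypothetical names): the first hop on webadmin came in
# over NTLM, web05 then saw a NULL-session logon from webadmin, and a Kerberos
# logon is included for contrast.
SAMPLE_EVENTS = [
    make_4624("simon", "COMPANYPUB", "NTLM", "CLIENT01"),
    make_4624("ANONYMOUS LOGON", "NT AUTHORITY", "NTLM", "WEBADMIN"),
    make_4624("simon", "COMPANYPUB", "Kerberos", "CLIENT01"),
]

if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        ev = parse_4624(rec)
        print(f'{classify(ev):14} {ev["domain"]}\\{ev["user"]} from {ev["workstation"]}')
    print(dict(summarize(SAMPLE_EVENTS)))
```

Run it against the real logs on both servers: if webadmin shows only `ntlm-fallback` for the site's users while web05 shows `anonymous` from WEBADMIN, the problem is the first hop never getting a Kerberos ticket (SPN or browser zone), not the delegation setting; if webadmin shows `kerberos` and web05 still shows `anonymous`, look at the delegation configuration and at whether the code runs under the impersonated thread token when it opens the remote file.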

I ran into the same problem, and it turned out to be a simple change in the application pool. With "Enable 32-Bit Applications" set to FALSE, I received a login prompt. Setting this value to TRUE fixed the problem.


Source: https://habr.com/ru/post/1300028/