I have a Classic ASP application that gives permissions based on the NT user, so I can't allow anonymous. I want to save files off to another server, but the IUSER account can't do that.
If I was anonymous, I could substitute a username and it would work.
How can I require a NT logon and still allow the application to save files to another server?
Change IUSR account to a user on the box that has the proper
permissions or if it is a remote UNC share, use an account that has
permissions to the share
> I have a Classic ASP application that gives permissions based on the NT
user, so I can't allow anonymous. I want to save files off to another
server, but the IUSER account can't do that.
>
> If I was anonymous, I could substitute a username and it would work.
>
> How can I require a NT logon and still allow the application to save files
to another server?
Isn't the IUSR account (or another sustitute) used only when you allow anonymous access?
I can't do this because I use the NT logon for access permissions within the app by looking them up in a SQL table.
If I check the Anonymous logon checkbox, there isn't anything in the Request.ServerVariables("LOGON_USER") variable.
I had the same issue and decided to move
to SQL authentication instead of NT authentication.
I still needed the IUSR account to create files across
the domain to UNC shares coming from the internet.
Basically if the asp application creates modifies or deletes
files then the IUSR account must have rights to do so.
> Isn't the IUSR account (or another sustitute) used only when you allow
anonymous access?
>
> I can't do this because I use the NT logon for access permissions within
the app by looking them up in a SQL table.
>
> If I check the Anonymous logon checkbox, there isn't anything in the
Request.ServerVariables("LOGON_USER") variable.
Fred,
You are correct in that teh IUSR account is not used in an environment that
has anonymous access disabled.
Having said that, I am not sure you will be able to do what you wish in your
environment unless you are running AD or you have a domain with user accounts
established.
What has to happen is that the user that is viewing your ASP page must have
appropriate permissions on the directories on the remote server where you
want to copy the files to. Even then, I am not sure you will be able to
accomplish this becuase IIS typically does not pass the validated credentials
from the client to the remote server for authentication.
Say you have a user named ted on the web server. You must also have a user
named ted on the server where you want to compy the file, and that user must
have appropriate permissions and MUST have the same password as that account
on the web server.
Again, there are no gaurantees that this will work, but it should only taek
a minute or two to set it up and test it.
One other possible solution is to build a custom DLL that runs under an
admin user with priviledges on both machines and then call the DLL to do the
moves for you.
Sorry I am not able to be more help.
"FredT" wrote:
> I have a Classic ASP application that gives permissions based on the NT user, so I can't allow anonymous. I want to save files off to another server, but the IUSER account can't do that.
>
> If I was anonymous, I could substitute a username and it would work.
>
> How can I require a NT logon and still allow the application to save files to another server?
>
Fred,
I just ran a simple test and confirmed that I was unable to write to a file
on a remote server (note that I mean another server in our AD Domain not a
remote server in the usual sense). I even gave teh EVERYONE user full
permissions to the directory where I was trying to do the write and I still
get permission denied.
I believe the issue has to do with passing the authentication to the remote
server. The webserver receives valid authentication fro teh client; however,
the web server is unable to pass that authentication to the remote server.
It may work using basic authentication (as opposed to NT authentication) but
I cannot promise this. Also, supposedly this issue is "fixed" if both
servers are Windows Server 2003 and they are in the same AD Domain.
"John Beschler" wrote:
> Fred,
>
> You are correct in that teh IUSR account is not used in an environment that
> has anonymous access disabled.
>
> Having said that, I am not sure you will be able to do what you wish in your
> environment unless you are running AD or you have a domain with user accounts
> established.
>
> What has to happen is that the user that is viewing your ASP page must have
> appropriate permissions on the directories on the remote server where you
> want to copy the files to. Even then, I am not sure you will be able to
> accomplish this becuase IIS typically does not pass the validated credentials
> from the client to the remote server for authentication.
>
> Say you have a user named ted on the web server. You must also have a user
> named ted on the server where you want to compy the file, and that user must
> have appropriate permissions and MUST have the same password as that account
> on the web server.
>
> Again, there are no gaurantees that this will work, but it should only taek
> a minute or two to set it up and test it.
>
> One other possible solution is to build a custom DLL that runs under an
> admin user with priviledges on both machines and then call the DLL to do the
> moves for you.
>
> Sorry I am not able to be more help.
>
>
>
>
> "FredT" wrote:
>
> > I have a Classic ASP application that gives permissions based on the NT user, so I can't allow anonymous. I want to save files off to another server, but the IUSER account can't do that.
> >
> > If I was anonymous, I could substitute a username and it would work.
> >
> > How can I require a NT logon and still allow the application to save files to another server?
> >