file security/authentication

OK, I thought I had tackled this before a while a ago but forgot what I
did...

I am running IIS6 on a W2K3 server. for most of my site I have Anonymous
access authorized. I have one file that I want to use the local system ACLs
to authenticate with... I have turned off Anonymous access, I have
Integrated Authentication turned on. I have removed IUSR_XXXX from the local
ACL's. If I use my IE to access the file, the audit log shows a failure for
IUSR vice the actual user....

This is on an internal INTRANET,

How can I tweak the system so that the actual user's credintials are used to
verify file permissions.

Thansk
Carl

Re: file security/authentication

OK, so I must be missing something, or just do not get
what "vice the actual user . . . " means.
So, what you have done is not effecting what you want?
You did ACL the restricted part with a grant to the account(s)
that should have access ? Ideally this is with a group from
the domain that is also either in the IIS's Users group or is
granted network logon user right.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Carl Hilton" wrote in message
news:ewSAGBvlGHA.3588@TK2MSFTNGP02.phx.gbl...
> OK, I thought I had tackled this before a while a ago but forgot what I
> did...
>
> I am running IIS6 on a W2K3 server. for most of my site I have Anonymous
> access authorized. I have one file that I want to use the local system
> ACLs to authenticate with... I have turned off Anonymous access, I have
> Integrated Authentication turned on. I have removed IUSR_XXXX from the
> local ACL's. If I use my IE to access the file, the audit log shows a
> failure for IUSR vice the actual user....
>
> This is on an internal INTRANET,
>
> How can I tweak the system so that the actual user's credintials are used
> to verify file permissions.
>
> Thansk
> Carl
>
>

Re: file security/authentication

I have, granted permissions to this file to domain users. I had thought that
if ANONYMOUS access is turned off in IIS for an object and I authenticated
using INTEGRATED WINDOWS AUTHENTICATION, then the users credentials would be
passed to the object prior to access.




"Roger Abell [MVP]" wrote in message
news:eE3PNA1lGHA.3732@TK2MSFTNGP05.phx.gbl...
> OK, so I must be missing something, or just do not get
> what "vice the actual user . . . " means.
> So, what you have done is not effecting what you want?
> You did ACL the restricted part with a grant to the account(s)
> that should have access ? Ideally this is with a group from
> the domain that is also either in the IIS's Users group or is
> granted network logon user right.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
> "Carl Hilton" wrote in message
> news:ewSAGBvlGHA.3588@TK2MSFTNGP02.phx.gbl...
>> OK, I thought I had tackled this before a while a ago but forgot what I
>> did...
>>
>> I am running IIS6 on a W2K3 server. for most of my site I have Anonymous
>> access authorized. I have one file that I want to use the local system
>> ACLs to authenticate with... I have turned off Anonymous access, I have
>> Integrated Authentication turned on. I have removed IUSR_XXXX from the
>> local ACL's. If I use my IE to access the file, the audit log shows a
>> failure for IUSR vice the actual user....
>>
>> This is on an internal INTRANET,
>>
>> How can I tweak the system so that the actual user's credintials are used
>> to verify file permissions.
>>
>> Thansk
>> Carl
>>
>>
>
>

Re: file security/authentication

"Carl Hilton" wrote in message
news:%23TOWVZRmGHA.4696@TK2MSFTNGP05.phx.gbl...
>I have, granted permissions to this file to domain users. I had thought
>that if ANONYMOUS access is turned off in IIS for an object and I
>authenticated using INTEGRATED WINDOWS AUTHENTICATION, then the users
>credentials would be passed to the object prior to access.
>

Well, they are, so to speak . . . access to the object is checked
against the token of the process thread that is attempting access.
Upon the access failure by IUsr there should be attempt to get
credentials that will allow, which may cause login prompt at client
if IE is not configured to do this under the covers.

You said you see in the logs failure for IUsr, but you have not
stated what it is that does happen (saving indicating it does not
work as hoped)

>
> "Roger Abell [MVP]" wrote in message
> news:eE3PNA1lGHA.3732@TK2MSFTNGP05.phx.gbl...
>> OK, so I must be missing something, or just do not get
>> what "vice the actual user . . . " means.
>> So, what you have done is not effecting what you want?
>> You did ACL the restricted part with a grant to the account(s)
>> that should have access ? Ideally this is with a group from
>> the domain that is also either in the IIS's Users group or is
>> granted network logon user right.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>>
>> "Carl Hilton" wrote in message
>> news:ewSAGBvlGHA.3588@TK2MSFTNGP02.phx.gbl...
>>> OK, I thought I had tackled this before a while a ago but forgot what I
>>> did...
>>>
>>> I am running IIS6 on a W2K3 server. for most of my site I have Anonymous
>>> access authorized. I have one file that I want to use the local system
>>> ACLs to authenticate with... I have turned off Anonymous access, I have
>>> Integrated Authentication turned on. I have removed IUSR_XXXX from the
>>> local ACL's. If I use my IE to access the file, the audit log shows a
>>> failure for IUSR vice the actual user....
>>>
>>> This is on an internal INTRANET,
>>>
>>> How can I tweak the system so that the actual user's credintials are
>>> used to verify file permissions.
>>>
>>> Thansk
>>> Carl
>>>
>>>
>>
>>
>
>