Diff behavior for "Integrated windows authentication" in IIS6 Vs I

on 24.11.2006 16:57:02 by DavidZhu

Hi,

I'm quite confused by the behavior of IIS6's "Integrated Windows
authentication"!

When I specify an admin account as the Identity of the application
pool which my web application uses, even an anonymous user in the
intranet is able to access my application, and meanwhile I didn't enable
anonymous access in IIS6.

But this case would never happen in IIS5, because, as we know, other
users who do not have the privilege to access the server would not be able
to access my web application when only "Integrated Windows authentication" is
enabled.

Please help me, thanks.

Re: Diff behavior for "Integrated windows authentication" in IIS6 Vs I

on 25.11.2006 06:02:52 by Roger Abell

You need to provide more precise details.
It is not just whether Windows integrated authentication is or is
not enabled for use, but also what permissions exist on the content
that determines what access happens. The account used for the
application pool does not really alter the authentication behavior
when the browser hits on the site.


Re: Diff behavior for "Integrated windows authentication" in IIS6

on 26.11.2006 07:40:01 by DavidZhu

Hi Roger,

Thanks. After further investigation, I found that I had neglected a quite important
thing before. The ACL of my Web Application folder allows "Domain Users"
to read and execute. So I think that allows the anonymous domain user to access
my web application.

Thanks again.



Re: Diff behavior for "Integrated windows authentication" in IIS6

on 26.11.2006 10:18:24 by David Wang

IIS6 Integrated Windows Authentication works just like IIS5.

If you find a difference in behavior, it is most likely due to
difference in user configuration between the Windows 2000 Server and
Windows Server 2003 machines.

Anonymous authentication in all versions of IIS means: "for all
requests, logon a specified user account in IIS configuration and use
that user account to execute the request". It has no relation to
"anonymous user on the Intranet". It means that EVERY user from
anywhere uses the specified user account in IIS configuration to
execute requests on the server.

Integrated Windows authentication in all versions of IIS means: "For
all requests, negotiate an acceptable authentication protocol to confirm
the identity of a Windows user principal, and use that user's token to
execute the request."

If you want to disallow "anonymous" access, then turn off Anonymous
authentication in IIS, and make sure your resources are ACL'd to the
right users and groups.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


