from Windows2000 (IIS5) to Windows2003 (IIS6)

on 04.10.2007 16:21:01 by Mike

The application is a pair of ISAPI DLLs running under IIS which in turn call
some COM components, etc...
They are set as high isolation in the IIS admin settings. The issue I saw
when setting up our stuff on Server2003 is that I would get a Windows login
prompt while hitting the ISAPI site with an HTTP POST.
I think I got around the login prompt by allowing the anonymous internet
user higher access levels. This was just to get our development
environment running. This is probably not the recommended way to avoid the
login prompt. I do not know which settings are allowed or not allowed in
production environments to meet security compliance, etc.
This login prompt does not occur in production with the settings on Windows
2000 (IIS5).

Any suggestions...

Re: from Windows2000 (IIS5) to Windows2003 (IIS6)

on 05.10.2007 05:34:15 by David Wang

On Oct 4, 7:21 am, Mike wrote:
> The application is a pair of ISAPI DLLs running under IIS which in turn call
> some COM components, etc...
> They are set as high isolation in the IIS admin settings. The issue I saw
> when setting up our stuff on Server2003 is that I would get a Windows login
> prompt while hitting the ISAPI site with an HTTP POST.
> I think I got around the login prompt by allowing the anonymous internet
> user higher access levels. This was just to get our development
> environment running. This is probably not the recommended way to avoid the
> login prompt. I do not know which settings are allowed or not allowed in
> production environments to meet security compliance, etc.
> This login prompt does not occur in production with the settings on Windows
> 2000 (IIS5).
>
> Any suggestions...


IIS6 and COM+ on Windows Server 2003 run with far fewer privileges
than IIS5 and COM+ on Windows 2000 Server. This security change, while
breaking to your ISAPI, is by-design.

Unfortunately, while you say you don't know which settings are needed
to meet security compliance in production, no one else can help you
with this task that you must do, so you will have to figure out what
privileges your ISAPI DLLs require. Of course, you can take the easy
way out and just elevate the anonymous user's privileges, but if your
server gets hacked because of it, it's all your responsibility since
you chose that configuration.

I can only try to help you understand what you must figure out and
some of the steps.

The reason you get the login prompt is because your ISAPI DLL is
failing to do *something* due to insufficient privileges and causes a
401 to be returned. This, in turn, causes the browser to pop up the
Windows login prompt which keeps coming back no matter what user
credential you put in.

I can't tell you what the "something" is that your ISAPI fails to accomplish
due to insufficient privileges, nor what privileges are required.
However, I can tell you that you will have to do one of the following
to figure it out:
1. Go through your ISAPI DLL's design specification to determine the
privileges it needs to do what it wants
2. Debug through the ISAPI DLL binary to determine which line of code
is failing and what privileges that line of code needs


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
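
Added example, not part of the original thread or either poster's code: one way to narrow down which kind of 401 the ISAPI request produces before changing any privileges, by tallying the sub-status and Win32 status recorded in the IIS6 W3C extended log. It assumes the site logs the `sc-substatus` and `sc-win32-status` fields; the log lines, the path `/app/handler.dll`, the account name and the addresses are constructed sample data.

```python
# Added example: triage 401 responses in an IIS6 W3C extended log.
from collections import Counter

# Documented IIS 401 sub-status meanings.
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}
# Win32 error codes that commonly accompany a 401.
WIN32 = {"5": "ERROR_ACCESS_DENIED", "1326": "ERROR_LOGON_FAILURE"}

# Constructed sample log (hypothetical path, account and addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2007-10-04 14:21:01 POST /app/handler.dll - 192.0.2.10 401 3 5
2007-10-04 14:21:02 POST /app/handler.dll - 192.0.2.10 401 3 5
2007-10-04 14:21:09 POST /app/handler.dll DEV\\mike 192.0.2.10 401 1 1326
2007-10-04 14:22:30 GET /default.htm - 192.0.2.10 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per log entry, honouring each #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def triage_401(text):
    """Count 401s per (URL, labelled sub-status / Win32 status)."""
    counts = Counter()
    for e in parse_w3c(text):
        if e.get("sc-status") != "401":
            continue
        sub = e.get("sc-substatus", "?")
        win = e.get("sc-win32-status", "?")
        label = "401.%s %s / %s" % (
            sub, SUBSTATUS.get(sub, "unknown"), WIN32.get(win, "win32=" + win))
        counts[(e.get("cs-uri-stem", "?"), label)] += 1
    return counts

if __name__ == "__main__":
    for (url, label), n in triage_401(SAMPLE_LOG).most_common():
        print(n, url, label)
```

A repeated 401.3 with `ERROR_ACCESS_DENIED` for an anonymous request points at a resource ACL the request identity cannot pass, which is a narrower thing to fix than raising the anonymous user's access level.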