
ASP and Active Directory permissions?

Status
Not open for further replies.

Hondy

Technical User
Mar 3, 2003
864
GB
Hi, we have an ASP page that accesses some network resources. The permissions have changed on the network resources so that "Everyone" no longer has permission. The ASP page no longer has access to the network resource.

What account does the ASP use? Is it the IWAM/IUSR account of the server or is it the W3SVC service account or another?

Thanks
 
By default, Classic ASP uses the IUSR that is a local account on the web server, not a network AD account.
 
Thanks sheco

Incidentally, I found from Microsoft that if you create a domain user of the same name (IUSR_machinename) and use the same password you can access network resources.
 
Does anyone know why the IUSR_machinename account on one server can't access a network resource where "everyone" has permissions?

Does IUSR_machinename class as an Anonymous account or is it a member of Everyone given that it is outside of the active directory?
 
Is this the same IUSR account mentioned above with a local account and a domain account?

If the ASP needs users with anonymous access and it also needs to reach Active Directory resources, wouldn't it be less confusing to set the anonymous proxy account to use a domain account that isn't also named IUSR_MachineName? Especially if the machines all have similar names, granting the correct permissions could get confusing.

 
Sheco - ok, it's still not working. How would you recommend letting a webpage access a network resource?

One thing I found is that in Win2000 the anonymous account is a member of Everyone, but in Win2003 it isn't - this is why it is broken I think but I can't figure out how to resolve. My fix never worked :s

Thanks
 
How would you recommend letting a webpage access a network resource?
First I would ask questions:
1. Is this an intranet?
2. Will all users have an Active Directory account with access to the network resource in question?
3. Do I need to worry about the users trying to hack each other?

If the answers are Yes, Yes, No then I might just disable anonymous access to this one particular ASP. This will cause the ASP to execute in the security profile of the user's AD account instead of as the anonymous proxy account. Then, if the user has access to the resource via his own account credentials, there should be no problem accessing it.


If the answers to those top 3 questions are different, I would first get an Active Directory user account that isn't associated with an actual person... it would be a role account. Then I would use the IIS Admin tool to set the role account to be used as the anonymous account for the ASP that needs access to the remote resources. I wouldn't set it as the anonymous account for the entire site, just the ASP that needs it. Final step is to grant this role account permissions to the local web server and also to the remote resources.
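
Added example, not part of the thread or written by any of its posters: a Classic ASP diagnostic page that reports which account the request is actually running as and whether that account can list the network resource, so either configuration described above can be checked after the change. The UNC path `\\fileserver\share` is a hypothetical placeholder.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic (not from the thread). Place it in the same folder and
' give it the same authentication settings as the ASP that needs the share.
Const TEST_PATH = "\\fileserver\share"   ' hypothetical UNC path, replace with yours

Dim net, fso, folder, fileCount, result

Response.ContentType = "text/plain"

' Empty for an anonymous request; filled in once anonymous access is disabled
' and the browser has authenticated.
Response.Write "AUTH_TYPE  : " & Request.ServerVariables("AUTH_TYPE") & vbCrLf
Response.Write "LOGON_USER : " & Request.ServerVariables("LOGON_USER") & vbCrLf

' Account the script thread is impersonating: the anonymous account for an
' anonymous request, otherwise the authenticated user.
Set net = Server.CreateObject("WScript.Network")
Response.Write "Running as : " & net.UserDomain & "\" & net.UserName & vbCrLf

' Try to list the share as that account. FolderExists returns False rather
' than raising an error when access is denied, so also force a real listing.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
On Error Resume Next
If fso.FolderExists(TEST_PATH) Then
    Set folder = fso.GetFolder(TEST_PATH)
    fileCount = folder.Files.Count
    If Err.Number = 0 Then
        result = "OK, " & fileCount & " file(s) visible"
    Else
        result = "Folder found but listing failed: " & Err.Description
    End If
Else
    result = "Not reachable (missing path or access denied)"
End If
On Error GoTo 0

Response.Write "Share test : " & TEST_PATH & " -> " & result & vbCrLf
%>
```

Request it before and after changing the anonymous account or disabling anonymous access, then delete it from the server, since it discloses the account name and share path to anyone who can reach it.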
 