Hi,

I am trying to write to a file on a server (web05) from a classic ASP site running on a Windows 2008 server on IIS7 (webadmin). This fails, and web05 logs an anonymous logon attempt during the course of the save operation.

Webadmin's site is running on an app pool in classic mode with a domain user as the process account. The process account has rights to "Trust this user for delegation to any service (Kerberos only)". The same applies for the web05 and webadmin servers.

The site is using Windows Authentication and the idea is that when I log on the site with my domain user, the rights of my user should define what I am allowed to do in the context of the IIS site. If I turn on Basic Authentication, everything works fine.

I have also used setspn.exe to add an SPN for the URL. If I type setspn.exe -L webadmin, I get:

HTTP/webadmin.companyname.com
TERMSRV/webadmin
TERMSRV/webadmin.companypub.local
HOST/webadmin
HOST/webadmin.companypub.local

So from what I understand the SPNs are set up correctly.

If I run processmonitor on webadmin while the save operation is executed, it says that the process is indeed impersonating my domain user - but getting "Access denied" (and as I said before, web05 logs an anonymous logon attempt).

Any idea what causes this?

Kind regards, Simon

+2  A: 

It sounds to me like you're a little confused over impersonation. The process isn't impersonating the domain user account, it's simply running as that user. There is a difference.

When a request arrives into ASP it will then impersonate a user, and the thread handling the request will be running under the security token of the impersonated user. It's quite possible to have the same process impersonating multiple different users in multiple threads. In most cases where anonymous user access is enabled this user is the Guest-level IUSR account. It's most likely that it's under this user that your code is attempting, and failing, to run.

However, if anonymous is turned off for the resource being accessed, or the IUSR account does not have access to the resource, then a 401 response is sent back, with some indication of what authentication protocols it will accept. The browser may then attempt to authenticate the connection using either the current user's credentials or request some credentials from the user.

You don't specify exactly how you are attempting to save the file. It's worth pointing out a couple of things though.

  1. ASP code execution which may subsequently result in an access denied will not use the above mechanism to try to resolve the user.
  2. Once a connection is authenticated it often continues to be re-used for subsequent requests (which is counter-intuitive to the knowledge that HTTP is a "connection-less" protocol).
AnthonyWJones
You are totally right about me being confused over impersonation. So if I go back to the start and ask myself what I am trying to do: I want my domain user to be authenticated so I can let the classic ASP site use my domain user's credentials to write to a file on another server. Am I on the right track the way I've done it with Windows Authentication? Anonymous authentication is not enabled. I am trying to save the file from an ADODB stream object. FileSystemObject fails too.
nitech
Yes, you're on the right track. If you want the activity done under the client user's identity, turn off anonymous access, at least for the page that contains your code, and turn on Windows integrated security. Assuming the user has the correct permissions the code should work.
AnthonyWJones
That's good. I have however already turned off anonymous access and turned on Windows Authentication. I am able to log on with my domain user on the site (the user even authenticates the database access, a system DSN with Windows authentication), but I am not able to save a file on the remote server even if the logged-on user has the appropriate rights.
nitech
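The answer explains that the browser picks an authentication mechanism from the server's 401 challenge; the delegation set up in the question only works when that mechanism is Kerberos, because an NTLM token cannot be forwarded to web05 and the second hop then shows up as exactly the anonymous logon reported. The following script is an added example, not code from the thread, that tells the two apart from the value of the Authorization header (classic ASP exposes it as Request.ServerVariables("HTTP_AUTHORIZATION"), which is an assumption about where you would capture it); the sample tokens are constructed inline rather than captured from a real client.

```python
import base64

# Mechanism OIDs as DER content bytes (without the 06 tag and length byte)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLM_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
NTLMSSP_SIG = b"NTLMSSP\x00"                       # signature of a raw NTLM message

def classify_negotiate(header: str) -> str:
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value.

    In a SPNEGO NegTokenInit the mechTypes list precedes the optimistic mechToken,
    so the first mechanism OID found in the blob is the one the client actually used.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return "unknown"                 # Basic, Digest, or no credentials at all
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:                   # binascii.Error is a ValueError subclass
        return "unknown"
    if blob.startswith(NTLMSSP_SIG):
        return "ntlm"                    # raw NTLM type 1, no SPNEGO wrapper
    if not blob.startswith(b"\x60"):     # GSS-API InitialContextToken [APPLICATION 0]
        return "unknown"
    best, best_pos = "unknown", len(blob)
    for name, oid in (("kerberos", KRB5_OID), ("kerberos", MSKRB5_OID), ("ntlm", NTLM_OID)):
        pos = blob.find(oid)
        if 0 <= pos < best_pos:
            best, best_pos = name, pos
    return best

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; short-form length is enough for the constructed samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_negotiate_header(mechs, inner: bytes = b"\x00" * 8) -> str:
    """Constructed (not captured) NegTokenInit with the given mechTypes, for testing."""
    mech_types = _der(0x30, b"".join(_der(0x06, m) for m in mechs))
    neg_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, inner)))
    gss = _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(gss).decode()

if __name__ == "__main__":
    for h in (sample_negotiate_header([KRB5_OID, MSKRB5_OID, NTLM_OID]),  # Kerberos first
              sample_negotiate_header([NTLM_OID, KRB5_OID]),              # NTLM fallback
              "Negotiate TlRMTVNTUAABAAAA"):                              # constructed raw NTLM
        print(classify_negotiate(h))
```

If a request that should be delegating reports "ntlm", look at the SPN and the service account's delegation settings before looking at file permissions on web05.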