Archived Months
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008


all groups > iis security > recent posts

RE: Getting Ip address of the actual client
Posted by hariharadeep at 8/4/2008 4:44:01 AM
Using remoting methodology you can get those details of server machine located. Also i do recommend not to mention your private IP's on the blogs. It would effect your employment in your company. "Maintain in different application pools so that burden with the servers too will be reduced." Fro...more >>

Re: Web server delivers wrong SSL certificate information
Posted by Ken Schaefer at 6/23/2008 4:53:36 PM
Look in the metabase to see what the SSLCertHash value is for that website. It should match the thumbprint value of the certificate you want to use. Cheers Ken "Jerry Hodson" <JerryHodson@discussions.microsoft.com> wrote in message news:62F1A8E6-BA24-4A7F-91A0-BA42C9FF81EA@microsoft.com.....more >>

Re: Kerberos Problem with App Pool running as Domain Account
Posted by Consultant at 6/23/2008 3:20:14 PM
is the domain account it is running under "trusted for delegation"? "VC" <VC@discussions.microsoft.com> wrote in message news:3630E23B-1C39-48A9-BE3F-AB25507AE8A1@microsoft.com... > Thank you for the response. > > There are some authentication types of "Negotiate" however, there are no > du...more >>

Re: FTP access issues
Posted by Pablo A. Allois at 6/23/2008 2:25:12 PM
What kind of isolation are u using ? "nandagopalrvarma" <nandagopalrvarma@gmail.com> wrote in message news:84a1dfb3-8aff-460b-85f6-533c4469af53@q24g2000prf.googlegroups.com... > Hi , > I have a Windows Server 2003 R2 Enterprise box which is an ADC and > runs SMS 2003 SP3 primary site, a FT...more >>

Re: Kerberos Problem with App Pool running as Domain Account
Posted by Ken Schaefer at 6/23/2008 12:59:56 PM
a) you need to make sure that the browser is authenticating using Kerberos (and not NTLM). Check the Windows Event logs for this b) you need to remove any duplicate SPNs you might have registered under the original computer account http://adopenstatic.com/faq has a list of IIS and Kerberos...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by Kyle Alons at 6/23/2008 12:48:49 PM
>Those are all EXE in System32, which like CMD.EXE have "special" ACLs that prevent them from being launched remotely from IIS. Even a bogus EXE like 'blah'? I also have the same problem with a custom console executable (which is what I was using originally). It and the others previously m...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by Kyle Alons at 6/23/2008 11:26:02 AM
>Do you need to use cmd.exe. Try another EXE. I've tried with xcopy, cscript, and a bogus (non-existent) exe and get the same result. ...more >>

Re: Web server delivers wrong SSL certificate information
Posted by Jerry Hodson at 6/23/2008 10:52:00 AM
Ken, Thank you for the tip. I looked at the metabase and it does show the correct SSLCertHash value. But when I view the certificate when I go to the web site, I am seeing the old certificate's information that is expired. -- Jerry "Ken Schaefer" wrote: > Look in the metabase to ...more >>



Re: IIS7: CreateProcessWithLogonW access denied
Posted by David Wang at 6/23/2008 10:45:49 AM
On Jun 23, 10:26=A0am, "Kyle Alons" <re...@to.newsgroup> wrote: > >Do you need to use cmd.exe. Try another EXE. > > I've tried with xcopy, cscript, and a bogus (non-existent) exe and get th= e > same result. Those are all EXE in System32, which like CMD.EXE have "special" ACLs that preven...more >>

Re: Kerberos Problem with App Pool running as Domain Account
Posted by VC at 6/23/2008 7:52:03 AM
Thank you for the response. There are some authentication types of "Negotiate" however, there are no duplicate SPNs, and as far as I can tell everything is setup as it should be. My only thought might be that the application pool is running under a domain account, perhaps IIS itself has to...more >>

FTP access issues
Posted by nandagopalrvarma at 6/22/2008 9:59:04 PM
Hi , I have a Windows Server 2003 R2 Enterprise box which is an ADC and runs SMS 2003 SP3 primary site, a FTP web site and ISA 2006 to protect the FTP as well provide Web Proxy services. My FTP site is running quite nicely though I've heard the above mentioned setup is not good and can cause l...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by David Wang at 6/22/2008 7:59:10 PM
Do you need to use cmd.exe. Try another EXE. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // On Jun 21, 9:03=A0pm, "Kyle Alons" <re...@to.newsgroup> wrote: > >How are you certain your settings actually took place at the scope you > > desire... > > I'm not ce...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by Kyle Alons at 6/21/2008 10:03:49 PM
>How are you certain your settings actually took place at the scope you desire... I'm not certain of much, but changing the setting does seem to have some effect. "Full" results in GetLastError of 5 (access denied), while High or Medium results in: Security Exception Description: The ap...more >>

Re: Unwanted login request
Posted by David Wang at 6/21/2008 3:05:46 PM
On Jun 20, 11:05=A0am, "Ben" <bf...@furino.org> wrote: > Problem: trying to move web sites to a second controller in my domain, an= d > I'm getting unwanted request for authentication. > > Detail: when the IP address of the site is on the domain controller, I > attempt to access it with IE. =A...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by David Wang at 6/21/2008 2:08:30 AM
On Jun 20, 12:03=A0pm, "Kyle Alons" <re...@to.newsgroup> wrote: > >I highly recommend searching on the terms "Modify Code Access > > Security" to arrive at good answers for your question. > > Based onhttp://msdn.microsoft.com/en-us/library/aa302425.aspx, I added a > trust element to machine.co...more >>

Re: FTPS Clients with IIS7
Posted by BPF (Brian and Paul Fan) at 6/20/2008 9:45:59 PM
> When will Microsoft's FTP.EXE and Internet Explorer support FTP over SSL > (FTPS) as it is implemented in IIS7? I hope Pablo's reply didn't redirect people away from this question: It's about the *client*-side FTPS apps in Windows, not IIS. It's rather strange that IIS7 supports FTPS but...more >>

Unwanted login request
Posted by Ben at 6/20/2008 1:05:53 PM
Problem: trying to move web sites to a second controller in my domain, and I'm getting unwanted request for authentication. Detail: when the IP address of the site is on the domain controller, I attempt to access it with IE. If I've set the site up in IIS, I see it, if I don't, I get a pag...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by Kyle Alons at 6/20/2008 1:03:52 PM
>I highly recommend searching on the terms "Modify Code Access Security" to arrive at good answers for your question. Based on http://msdn.microsoft.com/en-us/library/aa302425.aspx, I added a trust element to machine.config (both 32- and 64-bit flavors): <system.web> <!-- level="[Full|Hi...more >>

Web server delivers wrong SSL certificate information
Posted by Jerry Hodson at 6/20/2008 7:18:00 AM
Completely befuddled here. Running IIS 6.0 on my web server for many years now and have never had any issues when replacing expiring certificate file with new ones, until now. When I hit the web site, the certificate that I can view is the old expired one. Not the new one that I replced it...more >>

Re: SelfSSL IIS 6.0
Posted by David Wang at 6/19/2008 11:52:41 PM
On Jun 19, 12:03=A0pm, S H A R I Q U E <SHARI...@discussions.microsoft.com> wrote: > i have setup intranet website and encrypted its content using SelfSSL. > Now, i want to enable external users outside the company to access this > website using HTTPS. Is it possible to utilize SelfSSL for both ...more >>

Re: _stat from ISAPI Extension always returns FILE_NOT_FOUND
Posted by David Wang at 6/19/2008 11:50:03 PM
On Jun 19, 8:27=A0am, Jason Viers <s...@beanalby.net> wrote: > I have an IIS 6 ISAPI Extension that is set as a Wildcard Application > Map. =A0The virtual directory is set to Inegrated Authentication > only so it impersonates the requesting user (which GetUserNameEx > confirms). > > The IIS ma...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by David Wang at 6/19/2008 10:15:52 PM
On Jun 19, 10:20=A0am, "Kyle Alons" <re...@to.newsgroup> wrote: > >There is no alternative for your type of code to work with the default > > setting -- that would be allowing the very security vulnerabilities > which were closed by changing the default. > > >Your choices are to either change ...more >>

SelfSSL IIS 6.0
Posted by S H A R I Q U E at 6/19/2008 12:03:02 PM
i have setup intranet website and encrypted its content using SelfSSL. Now, i want to enable external users outside the company to access this website using HTTPS. Is it possible to utilize SelfSSL for both intranet and extranet or do i need to purchase a certificate from VeriSign to encryp t...more >>

Re: iis 5.1, internet explorer, cached credentials and kerberos
Posted by Brian Yuill at 6/19/2008 11:30:01 AM
After googling around some more it feels like my problem lives in IE. I've tried IE versions 6 and 7. Both fail the same way. Multiple machines. Same problem. Couple of different ISPs. Same problem. I've tried running site under IIS 6. Problem persists. It seems like the conventional ...more >>

_stat from ISAPI Extension always returns FILE_NOT_FOUND
Posted by Jason Viers at 6/19/2008 11:27:03 AM
I have an IIS 6 ISAPI Extension that is set as a Wildcard Application Map. The virtual directory is set to Inegrated Authentication only so it impersonates the requesting user (which GetUserNameEx confirms). The IIS machine is trusted for delegation, and the extension uses WinHttp to access ...more >>

Re: IIS7: CreateProcessWithLogonW access denied
Posted by Kyle Alons at 6/19/2008 11:20:05 AM
>There is no alternative for your type of code to work with the default setting -- that would be allowing the very security vulnerabilities which were closed by changing the default. >Your choices are to either change the default or modify the default Code Access Security on your system. Ho...more >>

Re: IIS 6 Cert Wizard - Copy Certificate Another Server - Access i
Posted by Scott at 6/19/2008 6:46:03 AM
David, Thank you for your response. Shortly after posting this issue, I figured out that I needed to export with private key to a .pfx file and then re-import the .pfx file back to the dev server as you indicate. If that is the procedure, however, why does the IIS Cert Wizard also offer the...more >>

RE: Integrated Security fails using machine name, succeeds using F
Posted by VC at 6/19/2008 6:46:02 AM
Glad that you solved the problem. Just as an answer to why you need those settings: Trusted for delegation means that the account can forward credentials to another server. Without this, the client's credentials are lost between the web server and the database server. IIS_WPG group allows ...more >>

RE: Integrated Security fails using machine name, succeeds using F
Posted by Seth Petry-Johnson at 6/19/2008 6:30:03 AM
Just yesterday I received an email back from my customer saying they had figured out the configuration. They say the solution was to configure the domain account as (1) trusted for delegation, (2) a member of IIS_WPG group on FOOWEB, and (3) has "Act as a part of OS" / "Impersonate a client af...more >>

Kerberos Problem with App Pool running as Domain Account
Posted by VC at 6/19/2008 6:00:00 AM
Good Morning, I have multiple applications running with integrated security to connect to a SQL back-end database. Everything works fine on our production servers which use the default system accounts for the Application Pool. However, I had to change this to use a domain account because ...more >>


DevelopmentNow Blog