redcrystal
My setup:
Windows 2003 Servers, IIS 6.0. There have almost certainly been
adjustments to the configuration performed by the IT group that
provisions these, but I don't have complete details on what they did.
Visual Studio 2003, .NET 1.1.
I created two web services, Ping and PingAuth. I put both applications
into the same App Pool, named PingPool. In IIS, I allow anonymous users
to access Ping, but only Integrated Windows authentication is allowed
for PingAuth.
In both Ping and PingAuth's web.config files, I set:
<authentication mode="Windows" />
<authorization><allow users="*" /></authorization>
<identity impersonate="false" />
(I know that impersonation defaults to false, but just so you can see
it...)
I am in the Administrators group on the IIS 6 box.
Here's the scenario. If I use IIS 6 to set the identity for the
application pool (PingPool) to a domain account (a faceless service
account, in my test), then, even if I do not access any other resources
(not even on the same box), I get a 401 error on the PingAuth service,
even when I just try to open the project in Visual Studio or browse to
the Service1.asmx page. IE will present a login dialog, but even if I
supply my proper credentials, it will not log me in. Similarly, a web
service client proxy fails to access the web service. I do not get a
401 error on the anonymous-enabled project, Ping.
However, if I reset the PingPool application pool's identity to Network
Service, and then change the web.config files for both Ping and
PingAuth to impersonate the service account, everything runs
beautifully. Only authenticated users are allowed in, and I can
identify them properly using Context.User or Thread.CurrentPrincipal,
while WindowsIdentity.GetCurrent() identifies the impersonated service
account.
Is there a Windows 2003 privilege that I need to set for the service
account so that I can set it to be the identity of the application
pool? I'd rather not have the password for the service account hanging
around in the web.config file, nor stored in the source code, and I'm
too lazy to mess with storing it securely in web.config or in code,
when just setting the application pool identity should work.
TIA,
->Alan
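The working arrangement described above (PingPool running as Network Service, web.config impersonating the service account) can keep the service account's password out of web.config and out of source control on .NET 1.1 by storing the credentials in the registry with aspnet_setreg.exe and referencing them with the registry: syntax. This is an added example, not part of the original post; the key path SOFTWARE\PingPool\identity and the account name are placeholders.

```xml
<!-- web.config fragment for Ping and PingAuth (added example; key path and account are placeholders) -->
<configuration>
  <system.web>
    <!-- IIS performs the authentication: anonymous for Ping, Integrated Windows only for PingAuth -->
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
    <!-- Run each request as the service account, but read its credentials from the
         registry key written by aspnet_setreg.exe instead of embedding them here.
         The worker process identity (Network Service in this setup) must be granted
         Read access on that key, or the impersonation will fail at startup. -->
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\PingPool\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\PingPool\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

The key is created once on each server with `aspnet_setreg.exe -k:SOFTWARE\PingPool\identity -u:"DOMAIN\svcaccount" -p:"<password>"`, which stores the values encrypted so the plaintext password is never present in a file that ships with the application.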