IIS 6 security - can anyone explain this for me?

Michael Tsai

Hi,
It is said that IIS 6 uses HTTP.sys as the front end for
handling HTTP requests, and passes ASP.NET requests
to w3wp.exe, but after some simple experiments,
I found the security settings (e.g. Authentication method)
in the IIS metabase are still applied before the HTTP request
reaches my ASP.NET application.

Can anyone explain this for me? Or point to an
article that explains: when a user requests an ASP.NET
page, what happens between HTTP.sys and the IIS metabase?

Michael
 
Juan T. Llibre

Michael, what do you find odd in that?

http.sys does *not* load any application code,
it only parses and routes requests.

Please review these documents:

"Security Enhancements in Internet Information Services 6.0" :
http://download.microsoft.com/download/a/4/c/a4c57604-f17c-4214-9d64-53084036922e/IISEnhance.doc

"Technical Overview of Internet Information Services (IIS) 6.0" :
http://download.microsoft.com/download/8/a/7/8a700c68-d1af-4c8d-b11e-5f974636a7dc/IISOverview.doc

They will be of use in understanding how http.sys works within IIS.
 
Michael Tsai

Juan, thank you very much for the information.
I've read them quickly and I am still confused;
maybe I did not describe my question clearly.

In Fritz's "Essential ASP.NET with Examples",
section 3.1.5, he said:

"IIS is always listening for requests and dispatching
them to the ASP.NET worker process if they are
ASP.NET requests. This is important to realize because
the configuration settings in the IIS metabase are applied
*before* the request to the ASP.NET worker process
is dispatched.
....
For example, if you specify in the IIS metabase that users
must be authenticated using Windows authentication, but
in your ASP.NET application web.config file
you have granted anonymous access, users will always be
required to authenticate before they can access pages.."

I tried it with both IIS 5 and IIS 6, and I got the same
result as Fritz said. But why? All the documents say that in
IIS 6, HTTP.sys is only a "gate" to pass requests to w3wp.exe,
so in the above example, when was the IIS metabase checked
for the authentication, and by whom? Is it WAS or aspnet_isapi.dll
in the w3wp process? This is what I really want to know.

Hope I made my question clear (English is not my mother tongue).

Michael
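
The ordering described in the book quote above, modelled as two checks in sequence. This is an added example, not part of the thread and not IIS or ASP.NET code. The function names, the sample web.config and the user name are constructed, and only the anonymous bit of the metabase `AuthFlags` property and `users=` authorization rules are modelled.

```python
import xml.etree.ElementTree as ET

# IIS metabase AuthFlags bits (MD_AUTH_* values).
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM, AUTH_DIGEST = 0x1, 0x2, 0x4, 0x10

# Constructed sample: a web.config that grants access to everyone,
# anonymous users included.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>"""


def aspnet_allows(web_config_xml, user):
    """ASP.NET URL authorization: the first matching allow/deny rule wins.
    user is None for an anonymous request; only users= rules are modelled."""
    root = ET.fromstring(web_config_xml)
    for rule in root.findall("./system.web/authorization/*"):
        names = [n.strip() for n in rule.get("users", "").split(",")]
        matched = ("*" in names
                   or (user is None and "?" in names)
                   or (user is not None and user in names))
        if matched:
            return rule.tag == "allow"
    return True  # the inherited machine-level default is <allow users="*"/>


def evaluate(auth_flags, web_config_xml, user=None):
    """Return (layer, outcome). user is the identity IIS established,
    or None when the request carries no credentials."""
    # Stage 1: the metabase authentication setting is applied first.
    if user is None and not auth_flags & AUTH_ANONYMOUS:
        return ("IIS", "401 challenge")
    # Stage 2: only now is the request dispatched to ASP.NET,
    # where the web.config authorization rules are evaluated.
    if aspnet_allows(web_config_xml, user):
        return ("ASP.NET", "200 served")
    return ("ASP.NET", "401 denied")


if __name__ == "__main__":
    # Metabase requires Windows authentication, web.config allows everyone.
    print(evaluate(AUTH_NTLM, SAMPLE_WEB_CONFIG))
    print(evaluate(AUTH_NTLM, SAMPLE_WEB_CONFIG, user="CORP\\michael"))
```

With the metabase set to integrated Windows authentication only, the anonymous request stops at the first stage, so the `<allow users="*" />` rule in web.config is never consulted for it.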
 
