Authenticated User Impersonation in Classic ASP under IIS7IIS 6.0 on Windows Server 2003 setup for Integrated Windows Authentication but no direct access for users to the shared foldersIssues with Classic ASP on IIS7IIS7 Session ID rotating with Classic ASPIIS 7.5 running Classic ASP connecting to UNC path problemGetting Classic ASP to work in .js files under IIS 7ASP Classic + IIS7 issuesGetting Impersonation working in Classic ASP app under IIS 7.5IIS7 + ASP.NET Impersonation + Windows Auth = 401 UnauthorizedClassic ASP Impersonation | Windows authentication | File Access Denied IIS 7WMI Impersonation levels within vbscript / ASP codeIIS 6.0 on Windows Server 2003 setup for Integrated Windows Authentication but no direct access for users to the shared folders
How wide is a neg symbol, how to get the width for alignment?
Apache ErrorDocument returns 404 in place of 302
What is the name of this hexagon/pentagon polyhedron?
How did Kirk identify Gorgan in "And the Children Shall Lead"?
What to use instead of cling film to wrap pastry
How to apply differences on part of a list and keep the rest
How can I get a job without pushing my family's income into a higher tax bracket?
Shantae Dance Matching
Can Infinity Stones be retrieved more than once?
Using column size much larger than necessary
Can there be a single technologically advanced nation, in a continent full of non-technologically advanced nations?
Why doesn't WotC use established keywords on all new cards?
If I readied a spell with the trigger "When I take damage", do I have to make a constitution saving throw to avoid losing Concentration?
What does this colon mean? It is not labeling, it is not ternary operator
How do LIGO and VIRGO know that a gravitational wave has its origin in a neutron star or a black hole?
Is latino sine flexione dead?
Why wasn't the Night King naked in S08E03?
Verb "geeitet" in an old scientific text
Pressure inside an infinite ocean?
What is the most remote airport from the center of the city it supposedly serves?
Why is B♯ higher than C♭ in 31-ET?
Hyperlink on red background
Should I replace my bicycle tires if they have not been inflated in multiple years
Why Isn’t SQL More Refactorable?
Authenticated User Impersonation in Classic ASP under IIS7
IIS 6.0 on Windows Server 2003 setup for Integrated Windows Authentication but no direct access for users to the shared foldersIssues with Classic ASP on IIS7IIS7 Session ID rotating with Classic ASPIIS 7.5 running Classic ASP connecting to UNC path problemGetting Classic ASP to work in .js files under IIS 7ASP Classic + IIS7 issuesGetting Impersonation working in Classic ASP app under IIS 7.5IIS7 + ASP.NET Impersonation + Windows Auth = 401 UnauthorizedClassic ASP Impersonation | Windows authentication | File Access Denied IIS 7WMI Impersonation levels within vbscript / ASP codeIIS 6.0 on Windows Server 2003 setup for Integrated Windows Authentication but no direct access for users to the shared folders
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I've recently moved one of our servers from Server 2003 and IIS6 to Server 2008 R2 and IIS7 (technically IIS7.5 I suppose). In doing so I am transitioning a small account management tool written in classic ASP and have run into a problem with user impersonation. Extensive searching hasn't been much help so far.
Under IIS6, the site was configured to impersonate the logged-in user. Thus, if a domain admin logged in, he was able to run commands to create user directories, adjust permissions, etc. Using Procmon you can see the processes executing as that user. This worked fine.
However, with the same code under IIS7, I am unable to get this behavior. I have enabled Basic Authentication, disabled Anonymous Auth, enabled impersonation and have changed the app pool to classic instead of integrated pipelining. Everything seems to be configured correctly, however, all the processes launched by the classic ASP site continue to run as the default AppPool identity and not the logged-in user.
If it matters, programs are being launched with code such as:
set Wsh = Server.CreateObject("WScript.Shell")
Wsh.Run("cmd.exe /C mkdir D:usersfoo")
Monitoring via Procmon shows cmd.exe being run as either "Classic .NET AppPool" or "DefaultAppPool" depending on the pipeline mode.
Any suggestions on how to get the classic ASP site to impersonate and execute as the authenticated user would be great. Thanks!
iis-7 asp-classic asp impersonation
add a comment |
I've recently moved one of our servers from Server 2003 and IIS6 to Server 2008 R2 and IIS7 (technically IIS7.5 I suppose). In doing so I am transitioning a small account management tool written in classic ASP and have run into a problem with user impersonation. Extensive searching hasn't been much help so far.
Under IIS6, the site was configured to impersonate the logged-in user. Thus, if a domain admin logged in, he was able to run commands to create user directories, adjust permissions, etc. Using Procmon you can see the processes executing as that user. This worked fine.
However, with the same code under IIS7, I am unable to get this behavior. I have enabled Basic Authentication, disabled Anonymous Auth, enabled impersonation and have changed the app pool to classic instead of integrated pipelining. Everything seems to be configured correctly, however, all the processes launched by the classic ASP site continue to run as the default AppPool identity and not the logged-in user.
If it matters, programs are being launched with code such as:
set Wsh = Server.CreateObject("WScript.Shell")
Wsh.Run("cmd.exe /C mkdir D:usersfoo")
Monitoring via Procmon shows cmd.exe being run as either "Classic .NET AppPool" or "DefaultAppPool" depending on the pipeline mode.
Any suggestions on how to get the classic ASP site to impersonate and execute as the authenticated user would be great. Thanks!
iis-7 asp-classic asp impersonation
Is your IIS application configured for pass-through authentication as the application user? To check on this, highlight your application (virtual directory) in the IIS Manager and bring up the Basic Settings window. Then click on the Connect As button. What is it set to? If you set up the "Connect As" option to run under a specific account and then check ProcMon, does your process run under the specified account, or does it still run under DefaultAppPool? I'm struggling with a VERY similar issue. I have one 2008 R2 server where our object runs properly under the user's context and another R2 s
– CowherPower
Mar 2 '11 at 20:42
FWIW, Domain Admins should no be logging into web apps to perform administration. This now becomes low hanging fruit to compromise those credentials. Consider upgrading this web app to use jobs and/or services.
– user2320464
Jan 2 '16 at 0:59
add a comment |
I've recently moved one of our servers from Server 2003 and IIS6 to Server 2008 R2 and IIS7 (technically IIS7.5 I suppose). In doing so I am transitioning a small account management tool written in classic ASP and have run into a problem with user impersonation. Extensive searching hasn't been much help so far.
Under IIS6, the site was configured to impersonate the logged-in user. Thus, if a domain admin logged in, he was able to run commands to create user directories, adjust permissions, etc. Using Procmon you can see the processes executing as that user. This worked fine.
However, with the same code under IIS7, I am unable to get this behavior. I have enabled Basic Authentication, disabled Anonymous Auth, enabled impersonation and have changed the app pool to classic instead of integrated pipelining. Everything seems to be configured correctly, however, all the processes launched by the classic ASP site continue to run as the default AppPool identity and not the logged-in user.
If it matters, programs are being launched with code such as:
set Wsh = Server.CreateObject("WScript.Shell")
Wsh.Run("cmd.exe /C mkdir D:usersfoo")
Monitoring via Procmon shows cmd.exe being run as either "Classic .NET AppPool" or "DefaultAppPool" depending on the pipeline mode.
Any suggestions on how to get the classic ASP site to impersonate and execute as the authenticated user would be great. Thanks!
iis-7 asp-classic asp impersonation
I've recently moved one of our servers from Server 2003 and IIS6 to Server 2008 R2 and IIS7 (technically IIS7.5 I suppose). In doing so I am transitioning a small account management tool written in classic ASP and have run into a problem with user impersonation. Extensive searching hasn't been much help so far.
Under IIS6, the site was configured to impersonate the logged-in user. Thus, if a domain admin logged in, he was able to run commands to create user directories, adjust permissions, etc. Using Procmon you can see the processes executing as that user. This worked fine.
However, with the same code under IIS7, I am unable to get this behavior. I have enabled Basic Authentication, disabled Anonymous Auth, enabled impersonation and have changed the app pool to classic instead of integrated pipelining. Everything seems to be configured correctly, however, all the processes launched by the classic ASP site continue to run as the default AppPool identity and not the logged-in user.
If it matters, programs are being launched with code such as:
set Wsh = Server.CreateObject("WScript.Shell")
Wsh.Run("cmd.exe /C mkdir D:usersfoo")
Monitoring via Procmon shows cmd.exe being run as either "Classic .NET AppPool" or "DefaultAppPool" depending on the pipeline mode.
Any suggestions on how to get the classic ASP site to impersonate and execute as the authenticated user would be great. Thanks!
iis-7 asp-classic asp impersonation
iis-7 asp-classic asp impersonation
asked Aug 28 '10 at 3:24
user52663
Is your IIS application configured for pass-through authentication as the application user? To check on this, highlight your application (virtual directory) in the IIS Manager and bring up the Basic Settings window. Then click on the Connect As button. What is it set to? If you set up the "Connect As" option to run under a specific account and then check ProcMon, does your process run under the specified account, or does it still run under DefaultAppPool? I'm struggling with a VERY similar issue. I have one 2008 R2 server where our object runs properly under the user's context and another R2 s
– CowherPower
Mar 2 '11 at 20:42
FWIW, Domain Admins should no be logging into web apps to perform administration. This now becomes low hanging fruit to compromise those credentials. Consider upgrading this web app to use jobs and/or services.
– user2320464
Jan 2 '16 at 0:59
add a comment |
Is your IIS application configured for pass-through authentication as the application user? To check on this, highlight your application (virtual directory) in the IIS Manager and bring up the Basic Settings window. Then click on the Connect As button. What is it set to? If you set up the "Connect As" option to run under a specific account and then check ProcMon, does your process run under the specified account, or does it still run under DefaultAppPool? I'm struggling with a VERY similar issue. I have one 2008 R2 server where our object runs properly under the user's context and another R2 s
– CowherPower
Mar 2 '11 at 20:42
FWIW, Domain Admins should no be logging into web apps to perform administration. This now becomes low hanging fruit to compromise those credentials. Consider upgrading this web app to use jobs and/or services.
– user2320464
Jan 2 '16 at 0:59
Is your IIS application configured for pass-through authentication as the application user? To check on this, highlight your application (virtual directory) in the IIS Manager and bring up the Basic Settings window. Then click on the Connect As button. What is it set to? If you set up the "Connect As" option to run under a specific account and then check ProcMon, does your process run under the specified account, or does it still run under DefaultAppPool? I'm struggling with a VERY similar issue. I have one 2008 R2 server where our object runs properly under the user's context and another R2 s
– CowherPower
Mar 2 '11 at 20:42
Is your IIS application configured for pass-through authentication as the application user? To check on this, highlight your application (virtual directory) in the IIS Manager and bring up the Basic Settings window. Then click on the Connect As button. What is it set to? If you set up the "Connect As" option to run under a specific account and then check ProcMon, does your process run under the specified account, or does it still run under DefaultAppPool? I'm struggling with a VERY similar issue. I have one 2008 R2 server where our object runs properly under the user's context and another R2 s
– CowherPower
Mar 2 '11 at 20:42
FWIW, Domain Admins should no be logging into web apps to perform administration. This now becomes low hanging fruit to compromise those credentials. Consider upgrading this web app to use jobs and/or services.
– user2320464
Jan 2 '16 at 0:59
FWIW, Domain Admins should no be logging into web apps to perform administration. This now becomes low hanging fruit to compromise those credentials. Consider upgrading this web app to use jobs and/or services.
– user2320464
Jan 2 '16 at 0:59
add a comment |
3 Answers
3
active
oldest
votes
There's a little-known setting called LogonMethod, which varies the capabilities of a user account which logs on with an anonymous or plain-text logon.
I (think I) remember this changing for IIS 5 or 6, so it's possible it's changed again for 7. The effect would be exactly what you describe - a failure to do things an interactive user would have no trouble doing.
It's a bad idea to change it wholesale to achieve delegation - after all, that's what Kerberos constrained delegation and protocol transition are for - but it might help resolve this issue.
LogonMethod - IIS 6 and earlier property - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/fa99f59f-d11f-41f7-b220-ad9d433f80b0.mspx?mfr=true
LogonType - a similar-looking property for an App Pool that accepts fewer options (but Service might work for you) - http://www.iis.net/ConfigReference/system.applicationHost/applicationPools/add/processModel
Oh, and it's possible (though how-you-say bloody?) unlikely that your WScript object is running in a COM container with a different identity to the worker process.
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
add a comment |
Old post, but maybe somebody could find it helpful.
I struggled on this problem and found a way.
If you need to run .asp pages with a special user (I had problems with date and currency format) try setting the specified user as an Identity in the App pool, then set "Load User Profile" to True.
This solved my issues.
answered Jul 20 '15 at 14:11
EmileEmile
1
tried this, but the identity is still reported as NT AUTHORITYANONYMOUS LOGON
– dlatikay
Feb 23 '18 at 13:05
add a comment |
Why have not you enabled also "Integrated Windows Authentication" in IIS?
Had it logged in locally?
under local Administrator?
Make sure that:
- NTLM2 is enabled
you changed web.config from default
<authentication mode="None" />to
<authentication mode="Windows" />
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
Thanks for your reply. I'm not sure why you ask about integrated authentication. I've turned if off because we prefer to have the user explicitly prompted for credentials. However, enabling it does not make impersonation work. I'm not sure what you mean by "NTLM2 is enabled". The web.config is very sparse and contains only a single directive, <identity impersonate="true" />. Adding <authentication mode="Windows" /> doesn't do anything different. In all cases, I still see processes being created using the AppPool identity and not that of the authenticated user.
– user52663
Aug 28 '10 at 22:26
The question is about classic ASP, so<authentication>is useless here.
– Lex Li
Sep 26 '18 at 0:42
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f175534%2fauthenticated-user-impersonation-in-classic-asp-under-iis7%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
There's a little-known setting called LogonMethod, which varies the capabilities of a user account which logs on with an anonymous or plain-text logon.
I (think I) remember this changing for IIS 5 or 6, so it's possible it's changed again for 7. The effect would be exactly what you describe - a failure to do things an interactive user would have no trouble doing.
It's a bad idea to change it wholesale to achieve delegation - after all, that's what Kerberos constrained delegation and protocol transition are for - but it might help resolve this issue.
LogonMethod - IIS 6 and earlier property - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/fa99f59f-d11f-41f7-b220-ad9d433f80b0.mspx?mfr=true
LogonType - a similar-looking property for an App Pool that accepts fewer options (but Service might work for you) - http://www.iis.net/ConfigReference/system.applicationHost/applicationPools/add/processModel
Oh, and it's possible (though how-you-say bloody?) unlikely that your WScript object is running in a COM container with a different identity to the worker process.
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
add a comment |
There's a little-known setting called LogonMethod, which varies the capabilities of a user account which logs on with an anonymous or plain-text logon.
I (think I) remember this changing for IIS 5 or 6, so it's possible it's changed again for 7. The effect would be exactly what you describe - a failure to do things an interactive user would have no trouble doing.
It's a bad idea to change it wholesale to achieve delegation - after all, that's what Kerberos constrained delegation and protocol transition are for - but it might help resolve this issue.
LogonMethod - IIS 6 and earlier property - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/fa99f59f-d11f-41f7-b220-ad9d433f80b0.mspx?mfr=true
LogonType - a similar-looking property for an App Pool that accepts fewer options (but Service might work for you) - http://www.iis.net/ConfigReference/system.applicationHost/applicationPools/add/processModel
Oh, and it's possible (though how-you-say bloody?) unlikely that your WScript object is running in a COM container with a different identity to the worker process.
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
add a comment |
There's a little-known setting called LogonMethod, which varies the capabilities of a user account which logs on with an anonymous or plain-text logon.
I (think I) remember this changing for IIS 5 or 6, so it's possible it's changed again for 7. The effect would be exactly what you describe - a failure to do things an interactive user would have no trouble doing.
It's a bad idea to change it wholesale to achieve delegation - after all, that's what Kerberos constrained delegation and protocol transition are for - but it might help resolve this issue.
LogonMethod - IIS 6 and earlier property - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/fa99f59f-d11f-41f7-b220-ad9d433f80b0.mspx?mfr=true
LogonType - a similar-looking property for an App Pool that accepts fewer options (but Service might work for you) - http://www.iis.net/ConfigReference/system.applicationHost/applicationPools/add/processModel
Oh, and it's possible (though how-you-say bloody?) unlikely that your WScript object is running in a COM container with a different identity to the worker process.
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
There's a little-known setting called LogonMethod, which varies the capabilities of a user account which logs on with an anonymous or plain-text logon.
I (think I) remember this changing for IIS 5 or 6, so it's possible it's changed again for 7. The effect would be exactly what you describe - a failure to do things an interactive user would have no trouble doing.
It's a bad idea to change it wholesale to achieve delegation - after all, that's what Kerberos constrained delegation and protocol transition are for - but it might help resolve this issue.
LogonMethod - IIS 6 and earlier property - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/fa99f59f-d11f-41f7-b220-ad9d433f80b0.mspx?mfr=true
LogonType - a similar-looking property for an App Pool that accepts fewer options (but Service might work for you) - http://www.iis.net/ConfigReference/system.applicationHost/applicationPools/add/processModel
Oh, and it's possible (though how-you-say bloody?) unlikely that your WScript object is running in a COM container with a different identity to the worker process.
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
answered Jan 19 '12 at 4:25
TristanKTristanK
8,31812131
8,31812131
add a comment |
add a comment |
Old post, but maybe somebody could find it helpful.
I struggled on this problem and found a way.
If you need to run .asp pages with a special user (I had problems with date and currency format) try setting the specified user as an Identity in the App pool, then set "Load User Profile" to True.
This solved my issues.
answered Jul 20 '15 at 14:11
EmileEmile
1
tried this, but the identity is still reported as NT AUTHORITYANONYMOUS LOGON
– dlatikay
Feb 23 '18 at 13:05
add a comment |
Old post, but maybe somebody could find it helpful.
I struggled on this problem and found a way.
If you need to run .asp pages with a special user (I had problems with date and currency format) try setting the specified user as an Identity in the App pool, then set "Load User Profile" to True.
This solved my issues.
answered Jul 20 '15 at 14:11
EmileEmile
1
tried this, but the identity is still reported as NT AUTHORITYANONYMOUS LOGON
– dlatikay
Feb 23 '18 at 13:05
add a comment |
Old post, but maybe somebody could find it helpful.
I struggled on this problem and found a way.
If you need to run .asp pages with a special user (I had problems with date and currency format) try setting the specified user as an Identity in the App pool, then set "Load User Profile" to True.
This solved my issues.
answered Jul 20 '15 at 14:11
EmileEmile
1
Old post, but maybe somebody could find it helpful.
I struggled on this problem and found a way.
If you need to run .asp pages with a special user (I had problems with date and currency format) try setting the specified user as an Identity in the App pool, then set "Load User Profile" to True.
This solved my issues.
answered Jul 20 '15 at 14:11
EmileEmile
1
answered Jul 20 '15 at 14:11
EmileEmile
1
answered Jul 20 '15 at 14:11
EmileEmile
1
answered Jul 20 '15 at 14:11
EmileEmile
1
1
tried this, but the identity is still reported as NT AUTHORITYANONYMOUS LOGON
– dlatikay
Feb 23 '18 at 13:05
add a comment |
tried this, but the identity is still reported as NT AUTHORITYANONYMOUS LOGON
– dlatikay
Feb 23 '18 at 13:05
tried this, but the identity is still reported as NT AUTHORITYANONYMOUS LOGON
– dlatikay
Feb 23 '18 at 13:05
tried this, but the identity is still reported as NT AUTHORITYANONYMOUS LOGON
– dlatikay
Feb 23 '18 at 13:05
add a comment |
Why have not you enabled also "Integrated Windows Authentication" in IIS?
Had it logged in locally?
under local Administrator?
Make sure that:
- NTLM2 is enabled
you changed web.config from default
<authentication mode="None" />to
<authentication mode="Windows" />
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
Thanks for your reply. I'm not sure why you ask about integrated authentication. I've turned if off because we prefer to have the user explicitly prompted for credentials. However, enabling it does not make impersonation work. I'm not sure what you mean by "NTLM2 is enabled". The web.config is very sparse and contains only a single directive, <identity impersonate="true" />. Adding <authentication mode="Windows" /> doesn't do anything different. In all cases, I still see processes being created using the AppPool identity and not that of the authenticated user.
– user52663
Aug 28 '10 at 22:26
The question is about classic ASP, so<authentication>is useless here.
– Lex Li
Sep 26 '18 at 0:42
add a comment |
Why have not you enabled also "Integrated Windows Authentication" in IIS?
Had it logged in locally?
under local Administrator?
Make sure that:
- NTLM2 is enabled
you changed web.config from default
<authentication mode="None" />to
<authentication mode="Windows" />
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
Thanks for your reply. I'm not sure why you ask about integrated authentication. I've turned if off because we prefer to have the user explicitly prompted for credentials. However, enabling it does not make impersonation work. I'm not sure what you mean by "NTLM2 is enabled". The web.config is very sparse and contains only a single directive, <identity impersonate="true" />. Adding <authentication mode="Windows" /> doesn't do anything different. In all cases, I still see processes being created using the AppPool identity and not that of the authenticated user.
– user52663
Aug 28 '10 at 22:26
The question is about classic ASP, so<authentication>is useless here.
– Lex Li
Sep 26 '18 at 0:42
add a comment |
Why have not you enabled also "Integrated Windows Authentication" in IIS?
Had it logged in locally?
under local Administrator?
Make sure that:
- NTLM2 is enabled
you changed web.config from default
<authentication mode="None" />to
<authentication mode="Windows" />
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
Why have not you enabled also "Integrated Windows Authentication" in IIS?
Had it logged in locally?
under local Administrator?
Make sure that:
- NTLM2 is enabled
you changed web.config from default
<authentication mode="None" />to
<authentication mode="Windows" />
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
answered Aug 28 '10 at 4:15
Gennady Vanin Геннадий ВанинGennady Vanin Геннадий Ванин
41231028
41231028
Thanks for your reply. I'm not sure why you ask about integrated authentication. I've turned if off because we prefer to have the user explicitly prompted for credentials. However, enabling it does not make impersonation work. I'm not sure what you mean by "NTLM2 is enabled". The web.config is very sparse and contains only a single directive, <identity impersonate="true" />. Adding <authentication mode="Windows" /> doesn't do anything different. In all cases, I still see processes being created using the AppPool identity and not that of the authenticated user.
– user52663
Aug 28 '10 at 22:26
The question is about classic ASP, so<authentication>is useless here.
– Lex Li
Sep 26 '18 at 0:42
add a comment |
Thanks for your reply. I'm not sure why you ask about integrated authentication. I've turned if off because we prefer to have the user explicitly prompted for credentials. However, enabling it does not make impersonation work. I'm not sure what you mean by "NTLM2 is enabled". The web.config is very sparse and contains only a single directive, <identity impersonate="true" />. Adding <authentication mode="Windows" /> doesn't do anything different. In all cases, I still see processes being created using the AppPool identity and not that of the authenticated user.
– user52663
Aug 28 '10 at 22:26
The question is about classic ASP, so<authentication>is useless here.
– Lex Li
Sep 26 '18 at 0:42
Thanks for your reply. I'm not sure why you ask about integrated authentication. I've turned if off because we prefer to have the user explicitly prompted for credentials. However, enabling it does not make impersonation work. I'm not sure what you mean by "NTLM2 is enabled". The web.config is very sparse and contains only a single directive, <identity impersonate="true" />. Adding <authentication mode="Windows" /> doesn't do anything different. In all cases, I still see processes being created using the AppPool identity and not that of the authenticated user.
– user52663
Aug 28 '10 at 22:26
Thanks for your reply. I'm not sure why you ask about integrated authentication. I've turned if off because we prefer to have the user explicitly prompted for credentials. However, enabling it does not make impersonation work. I'm not sure what you mean by "NTLM2 is enabled". The web.config is very sparse and contains only a single directive, <identity impersonate="true" />. Adding <authentication mode="Windows" /> doesn't do anything different. In all cases, I still see processes being created using the AppPool identity and not that of the authenticated user.
– user52663
Aug 28 '10 at 22:26
The question is about classic ASP, so
<authentication> is useless here.– Lex Li
Sep 26 '18 at 0:42
The question is about classic ASP, so
<authentication> is useless here.– Lex Li
Sep 26 '18 at 0:42
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f175534%2fauthenticated-user-impersonation-in-classic-asp-under-iis7%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Is your IIS application configured for pass-through authentication as the application user? To check on this, highlight your application (virtual directory) in the IIS Manager and bring up the Basic Settings window. Then click on the Connect As button. What is it set to? If you set up the "Connect As" option to run under a specific account and then check ProcMon, does your process run under the specified account, or does it still run under DefaultAppPool? I'm struggling with a VERY similar issue. I have one 2008 R2 server where our object runs properly under the user's context and another R2 s
– CowherPower
Mar 2 '11 at 20:42
FWIW, Domain Admins should no be logging into web apps to perform administration. This now becomes low hanging fruit to compromise those credentials. Consider upgrading this web app to use jobs and/or services.
– user2320464
Jan 2 '16 at 0:59