IIS runas Different User

Thxx fpo your answer.

I have already tried to deny anonymous access, but this
doesn't change anything at all. towards ActiveDirectory,
the webserver still authenticates as i_usr or anonymous or
so.

but what exactly do you mean by: change the anonymous user
account??



 >-----Original Message-----
 >You can change the anonymous user account
 > -or-
 >You can force the user to authenticate (by denying "allow
anonymous")
 >
 >You do both these things via the IIS MMC Snapin, on the
directory security
 >tab, for either the website as a whole, a specific
directory or a specific
 >file.
 >
 >Cheers
 >Ken
 >
 >
 >"Treml Juergen" <juergentreml.RemoveThis@sar-gmbh.com> wrote in
message
 >news:13c701c3826f$a11c19e0$a101280a@phx.gbl...
 >: Hi,
 >:
 >: i have the problem, that i need to list the users in an
 >: Active Directory via ASP Page. And i need to do this
with
 >: LDAP not WinNT Command.
 >:
 >: The Problem is, this only works if i run then page
 >: directly on the webserver connection to
 >: <a style='text-decoration: underline;' href="http://localhost/test.asp." target="_blank">http://localhost/test.asp.</a> If somebody else in the
network
 >: visits this site, he gets an internal server error
because
 >: the server authenticates towards active directory
 >: as "Anonymous" or "I_User" or so an though has not
enought
 >: rights to list AD entries.
 >:
 >: Is there any possibility to tell IIS under which user to
 >: run a certain page or web?
 >:
 >: I hope anyone of you can help me.
 >: Thxx
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS runas Different User 

I tried something similar, listing the logged in users (using ADSI
with Sessions) and had the same problem: it worked fine on the server
itself en gave a server error (-2147463164, 80005004) on clients.

Using the administrator account for anynomous access solved my problem
(it's a local intranet site, so using the administrator account is not
that much of a problem).

You do that by selecting the site in IIS, right-clicking and selecting
properties. Tab 'Directory security', select 'Anonymous access' and
with the Edit button you select an account with administrative rights.
Enter the admin-password twice when prompted and there you go.

It's not ideal for your security, though. I would like to use an
separate user account for this. On which file(s) do you need to set
the security to access the domain functions on a NT server? Anyone
have any ideas?


"Treml Juergen" <juergentreml.DeleteThis@sar-gmbh.com> wrote in message news:<d5a601c3827a$97c077a0$a601280a@phx.gbl>...
 > Thxx fpo your answer.
 >
 > I have already tried to deny anonymous access, but this
 > doesn't change anything at all. towards ActiveDirectory,
 > the webserver still authenticates as i_usr or anonymous or
 > so.
 >
 > but what exactly do you mean by: change the anonymous user
 > account??
 >
 >
 >
  > >-----Original Message-----
  > >You can change the anonymous user account
  > > -or-
  > >You can force the user to authenticate (by denying "allow
 > anonymous")
  > >
  > >You do both these things via the IIS MMC Snapin, on the
 > directory security
  > >tab, for either the website as a whole, a specific
 > directory or a specific
  > >file.
  > >
  > >Cheers
  > >Ken
  > >
  > >
  > >"Treml Juergen" <juergentreml.DeleteThis@sar-gmbh.com> wrote in
 > message
  > >news:13c701c3826f$a11c19e0$a101280a@phx.gbl...
  > >: Hi,
  > >:
  > >: i have the problem, that i need to list the users in an
  > >: Active Directory via ASP Page. And i need to do this
 > with
  > >: LDAP not WinNT Command.
  > >:
  > >: The Problem is, this only works if i run then page
  > >: directly on the webserver connection to
  > >: <a style='text-decoration: underline;' href="http://localhost/test.asp." target="_blank">http://localhost/test.asp.</a> If somebody else in the
 > network
  > >: visits this site, he gets an internal server error
 > because
  > >: the server authenticates towards active directory
  > >: as "Anonymous" or "I_User" or so an though has not
 > enought
  > >: rights to list AD entries.
  > >:
  > >: Is there any possibility to tell IIS under which user to
  > >: run a certain page or web?
  > >:
  > >: I hope anyone of you can help me.
  > >: Thxx
  > >
  > >
  > >.
  > ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IIS runas Different User 

i already tried all that things, but the problem i have
is, that i need two things:

1) i need the login of the user who visits the site (this
has a lot of reasons which i do not want to explain here.
i just need it!)

2)the webserver must pass this login to the active
directory, because i_usr - of course - does not have the
permission to read or write anything to AD.

I've been searching for a solution to this problem for two
days now, and i didn't find anything.

Please help me!!!! *g*
 >> Stay informed about: IIS runas Different User 

If you deny anonymous access, you need to enable Basic Authentication (not
Integrated Authentication). Or, if you want to use Integrated
Authentication, you need to enable delegation. When using Integreated
Authentication, the user token that the webserver gets doesn't have
permission to logon to remote network resources, and since the webserver
doesn't have the user's password, it can't logon either.

Alternatively, you can change the account used for anonymous access (usually
IUSR_<machinename>) to a domain account (ie an account that has permissions
to remote resources. The IUSR account is local to the webserver and can't be
assigned permissions to remote resources)

Cheers
Ken

"Treml Juergen" <juergentreml RemoveThis @sar-gmbh.com> wrote in message
news:d5a601c3827a$97c077a0$a601280a@phx.gbl...
: Thxx fpo your answer.
:
: I have already tried to deny anonymous access, but this
: doesn't change anything at all. towards ActiveDirectory,
: the webserver still authenticates as i_usr or anonymous or
: so.
:
: but what exactly do you mean by: change the anonymous user
: account??
:
:
:
: >-----Original Message-----
: >You can change the anonymous user account
: > -or-
: >You can force the user to authenticate (by denying "allow
: anonymous")
: >
: >You do both these things via the IIS MMC Snapin, on the
: directory security
: >tab, for either the website as a whole, a specific
: directory or a specific
: >file.
: >
: >Cheers
: >Ken
: >
: >
: >"Treml Juergen" <juergentreml RemoveThis @sar-gmbh.com> wrote in
: message
: >news:13c701c3826f$a11c19e0$a101280a@phx.gbl...
: >: Hi,
: >:
: >: i have the problem, that i need to list the users in an
: >: Active Directory via ASP Page. And i need to do this
: with
: >: LDAP not WinNT Command.
: >:
: >: The Problem is, this only works if i run then page
: >: directly on the webserver connection to
: >: http://localhost/test.asp. If somebody else in the
: network
: >: visits this site, he gets an internal server error
: because
: >: the server authenticates towards active directory
: >: as "Anonymous" or "I_User" or so an though has not
: enought
: >: rights to list AD entries.
: >:
: >: Is there any possibility to tell IIS under which user to
: >: run a certain page or web?
: >:
: >: I hope anyone of you can help me.
: >: Thxx
: >
: >
: >.
: >
 >> Stay informed about: IIS runas Different User 

First, uncheck anonymous, and decide if you are going to use Basic, or Integrated (or both if you have some non IE clients). Now, run filemon and regmon
from www.sysinternals.com and find out what is failing. You also want to the asp group, as they should know exactly what you need:
microsoft.public.inetserver.asp.general

Thank you. I hope this information is helpful.

Tim Coffey [MSFT]

This posting is provided “AS IS” with no warranties, and confers no rights. You assume all risk for your use. © 2001 Microsoft Corporation. All rights reserved.
--------------------
| Content-Class: urn:content-classes:message
| From: "Treml Juergen" <juergentreml.DeleteThis@sar-gmbh.com>
| Sender: "Treml Juergen" <juergentreml.DeleteThis@sar-gmbh.com>
| References: <13c701c3826f$a11c19e0$a101280a@phx.gbl> <ehlcJTngDHA.1088.DeleteThis@TK2MSFTNGP10.phx.gbl> <d5a601c3827a$97c077a0
$a601280a@phx.gbl> <8793649b.0309240542.45abc7a9.DeleteThis@posting.google.com>
| Subject: Re: IIS runas Different User, it works!
| Date: Wed, 24 Sep 2003 08:59:00 -0700
| Lines: 15
| Message-ID: <19df01c382b4$c4f6f930$a001280a@phx.gbl>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcOCtMT0EMofx69YTke7wr63vEltuA==
| Newsgroups: microsoft.public.inetserver.iis
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.inetserver.iis:276934
| NNTP-Posting-Host: TK2MSFTNGXA08 10.40.1.160
| X-Tomcat-NG: microsoft.public.inetserver.iis
|
| i already tried all that things, but the problem i have
| is, that i need two things:
|
| 1) i need the login of the user who visits the site (this
| has a lot of reasons which i do not want to explain here.
| i just need it!)
|
| 2)the webserver must pass this login to the active
| directory, because i_usr - of course - does not have the
| permission to read or write anything to AD.
|
| I've been searching for a solution to this problem for two
| days now, and i didn't find anything.
|
| Please help me!!!! *g*
|
 >> Stay informed about: IIS runas Different User