
Tuesday, February 12, 2013

IIS Identity

An IIS-hosted website can end up using several different Windows identities when it accesses resources on the web server itself and on a remote server, and which identity applies in which configuration is not well documented. To pin it down, this is what I did. I created a website on server A which accessed a SQL Server database on server B, with the connection to SQL Server using Windows authentication. After setting this up, I accessed the website from my local desktop and noted down, for each configuration, the credentials it used to access resources on the web server and on SQL Server.
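The handler below is an added example, not code from the original post, of how to record those identities for each run. It reports the three things every row of the tables that follow captures: who IIS authenticated (HttpContext.User), the Windows token the request thread actually holds (which is what file access on the web server uses), and the login that SQL Server on server B authenticated. The server name "serverB", the database and the handler name are assumptions.

```csharp
// WhoAmI.ashx.cs - added example; not code from the original post.
// Reports, per request, the identities that the tables below record:
//   1. context.User               - who IIS authenticated (empty when anonymous)
//   2. WindowsIdentity.GetCurrent - the token the request thread actually holds,
//                                   i.e. what is used for files on the web server
//   3. SUSER_SNAME() on SQL Server - what the second hop on server B sees
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class WhoAmI : IHttpHandler
{
    // Assumed: SQL Server runs on "serverB"; host and database are placeholders.
    // Integrated Security=SSPI makes the connection present the thread's Windows
    // token, so what SQL Server sees depends on the IIS/web.config settings.
    private const string ConnectionString =
        "Server=serverB;Database=master;Integrated Security=SSPI;Connection Timeout=5";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        IPrincipal user = context.User;
        string iisUser = (user != null && user.Identity.IsAuthenticated)
            ? user.Identity.Name
            : "(anonymous)";

        // The thread token: app pool identity, IUSR, the Connect As user, or the
        // impersonated caller, depending on the configuration under test.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        context.Response.Write("IIS authenticated user  : " + iisUser + "\r\n");
        context.Response.Write("Thread Windows identity : " + thread.Name +
            " [" + thread.ImpersonationLevel + "]\r\n");
        context.Response.Write("SQL Server sees         : " + SqlServerLogin() + "\r\n");
    }

    // Asks SQL Server which login it authenticated and with which scheme
    // (NTLM or KERBEROS). A session can always see its own row in
    // sys.dm_exec_connections, so no VIEW SERVER STATE grant is needed.
    private static string SqlServerLogin()
    {
        try
        {
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand(
                "SELECT SUSER_SNAME() + ' via ' + auth_scheme " +
                "FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
            {
                conn.Open();
                return (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            // Error 18456 is "Login failed for user '...'" - the tables' INVALID
            // LOGIN. Its message names the account SQL Server was presented with,
            // which is the quickest way to learn what the second hop carried.
            return (ex.Number == 18456 ? "INVALID LOGIN: " : "ERROR: ") + ex.Message;
        }
    }
}
```

To deploy it without a compile step, save the class as WhoAmI.ashx with `<%@ WebHandler Language="C#" Class="WhoAmI" %>` as its first line, then browse to /WhoAmI.ashx after each change to the IIS authentication, Connect As, `<authentication>` and `<identity>` settings. When the thread identity is the browser user but the impersonation level is Impersonation rather than Delegation, the token cannot be forwarded to server B, which is exactly the case where SQL Server reports NT AUTHORITY\ANONYMOUS LOGON.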




During the experiment I varied the IIS Authentication settings (Anonymous, Windows, and both enabled), the web application's authentication mode in web.config, and whether impersonation was enabled.



I performed the experiment once for each Connect As option in IIS 7.5 (the setting that decides which account IIS uses to reach the site's physical path).

The first run used "Application user (pass-through authentication)":


Results:

IIS authentication    | Web app authentication mode | Impersonation enabled? | Identity used on the web server | Identity used on SQL Server
----------------------+-----------------------------+------------------------+---------------------------------+-----------------------------
Anonymous             | None                        | No                     | Application pool identity       | Invalid login
Anonymous             | None                        | Yes                    | NT AUTHORITY\IUSR               | NT AUTHORITY\ANONYMOUS LOGON
Anonymous             | Windows                     | Yes                    | NT AUTHORITY\IUSR               | NT AUTHORITY\ANONYMOUS LOGON
Anonymous             | Windows                     | No                     | Application pool identity       | Invalid login
Anonymous and Windows | Windows                     | No                     | Application pool identity       | Invalid login
Anonymous and Windows | Windows                     | Yes                    | NT AUTHORITY\IUSR               | NT AUTHORITY\ANONYMOUS LOGON
Windows               | Windows                     | Yes                    | Logged-in user                  | NT AUTHORITY\ANONYMOUS LOGON

"Invalid login" means SQL Server rejected the account it was presented with. When the application pool runs as the built-in ApplicationPoolIdentity or Network Service, a remote server such as server B is presented with the web server's computer account (DOMAIN\SERVERA$), which had no login on SQL Server in this setup.



The second run used "Specific user":

Results:

IIS authentication    | Web app authentication mode | Impersonation enabled? | Identity used on the web server | Identity used on SQL Server
----------------------+-----------------------------+------------------------+---------------------------------+----------------------------
Anonymous             | None                        | No                     | Application pool identity       | Invalid login
Anonymous             | None                        | Yes                    | IIS specific user identity      | Invalid login
Anonymous             | Windows                     | Yes                    | IIS specific user identity      | Invalid login
Anonymous             | Windows                     | No                     | Application pool identity       | Invalid login
Anonymous and Windows | Windows                     | No                     | Application pool identity       | Invalid login
Anonymous and Windows | Windows                     | Yes                    | IIS specific user identity      | Invalid login
Windows               | Windows                     | Yes                    | IIS specific user identity      | Invalid login

Note that once impersonation is enabled, the Connect As user replaces both IUSR and the logged-in browser user as the thread identity on the web server.




If you are trying to access SQL Server with Windows authentication, the double hop issue prevents the caller's credentials from reaching SQL Server: the token IIS obtains by authenticating the browser user is valid only on the web server, so when the application opens a connection to server B with that token, SQL Server sees NT AUTHORITY\ANONYMOUS LOGON (last row of the first table). One way to overcome that is to impersonate a specific user in your web.config, which makes every request, and therefore every SQL connection, run as that fixed account. That account's credentials then live in web.config, so encrypt the section and grant the account only the database rights the application needs.
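As an added example (these are not the original post's configuration files), here is the web.config that produces the last row of the first table beside the fixed-identity version that works around the double hop. The account name CORP\svc-web, the password placeholder, the host serverB and the database name are assumptions.

```xml
<!-- Added example, not from the original post. Account, password, server and
     database names are placeholders. -->

<!-- 1. Observed configuration: Windows auth in IIS, Windows mode, impersonation
        on. Files on the web server are opened as the browser user, but that
        token is good only on the web server, so the Integrated Security
        connection to server B arrives as NT AUTHORITY\ANONYMOUS LOGON. -->
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=serverB;Database=AppDb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>

<!-- 2. Fixed identity: every request, and every SQL connection it opens, runs
        as CORP\svc-web, which SQL Server can authenticate on the second hop.
        HttpContext.User still names the browser user, so per-user
        authorization in the application keeps working. Give svc-web only the
        database permissions the application needs. -->
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=serverB;Database=AppDb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="CORP\svc-web" password="CHANGE-ME" />
  </system.web>
</configuration>
```

The password in the second fragment is stored in clear text, and web.config is readable by anyone who can read the site's directory, so encrypt that section on the web server with `aspnet_regiis -pe "system.web/identity" -app "/YourApp"`; ASP.NET decrypts it transparently at runtime. Also check the first table's "Logged-in user" row: if you need SQL Server to see the actual caller rather than a fixed account, the fix is Kerberos delegation for the web server's identity, not web.config impersonation.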
