Wednesday, July 4, 2018

iis 6 - IIS 7.5 running Classic ASP connecting to UNC path problem



Moving from Windows Server 2003 to Windows Server 2008 R2.
We have a classic ASP site that connect to a remote UNC '\10.1.40.7\' path.
When I run PROCMON on the web server, it says ACCESS DENIED....Impersonating: NT AUTHORITY\IUSR.




On the 10.1.40.7 server, the IUSR_COMPUTER account was setup with the same password on both the web server and the file share server. This worked fine for IIS 6.



Moving this application to IIS 7.5 and going through just about every google page I can find along checking the iis.net, learn.iis.net pages has gotten me no closer to a resolution.



This script was ran on the Windows 2003 IIS 6 server to retrieve the IUSR_COMPUTER password:
http:// www.iisfaq.com/Default.aspx?tabid=2796 -Sorry, first time poster, only 1 hyperlink permitted.-



Is classic ASP under IIS 7.5 really using just IUSR as the user, so if I get the IUSR password from IIS 7.5, and set that up on 10.1.40.7, It will work again?



Of course, it gets a little more complicated. This classic ASP web site also has some .NET mixed in with it. Again, everything works perfect on Windows 2003 IIS 6.

So If some fix allows the Classic ASP to work, hopefully it won't break the .NET code.



Again, I have been through many documents.
This article was pretty close to my issue:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.inetserver.iis&tid=fafc2d90-662f-4c61-a2c4-5328303fc429&cat=&lang=en&cr=US&sloc=en-us&p=1



While I have you looking at this is there an App that you can run on the remote server that will tell you what ID someone is trying to use to access your share?
For example in Windows XP under Computer Management, Shared Folders, Sessions/Open Files. You can see what current user is connecting to your share, but how do you see what other users are trying to connect(the failed attempts)?



!THANK YOU!




---UPDATE!---



Here is what I was able to find.
Under the Default web Site, click Authentication, then for 'Anonymous Authentication', right click, Edit. Changed Specific User to my newly created IUSR_MACHINE user account.
Now when Classic ASP connects to UNC paths, it uses the specified account.
Is this the best Solution?



Recap:
So on my old IIS 6 server, I had an account :IUSR_DELL-1SBLAH.
I used the above link to extract the password for it.
I then created that same user and ID on my new 2008 box.

I changed the Anonymous Authentication to use that specific account.



Seems to work. Will test for a few days on some of the site to see if anything fails.



Also reading more of this document to see if this is a better method:



http:// www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication


Answer



Seems the above solution is working fine.
Too bad no one else was able to chime in, I would like to know if this is the best solution.




Anyway, here is a recap.



Under the Default web Site, click Authentication, then for 'Anonymous Authentication', right click, Edit. Changed Specific User to my newly created IUSR_MACHINE user account.
Now when Classic ASP connects to UNC paths, it uses the specified account.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...