How do I force to not use impersonation in IIS 7+?

Developer https://www.devze.com 2023-02-04 20:19 Source: web

I am trying to force my web application to run completely as the AppPool User (Domain\UserForApp) and I correctly set the setting in IIS and everything runs fine and "System.Security.Principal.WindowsIdentity.GetCurrent().Name" returns the correct "Domain\UserForApp".

However, when I tried to restrict the permissions of my web app directory to the bare bones needed:

  • SYSTEM (full Access)
  • Me (Full Access)
  • Administrators (Full Access)
  • UserForApp (Read)

I could no longer load any static files. So I downloaded Process Monitor to find out why and whenever it tries to access a static file, I get the following error:

ACCESS DENIED:
Desired Access:     Generic Read
Disposition:        Open
Options:            Sequential Access, No Buffering
Attributes:         RE
ShareMode:          Read, Write, Delete
AllocationSize:     n/a
Impersonating:      NT AUTHORITY\IUSR

And as you see from the above IUSR doesn't have permissions so that is correct, but I just don't understand why it's trying to impersonate anyway. In my web.config file I have:

<location path="" overrideMode="Deny">
    <system.web>
        <identity impersonate="false" />
    </system.web>
</location>

just to ensure that no one turns on impersonation, but it had no effect.

It doesn't work in both Classic and Pipelined mode, but the error is slightly different. In classic when viewing the images it just shows an HTTP Error 401.3 - Unauthorized page, and when using Pipelined it redirects to the login site.


If you want the site to run as the app pool's identity then you need:

<location path="my_site">
     <system.webServer>
         <security>
             <authentication>
                 <anonymousAuthentication userName="" />
             </authentication>
         </security>
    </system.webServer>
</location>

You can set this in your applicationHost.config file (probably the best place) by doing:

APPCMD.exe set config "my_site" -section:system.webServer/security/authentication/anonymousAuthentication /username:"" /commit:apphost
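The following PowerShell audit script is an added example, not part of the original answer. It uses the WebAdministration module to show the same three things a practitioner would verify after applying the change above: which identity anonymous authentication currently uses for the site (an empty userName means the application pool identity, the IIS default is IUSR), the equivalent of the APPCMD command written to applicationHost.config, and whether the pool identity actually holds read access on the content folder. The site name "my_site" is taken from the answer; the module name and the assumption that the site maps to a single application pool are mine.

```powershell
# Added audit script (not from the original answer). Assumes the WebAdministration
# module is installed and the site is named "my_site" as in the answer.
Import-Module WebAdministration

$siteName = 'my_site'
$filter   = 'system.webServer/security/authentication/anonymousAuthentication'

# 1. Which account does anonymous authentication impersonate for this site?
#    An empty userName means "use the application pool identity" (IIS default: IUSR).
$anon = Get-WebConfiguration -Filter $filter -PSPath "IIS:\Sites\$siteName"
if ([string]::IsNullOrEmpty($anon.userName)) {
    "anonymousAuthentication runs as the app pool identity"
} else {
    "anonymousAuthentication impersonates '$($anon.userName)'"
}

# 2. Write the setting into applicationHost.config for this site
#    (same effect as the APPCMD line with /commit:apphost).
Set-WebConfigurationProperty -Filter $filter -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $siteName -Name userName -Value ''

# 3. Resolve the pool identity and confirm it has an ACE on the content folder.
$site     = Get-Item "IIS:\Sites\$siteName"
$poolCfg  = Get-Item "IIS:\AppPools\$($site.applicationPool)"
$identity = switch ($poolCfg.processModel.identityType) {
    'SpecificUser'            { $poolCfg.processModel.userName }          # e.g. Domain\UserForApp
    'ApplicationPoolIdentity' { "IIS AppPool\$($site.applicationPool)" }
    default                   { $poolCfg.processModel.identityType }      # LocalSystem, NetworkService, ...
}
"Pool identity: $identity"
(Get-Acl $site.physicalPath).Access |
    Where-Object { $_.IdentityReference -like "*$identity*" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

If step 3 prints nothing, the pool identity has no explicit or inherited entry on the folder, which is exactly the situation that produced the ACCESS DENIED lines in Process Monitor once IUSR was no longer in the ACL; only the pool account needs Read here, IUSR does not.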
