"Glen Scott" wrote in message
news:%23eV40a6jFHA.3012@TK2MSFTNGP12.phx.gbl...
: Roland Hall wrote:
:
: >"Glen Scott" wrote in message
: >news:%23ZvpwdxjFHA.2852@TK2MSFTNGP15.phx.gbl...
: >...
: >:
: >: My question? What is the security difference between disabling
: >: anonymous access and using account X from the web client, versus
: >: allowing anonymous access but using account X as the account that runs
: >: the application?
: >
: >What are the NTFS permissions and what authentication method are you
using?
: >
: I was using plain text authentication when disabling anonymous access.
I believe that's called Basic Authentication.
: I'm really looking for some understanding as to what different
: permissions the web app process is given depending on the configuration.
Well, it's more than that. It also depends on how you first connect to the
web server itself. If anonymous, it will look for anonymous and if
integrated, then it will look for integrated for other pages. So, if you're
using Basic authentication, then you shouldn't be connecting anonymously
first.
: For example, what does a) enabling anonymous access using a high
: permission account give that b) windows integrated security not give and
: c) plain text authentication does not give?
Here is how I understand it to work:
The anonymous account uses the Internet Guest account. By default, the
password is handled automatically and you do not need to know what it is.
This way anyone (anonymously) can connect to your web server and retrieve
any document where they have rights to do so.
Basic authentication makes a request to retrieve a page and if the NTFS
permissions require authentication to the document, then you are prompted to
enter credentials of username/password [domain]. This is either sent across
the wire in plain text or encoded (not encrypted) so best only to use this
method with an SSL (secure - encrypted) connection.
Integrated authentication offers a challenge and the client responds and if
the challenge is met, the document is returned. It works similar to a
public/private key handshake where information is encrypted with the public
key, passed to the client and the client uses its private key to decrypt
the page and respond with a result. It never passes the username/password
across the wire and since only the client can decrypt the message, the
server knows, when the correct response is returned, that the client has the right
credentials and returns the page.
http://msdn.microsoft.com/library/de...l/iis5auth.asp
http://msdn.microsoft.com/library/de...entication.asp
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center -
http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation -
http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library -
http://msdn.microsoft.com/library/default.asp
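An added illustration of the two points made in the reply above (not code from either poster): a Basic Authorization header is only base64-encoded, so anyone watching a non-SSL connection can recover the username and password, whereas a challenge/response exchange never puts the password itself on the wire. The challenge/response part is a deliberately simplified model built on HMAC-SHA256 over a random server challenge; it is an assumption standing in for the real NTLM/Kerberos exchanges, not a description of them.

```python
import base64
import hashlib
import hmac
import secrets

# --- Basic authentication: base64 is encoding, not encryption ---------------

def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

def credentials_from_basic_header(header: str) -> tuple:
    """What anyone observing a non-SSL connection can do: decode the header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# --- Simplified challenge/response model of integrated authentication --------
# Assumption: a keyed hash (HMAC-SHA256) over a random server challenge stands
# in for the real NTLM/Kerberos exchange; only the principle is modelled.

def client_response(password: str, challenge: bytes) -> bytes:
    """Client proves it knows the password by keying a hash with it."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def run_challenge_response(stored_password: str, client_password: str) -> tuple:
    """Simulate one exchange; returns (accepted, bytes that crossed the wire)."""
    challenge = secrets.token_bytes(16)                      # server -> client
    response = client_response(client_password, challenge)   # client -> server
    expected = client_response(stored_password, challenge)   # server-side check
    accepted = hmac.compare_digest(expected, response)
    return accepted, challenge + response

def password_on_the_wire(wire: bytes, password: str) -> bool:
    """True if the password text itself is visible in the captured bytes."""
    return password.encode() in wire

if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    hdr = build_basic_header("glen", "s3cret")
    print(hdr, "->", credentials_from_basic_header(hdr))
    ok, wire = run_challenge_response("s3cret", "s3cret")
    print("accepted:", ok, "password visible:", password_on_the_wire(wire, "s3cret"))
```

Run it and compare the two transcripts: the Basic header decodes straight back to the credentials, while the challenge/response capture contains neither the password nor anything reusable once the server issues a fresh challenge.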