IIS 6 security - can anyone explain this for me?

Hi,
It is said that IIS 6 uses HTTP.sys as the front end for
handling HTTP requests, and passes ASP.NET requests
to w3wp.exe, but after some simple experiments,
I found the security settings (e.g. Authentication method)
in the IIS metabase are still applied before the HTTP request
reaches my ASP.NET application.

Can anyone explain this for me? Or point to an
article that explains: when a user requests an ASP.NET
page, what happens between HTTP.sys and the IIS metabase?

Michael
Nov 19 '05 #1
Michael, what do you find odd in that?

http.sys does *not* load any application code,
it only parses and routes requests.

Please review these documents :

"Security Enhancements in Internet Information Services 6.0" :
http://download.microsoft.com/downlo...IISEnhance.doc

"Technical Overview of Internet Information Services (IIS) 6.0" :
http://download.microsoft.com/downlo...ISOverview.doc

They will be of use in understanding how http.sys works within IIS.

Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET forums in Spanish
Come, and let's talk about ASP.NET...
======================

Nov 19 '05 #2
I should have added these 2 links. They have additional info.

"HTTP Protocol Stack (IIS 6.0)" :
http://www.microsoft.com/technet/pro...2cda661b4.mspx

"Http.sys.doc" (Changes to HTTP API in Windows Server 2003 SP1) :
http://download.microsoft.com/downlo...6/HTTP.SYS.doc


Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET forums in Spanish
Come, and let's talk about ASP.NET...
======================

Nov 19 '05 #3
Juan, thank you very much for the information.
I've read them quickly and I am still confused,
maybe I did not describe my question clearly.

In Fritz's "Essential ASP.NET with Examples",
section 3.1.5, he said:

"IIS is always listening for requests and dispatching
them to the ASP.NET worker process if they are
ASP.NET requests. This is important to realize because
the configuration settings in the IIS metabase are applied
*before* the request to the ASP.NET worker process
is dispatched.
....
For example, if you specify in the IIS metabase that users
must be authenticated using Windows authentication, but
in your ASP.NET application web.config file
you have granted anonymous access, user will always be
required to authenticate before they can access pages."

I experimented with it on both IIS 5 and IIS 6, and I get the same
result as Fritz said. But why? All the documents say that in
IIS 6, HTTP.sys is only a "gate" to pass requests to w3wp.exe,
so in the above example, when and who checked the IIS
metabase for the authentication? Is it WAS or aspnet_isapi.dll
in the w3wp process? This is what I really want to know.

Hope I made my question clear (English is not my mother tongue).

Michael

Nov 19 '05 #4
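
The layering described in the book passage quoted in post #4, as an added example that is not part of the original thread or of the cited book: a simplified Python model in which the IIS authentication setting is checked first and the web.config authorization rules are evaluated only for requests that pass it. The AuthFlags bit values are the IIS metabase ones; the function names, the rule representation and the sample user are assumptions made for the illustration.

```python
# Simplified model (added illustration): the IIS authentication setting is
# applied before ASP.NET URL authorization ever sees the request.

# IIS metabase AuthFlags bits
AUTH_ANONYMOUS = 0x01
AUTH_BASIC = 0x02
AUTH_NTLM = 0x04  # Integrated Windows authentication


def iis_layer(auth_flags, user):
    """Return (passed, identity); `user` is None when no credentials are sent."""
    if user is not None and auth_flags & (AUTH_BASIC | AUTH_NTLM):
        return True, user      # authenticated at the IIS level
    if auth_flags & AUTH_ANONYMOUS:
        return True, None      # passed on as the anonymous user
    return False, None         # challenged; request is never dispatched


def aspnet_layer(rules, identity):
    """Evaluate web.config <authorization> rules; the first match wins.

    rules: list of (verb, users), users being "*" (everyone),
    "?" (anonymous users) or one user name.
    """
    for verb, users in rules:
        if users == "*" or (users == "?" and identity is None) or users == identity:
            return verb == "allow"
    return True  # inherited default rule is <allow users="*"/>


def handle(auth_flags, rules, user=None):
    """Run a request through both layers and report where it ended up."""
    passed, identity = iis_layer(auth_flags, user)
    if not passed:
        return "401 from IIS (web.config not consulted)"
    if not aspnet_layer(rules, identity):
        return "401 from ASP.NET authorization"
    return "200 for " + (identity or "anonymous")


# web.config that grants anonymous access, as in the quoted example
ALLOW_ALL = [("allow", "*")]
# Constructed sample user name
SAMPLE_USER = "DOMAIN\\alice"
```

With `AUTH_NTLM` alone, `handle(AUTH_NTLM, ALLOW_ALL)` is rejected at the IIS layer even though the web.config rules allow everyone, which is the behaviour the quoted passage describes.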
