User Security?

Hello Asaf,

Thank you for posting in the MSDN newsgroup.

From your description, you're developing an ASP.NET webservice which hosted
in IIS. Recently, you've publshed it onto a SBS 2003 server (IIS6), and
configure it to deny anonymous access. However, you found that you can not
make a custom user (newly created one) successfully access the webservice,
correct?

As for this issue, I would like to confirm some further things in your
application and the problem environment:

1. What's the authentication type setting in your webservice's IIS virtual
directory, is it basic or intergrated windows? Also, what's the webservice
application's application pool identity in IIS.

2. What's the authentication setting you configured for your ASP.NET
webservice application in the web.config , also have you used impersonate
in your webservice (through the <identity impersonate=xxx /element in
web.config) ?

3. Currently how are you accessing the webservice(through webbrowser or
client proxy code in client application built through .net framework)?

4. What's the error message or detaile behavior you get when you failed to
access the webservice through your custom non-admin account?

When you access webservice in IIS (deny anonymous access), the webbrowser
(IE) will help you supply user credential to the service, while when we use
code proxy to programmtically call webservice memthods, we need to
programmaticaly set the credential (if we don't want to use the default
security context of the client program). Also, at server-side, whether
the ASP.NET appliation is impersonated also affect the appliation's
behavior since when ASP.NET is configured as impersonate=true, it will use
the client authenticated user identity(from IIS) to access any restriected
resource which may cause error when that user doesn't have sufficient
permission.

Anyway, please feel free to let me know if you have any other finding or
there is anything I've missed here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial

response from the community or a Microsoft Support Engineer within 1
business day is

acceptable. Please note that each follow up response may take approximately
2 business days

as the support professional working with you may need further investigation
to reach the

most efficient resolution. The offering is not appropriate for situations
that require

urgent, real-time or phone-based interactions or complex project analysis
and dump analysis

issues. Issues of this nature are best handled working with a dedicated
Microsoft Support

Engineer by contacting Microsoft Customer Support Services (CSS) at

http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Hello Steven,

Thanks for your reply.

1. The authentication is "Integrated Windows Authentication".

2. Application Pool Identity is set to "Predefined" on "Network Service".

3. At web.config file only "<authentication mode="Windows" />" is set for
authentication.

4. Currently I am trying to access the web service thru IE6.

5. The error I receive when trying to access from IE6 is:

Access is denied.
Description: An error occurred while accessing the resources required to
serve this request. You might not have permission to view the requested
resources.

Error message 401.3: You do not have permission to view this directory or
page using the credentials you supplied (access denied due to Access Control
Lists). Ask the Web server's administrator to give you access.

6. When I am setting the user to be a part of *Administrator* group I am
able to access successfully to the web service.
Kind Regards,
Asaf
"Steven Cheng[MSFT]" wrote:

Hello Asaf,

Thank you for posting in the MSDN newsgroup.

From your description, you're developing an ASP.NET webservice which hosted
in IIS. Recently, you've publshed it onto a SBS 2003 server (IIS6), and
configure it to deny anonymous access. However, you found that you can not
make a custom user (newly created one) successfully access the webservice,
correct?

As for this issue, I would like to confirm some further things in your
application and the problem environment:

1. What's the authentication type setting in your webservice's IIS virtual
directory, is it basic or intergrated windows? Also, what's the webservice
application's application pool identity in IIS.

2. What's the authentication setting you configured for your ASP.NET
webservice application in the web.config , also have you used impersonate
in your webservice (through the <identity impersonate=xxx /element in
web.config) ?

3. Currently how are you accessing the webservice(through webbrowser or
client proxy code in client application built through .net framework)?

4. What's the error message or detaile behavior you get when you failed to
access the webservice through your custom non-admin account?

When you access webservice in IIS (deny anonymous access), the webbrowser
(IE) will help you supply user credential to the service, while when we use
code proxy to programmtically call webservice memthods, we need to
programmaticaly set the credential (if we don't want to use the default
security context of the client program). Also, at server-side, whether
the ASP.NET appliation is impersonated also affect the appliation's
behavior since when ASP.NET is configured as impersonate=true, it will use
the client authenticated user identity(from IIS) to access any restriected
resource which may cause error when that user doesn't have sufficient
permission.

Anyway, please feel free to let me know if you have any other finding or
there is anything I've missed here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial

response from the community or a Microsoft Support Engineer within 1
business day is

acceptable. Please note that each follow up response may take approximately
2 business days

as the support professional working with you may need further investigation
to reach the

most efficient resolution. The offering is not appropriate for situations
that require

urgent, real-time or phone-based interactions or complex project analysis
and dump analysis

issues. Issues of this nature are best handled working with a dedicated
Microsoft Support

Engineer by contacting Microsoft Customer Support Services (CSS) at

http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights

Thanks for your quick response Asaf,

Now I get that you're using the IE browser to visit the asmx page and the
server gave you 401.3 error when the custom user try visiting the page.
Based on my experience, this is a typical NTFS permission as the below
message indicates:

=========================
Error message 401.3: You do not have permission to view this directory or
page using the credentials you supplied (access denied due to Access
Control
Lists). Ask the Web server's administrator to give you access.
=========================

When you use "integrated windows authentication" and deny anonymous access
in IIS, the client will be forced to provide a valid user
identity(recognizable at server). And this identity will be forwarded from
IIS to ASP.NET runtime, if the ASP.NET application is using "Windows"
authentication(in web.config), it will use is security identity (from IIS)
as the HttpContext.Current.User.Identity, also ASP.NET by default will
perform NTFS file permision checking against this security identity for the
file (aspx or asmx ) the client is requesting...

Therefore, the problem here is whether that custom account has sufficient
permission(NTFS) to access that asmx file(read permission is enough). Based
on my local test, if your web application is created under the IIS default
site (under c:\inetpub\wwwroot), the machine\users group should have the
read permission to it automatically. Is your webservice application's
folder put in an external directory/drive on the server machine? Anyway,
you can check your webservice application's directory's NTFS security
setting (grant the custom account sufficient permision to your webservice's
application dir or that certain asmx file).

Hope this helps. If there is anything unclear or if you still meet any
problem, please feel free to let me know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.