the answer (was Re: [thelist] authenticated access to network resource via web page)

spinhead evolt at spinhead.com
Thu Oct 18 16:45:19 CDT 2001


Just in case it ever comes up in your peregrinations (as I join the ranks of
the self-responders)

From
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html/dnauth_security.asp
========================================
When the IIS Web server impersonates a user authenticated using
Challenge/Response, the IIS server does NOT have the user's password or
password hash. IIS only sees the encrypted challenge, which it passes to the
domain controller. You will most likely encounter this when you have an ASP
page that accesses resources on another Windows NT box (such as a remote
database server). The remote server will challenge IIS to prove that it is
the impersonated user, and IIS will not be able to, because it cannot
encrypt any challenges sent to it with the user's hash.
========================================
The solution is to use, not Windows authentication, but Basic
Authentication. Turn off anonymous and Windows, turn on Basic, and your ASP
or other web app can access network resources by connecting as your logged
in user.

spinhead


----- Original Message -----
From: "spinhead" <evolt at spinhead.com>
To: "thelist" <thelist at lists.evolt.org>
Sent: Thursday, October 18, 2001 1:55 PM
Subject: [thelist] authenticated access to network resource via web page


> We've got a Perl script in c:\inetpub\scripts on our intranet web server.
> Its job is to parse a bit of info from a dozen test machines. I've removed
> anonymous access to the scripts folder, and when I look at the server
> variables (using a page called whoami.asp which just iterates thru all of
> 'em) it says I'm accessing the scripts directory as the authenticated user
> DOMAIN\myname (not really, but we're security freaks around here.)
>
> If I'm touching the directory as an authenticated user shouldn't the Perl
> script run as me and be allowed access to whatever network resources my user
> has access to? It's not.
>
> spinhead
>
>
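The "double hop" failure the MSDN excerpt describes, modelled as an added Python example (this is not code from the original post, from Microsoft, or from IIS). The hash and response functions are simplified stand-ins: the real NT hash is MD4 over the UTF-16LE password and NTLM responses use DES/MD5, whereas this model uses SHA-256 and HMAC. The account name, password and server names are constructed for the demo. The structural point survives the simplification: only the domain controller holds the hash, a challenge/response is bound to one challenge, so IIS cannot answer the database server's fresh challenge on the user's behalf unless it received the password itself (Basic) rather than a response (NTLM).

```python
"""Model of the IIS/NTLM double-hop problem (added example, not from the post)."""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Stand-in for the NT hash (real NTLM: MD4 over UTF-16LE; SHA-256 here).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Stand-in for an NTLM response: keyed by the hash, bound to this challenge.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    """The only party holding password hashes; verifies (challenge, response) pairs."""

    def __init__(self, accounts: dict[str, str]):
        self._hashes = {u: password_hash(p) for u, p in accounts.items()}

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        h = self._hashes.get(user)
        if h is None:
            return False
        return hmac.compare_digest(challenge_response(h, challenge), response)


class Server:
    """A resource server (IIS or the remote DB): issues challenges, asks the DC."""

    def __init__(self, dc: DomainController):
        self.dc = dc

    def challenge(self) -> bytes:
        return os.urandom(8)

    def accept(self, user: str, challenge: bytes, response: bytes) -> bool:
        return self.dc.verify(user, challenge, response)


class Browser:
    """The logged-in user's browser; knows the password, answers challenges."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.password = password
        self._hash = password_hash(password)

    def answer(self, challenge: bytes) -> bytes:
        return challenge_response(self._hash, challenge)


def windows_auth_double_hop(browser: Browser, iis: Server, db: Server) -> tuple[bool, bool]:
    """Hop 1 (browser -> IIS) succeeds; hop 2 (IIS -> DB as the user) cannot."""
    c1 = iis.challenge()
    r1 = browser.answer(c1)
    hop1 = iis.accept(browser.user, c1, r1)
    # IIS holds only (c1, r1), never the hash. The DB issues its own challenge c2;
    # all IIS could send is r1, which is bound to c1, so the DB rejects it.
    c2 = db.challenge()
    hop2 = db.accept(browser.user, c2, r1)
    return hop1, hop2


def basic_auth_double_hop(browser: Browser, iis: Server, db: Server) -> tuple[bool, bool]:
    """With Basic auth IIS receives the password itself (base64, not encrypted),
    so it can derive the hash and answer the DB's fresh challenge as the user."""
    pw_hash = password_hash(browser.password)  # IIS now has what the browser has
    c1 = iis.challenge()
    hop1 = iis.accept(browser.user, c1, challenge_response(pw_hash, c1))
    if not hop1:
        return False, False
    c2 = db.challenge()
    hop2 = db.accept(browser.user, c2, challenge_response(pw_hash, c2))
    return hop1, hop2


def run_demo() -> dict[str, tuple[bool, bool]]:
    # Constructed credentials; the DOMAIN\myname placeholder follows the post.
    dc = DomainController({"DOMAIN\\myname": "correct horse battery staple"})
    iis, db = Server(dc), Server(dc)
    good = Browser("DOMAIN\\myname", "correct horse battery staple")
    bad = Browser("DOMAIN\\myname", "wrong password")
    return {
        "ntlm": windows_auth_double_hop(good, iis, db),
        "ntlm_wrong_pw": windows_auth_double_hop(bad, iis, db),
        "basic": basic_auth_double_hop(good, iis, db),
        "basic_wrong_pw": basic_auth_double_hop(bad, iis, db),
    }


if __name__ == "__main__":
    for name, (hop1, hop2) in run_demo().items():
        print(f"{name:15s} browser->IIS={hop1}  IIS->DB={hop2}")
```

Running it shows `ntlm` passing the first hop and failing the second, while `basic` passes both; a wrong password fails both under either scheme. Note the trade-off the model makes visible: Basic works on the second hop precisely because the web server now holds the user's password, which the browser sent base64-encoded in every request, so that configuration belongs behind HTTPS.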
