[thelist] ASP FSO problem.

Rosalie Sennett rsennett at brainlink.com
Mon Dec 20 00:36:23 CST 2004


Ken, 

Thanks for the clarification. 

I do remember reading that there were problems with IIS 5 involving the
IWAM_<machinename> and permissions not being set properly in order to
"impersonate" users. So it was as if dllhost.exe was started without full
ability. The correction involved security policy changes.

I suppose that's what I was thinking of.

One thing we don't know, are the details of Craig's configuration.

Hopefully... he's just got a typo somewhere.

rose

-----------------
c:/dos
c:/dos/run
run/dos/run
>>
-----------------
> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-
> bounces at lists.evolt.org] On Behalf Of Ken Schaefer
> Sent: Monday, December 20, 2004 1:05 AM
> To: thelist at lists.evolt.org
> Subject: RE: [thelist] ASP FSO problem.
> 
> Whether or not ASP runs inside dllhost.exe depends on the IIS application
> setting.
> 
> Low Isolation -> ASP pages in that app run inside inetinfo.exe (runs as
> LocalSystem)
> 
> Medium Isolation -> ASP pages in that app run inside a shared dllhost.exe
> that all other medium isolation apps share
> 
> High Isolation -> ASP pages in that app run inside a dllhost.exe that's
> not
> shared with any other apps
> 
> By default IWAM_machinename is the process identity for out-of-process web
> applications (out-of-process means any app running in medium or high
> isolation, ie outside inetinfo.exe)
> 
> However, in order to access a resource (eg run a webpage), the thread
> servicing the request "impersonates" a user account - IIS logs on that
> account and processes the page under that user context. If the app
> requires
> authentication, then the page will be run under the context of the
> credentials supplied by the user. If the app allows "anonymous" access,
> then
> IIS will impersonate the configured anonymous user account (by default
> IUSR_<machinename>)
> 
> HTH
> 
> Note: this applies to IIS up to IIS5.1, and IIS6 running in IIS5 Isolation
> Mode. IIS6 running in its native Worker Process Isolation mode is a
> different
> kettle of fish.
> 
> Cheers
> Ken
> 
> : -----Original Message-----
> : From: thelist-bounces at lists.evolt.org [mailto:thelist-
> : bounces at lists.evolt.org] On Behalf Of Rosalie Sennett
> : Sent: Monday, 20 December 2004 3:49 PM
> : To: thelist at lists.evolt.org
> : Subject: RE: [thelist] ASP FSO problem.
> :
> : Correct me if I'm wrong... but IWAM_machine name starts up dllhost.exe
> :
> : And all .asp, com and other ISAPI extensions are run under dllhost
> :
> : (ASP is considered an ISAPI extension)
> :
> : So, perhaps it is the IWAM_machine user that is being locked out?
> :
> :
> : Keep that in mind when you're poking around with effective permissions
> :
> :
> : You also may want to simplify your code just to be sure it isn't some
> typo
> : that none of us is noticing...
> :
> : I had something the other day that was driving me nuts... and just when
> I
> : was sure my machine was haunted... I went back to a kind of "hello
> world"
> : script and found that I'd done something stupid...
> :
> : So run this with and without a folder specified in the drive, 'cause I
> : know
> : it works fine.
> :
> : <table border="1">
> : <tr>
> :   <td>Path</td>
> :   <td>Name</td>
> :   <td>Size</td>
> :   <td>DateCreated</td>
> :   <td>DateLastAccessed</td>
> :   <td>DateLastModified</td>
> : </tr>
> :
> : <%
> : Set FSObj=Server.CreateObject("Scripting.FileSystemObject")
> : Set FolderObj = FSObj.GetFolder ("M:\")
> :
> : For Each Item in FolderObj.Files %>
> :   <tr>
> :     <td><%= Item.Path %></td>
> :     <td><%= Item.Name %></td>
> :     <td><%= Item.Size %></td>
> :     <td><%= Item.DateCreated %></td>
> :     <td><%= Item.DateLastAccessed %></td>
> :     <td><%= Item.DateLastModified %></td>
> :   </tr>
> : <% Next %>
> :
> : </table>
> :
> : <% Response.Write("Total = " & FolderObj.Files.Count)%>
> :
> : rose
> :
> : -----------------
> : c:/dos
> : c:/dos/run
> : run/dos/run
> : >>
> : -----------------
> :
> : > -----Original Message-----
> : > From: thelist-bounces at lists.evolt.org [mailto:thelist-
> : > bounces at lists.evolt.org] On Behalf Of Ken Schaefer
> : > Sent: Sunday, December 19, 2004 9:18 PM
> : > To: thelist at lists.evolt.org
> : > Subject: RE: [thelist] ASP FSO problem.
> : >
> : >
> : > : -----Original Message-----
> : > : From: thelist-bounces at lists.evolt.org
> : > [mailto:thelist-bounces at lists.evolt.org] On
> : > : Behalf Of cd-ml at aardvark.net.au
> : > : Subject: RE: [thelist] ASP FSO problem.
> : > :
> : > : > What are the permissions on the share that 'M' is mapped to? IUSR
> : > isn't
> : > : > part of the everyone group, which can be confusing.
> : > :
> : > : Drive M: is a local drive, not a networked share or anything.
> : > :
> : > : > Does this behave as expected on local drives? How 'bout if you get
> : the
> : > : > item's name rather than size?
> : > :
> : > : Yes, the item.name works but item.size get's permission denied. I
> : don't
> : > : know why ?:)
> : > :
> : > : Drive M: (which is a local HD) will give me a permission denied,
> : however
> : > : if I set it to the CD-ROM drive or my USB Key it works. It must be a
> : > : permission issue somewhere.
> : >
> : > I suppose you next need to check the effective permissions on those
> : files.
> : >
> : > Right-click on a file -> properties -> security -> advanced ->
> effective
> : > permissions -> add IUSR_Machinename
> : >
> : > Cheers
> : > Ken
> : > --
> : >
> : > * * Please support the community that supports you.  * *
> : > http://evolt.org/help_support_evolt/
> : >
> : > For unsubscribe and other options, including the Tip Harvester
> : > and archives of thelist go to: http://lists.evolt.org
> : > Workers of the Web, evolt !
> :
> :
> : --
> :
> : * * Please support the community that supports you.  * *
> : http://evolt.org/help_support_evolt/
> :
> : For unsubscribe and other options, including the Tip Harvester
> : and archives of thelist go to: http://lists.evolt.org
> : Workers of the Web, evolt !
> --
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !




More information about the thelist mailing list