microsoft.public.inetserver.iis.security
  Windows 2008 IIS7 403 - Forbidden: Access is denied.         


Author: Michael Mowry
Date: Apr 30, 2008 17:32

I have a base Windows 2008 installation and took an HTML website
working in IIS6 and moved it to IIS7. I cannot resolve the 403 -
Forbidden: Access is denied. error that I am getting. I have tried
changing the user for anonymous authentication and have successfully
tested the connection. I have tried using the Network Service account
using pass through authentication. My website directory has the
appropriate read permissions for the Network Service and the anonymous
account.

I cannot seem to find a solution, any thoughts on how to resolve?
2 Comments
  XSS Cross-Site Scripting - Can you enable XSS in IIS 6.0/7.0?         


Author: Travis McGee
Date: Apr 28, 2008 16:31

I know you could do XSS in the past with IIS 5.0 until it got plugged, but
now I have a "real need".

Is it possible to loosen up the security in a controlled fashion?
5 Comments
  Log on Locally user right for IIS Lockdown servers         


Author:
Date: Apr 28, 2008 12:35

Hello,

This is a very belated followup to the below issue, I am the original
poster. I recently was creating a new OU structure and new security policy
and during testing it was noticed that in fact happened on a server that has
a web-app that uses Windows integrated authentication, which was a surprise
to me.

Does this "Log on Locally" policy also affect web-apps using Windows
Integrated Authentication?

Thanks.

---------------------------------------------------------
Basic Auth requires that the authenticating user have "login locally"
privilege on the server.

The reason that your changes to IUSR/VUSR/Web Anonymous group have no effect
is because those users are NOT used for basic auth (they are accounts used
for Anonymous auth).

The actual user accounts authenticating under Basic auth need to have
"login locally" privilege.
1 Comment
  IIS integration against a non-Windows KDC         


Author: Blake
Date: Apr 28, 2008 07:45

I am running a Windows IIS machine (standalone) and would like to allow
users to authenticate against our existing back-end KDC (MIT Kerberos realm
authentication).

IIS is running a COTS app, so I don't have any flexibility to muck with the
code.

Ideas?

Thanks
Blake
1 Comment
  ftp login flood         


Author: kms2061
Date: Apr 25, 2008 16:26

I have recently created a program that analyzes the ftp log files and
uses PeerGuardian to block IPs that generate more than a certain
number of login attempts. If anyone is interested, please email me
(kms2061_at_gmail_dot_com).
no comments
  IIS authentication         


Author: sjs
Date: Apr 25, 2008 12:13

I have an internal-only web app for which I want to use Windows Integrated
Security to control access. I set up the Properties - Directory Security -
Authentication and Access Control ensuring Anonymous Access is NOT checked
and Integrated Windows Authentication is checked.

I'm hoping the credentials used when logging into the domain will pass thru
to the website and allow access. However, when I have the above configured
users get prompted to enter a user id/password when they hit the website.
When entered the prompt comes back, not granting the user access. I tried
user id and password and domain\user id and password and neither granted
access.

Is there something I'm missing?

Thanks in advance,
steve
1 Comment
  Is HTTPS Url Exposed?         


Author: Izorich
Date: Apr 24, 2008 12:27

The HTTPS protocol transfers data using encryption. Is the request URL encrypted or
is it available in plain text when packets are transmitted? I'd like to use
the query part of the URL to pass a request ID and I wonder if that request ID is
encrypted or not.

for example:

https://host/page.aspx?myId=myIdValue

Will myIdValue be encrypted or not?
3 Comments
  IIS / SSL / Site Security / Multiple Sites         


Author: Travis McGee
Date: Apr 24, 2008 11:51

Have a question about an IIS server with multiple commerce web sites and
single SSL certificate

Here is the scenario (single server, single static IP)
www.TheCompany.com this top level company website has the SSL certificate

www.Product1.com \\CompanyServer\c\web\Product1
www.Product2.com \\CompanyServer\c\web\Product2
www.Product3.com \\CompanyServer\c\web\Product3
they both have their own shopping cart, etc. and their own "payment.asp" or
"payment.aspx" pages, with their own theme.

But I want to handle the credit card number entry screen with https:\\ but
with the existing SSL certificate for TheCompany domain, without buying Wild
Card cert and without dealing with many certificates. How can I do that?

Second acceptable solution is to redirect from Product1.com to
Product1.TheCompany.com/payment.asp, but it causes redirection related
security problems.

Is there any way of solving this issue without changing the URL away from
Product1.com with Frames or some other way so that I can use the single
Certificate. I believe some of the Hosters are doing this kind of stuff.

Any ideas about how it can be done? Thanks a million
3 Comments
  Delegated Kerberos through a CGI         


Author: AWillemsen
Date: Apr 24, 2008 06:50

Hi,

I'm trying to get a CGI to use delegated Kerberos authentication. The
environment is IE6 on the client (A) and IIS6 on two servers (B and C).

Delegated authentication is working with ASP, according to
http://support.microsoft.com/kb/314404 but when I substitute the CGI for
"Test1.asp" (both running on the server B in the same virtual directory and
accessed using the same URL) the authentication against server C fails with a
401.1 error.

So, I guess the problem is in the CGI code. The CGI (on server B) gets the
authentication protocol and key from the browser (on server A) in the
HTTP_AUTHORIZATION variable. At the moment, the code is just passing this
protocol and key on to server C in the Authorization: HTTP header. This
works fine for Basic authentication but not for Kerberos. Does the code need
to do something special with the key for Kerberos before passing it on?

Some notes:

1) The CGI is written in portable C++ and accesses HTTP resources directly
through a socket library (Winsock 1.1 on Windows) so has complete control
over the HTTP headers
2 Comments
  IIS6, IIS7 and VS2005         


Author: Paul Calderon
Date: Apr 23, 2008 16:34

I'm developing a web application with DCOM interfaces.

When I run the application from VS2005 (internal Web Server), I don't have
any problem accessing the DCOM hosted by another machine.

When I run the application from a virtual directory configured in IIS 7
(Windows Vista), I can access it too without problems.

But when I run the application from a virtual directory configured in IIS6
(Windows 2003 Server), I can't access the DCOM machine.

I tried everything, same users and passwords, same workgroup, etc., but the
problem is just with IIS6.

Any suggestions?
4 Comments