Monday, January 08, 2007
Who's on first? An IIS identity crisis
Microsoft Internet Information Services (IIS) version 6.0 introduced essential capabilities for managing Web page services to the Windows environment, including process pools, caching and server farms. Along with that came several more security features, including detailed control of the privileges under which Web page services execute on a server.
IIS 6.0 includes several potentially conflicting ways to specify privileges, yet Microsoft provides very little information about how they interact. The most obvious of these potential conflicts is specifying a user account for a Web site and also specifying a user account for the process pool in which the site's services execute. When they are not the same, who's on first? What happens?
The Web site's user account is specified in the IIS Manager tool under the properties "Directory Security," "Authentication and access control (Edit)," "Enable anonymous access." The process pool's user account is specified in IIS Manager under the properties "Identity," "Configurable." Both affect documented fields in the XML metabase of IIS, but undocumented is what will happen when the specified user accounts are not the same. Other, largely undocumented complications are "special privileges" and the default user accounts similarly specified for all Web sites and all process pools.
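Because both settings end up in the metabase, the one thing an administrator can do without guessing at runtime behaviour is inventory what is configured and flag every site whose anonymous account differs from the identity of the pool it runs in. The script below is an added example, not code from the post or from Microsoft. It reads a constructed, heavily simplified MetaBase.xml fragment using the real metabase property names (AnonymousUserName, AppPoolId, AppPoolIdentityType and WAMUserName, with the identity-type codes 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 specific user) and applies the metabase's path inheritance, so a value set at /LM/W3SVC counts as the default for every site. It reports only what is configured; which account actually wins when they differ is exactly what the post says is undocumented, and the script makes no claim about it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS 6.0 MetaBase.xml. Real files carry
# dozens more properties per node; only the identity-related ones are kept here.
SAMPLE_METABASE = """
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEBHOST" />
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/SalesPool"
                    AppPoolIdentityType="3" WAMUserName="WEBHOST\\svc_sales" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/root" AppPoolId="DefaultAppPool" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Sales" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/root" AppPoolId="SalesPool"
                  AnonymousUserName="WEBHOST\\anon_sales" />
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="Intranet" />
<IIsWebVirtualDir Location="/LM/W3SVC/3/root" AppPoolId="SalesPool"
                  AnonymousUserName="WEBHOST\\svc_sales" />
</MBProperty>
</configuration>
"""

# AppPoolIdentityType codes used by the IIS 6.0 metabase; 3 means "use WAMUserName".
IDENTITY_TYPES = {
    "0": "LocalSystem",
    "1": "NT AUTHORITY\\LOCAL SERVICE",
    "2": "NT AUTHORITY\\NETWORK SERVICE",
}


def load_nodes(xml_text):
    """Map each metabase Location path (lower-cased; paths are case-insensitive) to its attributes."""
    nodes = {}
    for elem in ET.fromstring(xml_text).iter():
        loc = elem.get("Location")
        if loc:
            nodes[loc.lower()] = dict(elem.attrib)
    return nodes


def effective(nodes, location, prop):
    """Metabase properties inherit down the path: look at the node, then each ancestor."""
    path = location.lower()
    while path:
        value = nodes.get(path, {}).get(prop)
        if value is not None:
            return value
        path = path.rsplit("/", 1)[0]
    return None


def pool_identity(nodes, pool_name):
    """Resolve the account a process pool is configured to run as."""
    pool_path = "/LM/W3SVC/AppPools/" + pool_name
    # IIS 6.0 pools run as Network Service when no type is set anywhere on the path.
    kind = effective(nodes, pool_path, "AppPoolIdentityType") or "2"
    if kind == "3":
        return effective(nodes, pool_path, "WAMUserName")
    return IDENTITY_TYPES.get(kind, "unknown(" + kind + ")")


def site_report(xml_text):
    """One row per Web site: its anonymous account, its pool's identity, and whether they match."""
    nodes = load_nodes(xml_text)
    rows = []
    for loc, attrs in sorted(nodes.items()):
        parts = loc.strip("/").split("/")
        if len(parts) != 3 or parts[:2] != ["lm", "w3svc"] or not parts[2].isdigit():
            continue  # only /LM/W3SVC/<site id> nodes are sites
        root_path = loc + "/root"
        anon = effective(nodes, root_path, "AnonymousUserName")
        pool = effective(nodes, root_path, "AppPoolId") or "DefaultAppPool"
        pool_user = pool_identity(nodes, pool)
        rows.append({
            "site": attrs.get("ServerComment", parts[2]),
            "anonymous_user": anon,
            "app_pool": pool,
            "pool_identity": pool_user,
            "same_account": (anon or "").lower() == (pool_user or "").lower(),
        })
    return rows


if __name__ == "__main__":
    for row in site_report(SAMPLE_METABASE):
        flag = "ok      " if row["same_account"] else "MISMATCH"
        print(flag, row["site"], "| anonymous:", row["anonymous_user"],
              "| pool:", row["app_pool"], "as", row["pool_identity"])
```

Against a real server you would point load_nodes at %SystemRoot%\system32\inetsrv\MetaBase.xml (readable only by administrators, and only if "enable direct metabase edit" or a stopped IIS lets you read a consistent copy); every MISMATCH line is a site where the question in this post applies.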
At present most of this remains a mystery to be disentangled mainly through experimental programming. The few Internet forums and Web logs that touch on these topics reveal a general lack of knowledge. The only significant book on IIS 6.0, by Mitch Tulloch (Osborne, 2003), provides no more help than one can get on-line from Microsoft. At the "deliberate speed" with which Microsoft provides documentation, the next version of IIS is likely to be available before the current one has been explained.