Mar 20th, 2003, 01:08 AM
IIS & dll's & iusr & iwam & Active Directory
Hey all,

I have been reading up on IIS processes and Active Directory, but I am still fuzzy about a few things. Our company has an ASP-based website running on IIS on Win2k, an Oracle database on a Unix machine, and Active Directory running on the domain controller. The ASP pages reference a DLL through which all DML operations on the database take place, so that there is no direct connection from ASP to Oracle.

For certain reasons, we want to use Active Directory to authenticate users of the website (and to create new users in AD whenever a new user is registered on our site).

So how can I do this? My thinking so far is:

Have anonymous access in IIS. The user enters his username and password in the ASP page; they are sent to the DLL (which runs in-process), which then connects to AD, authenticates the user, and passes the result back to ASP. Now the site is running as Medium (Pooled), which means that dllhost is handling the request, which in turn means that IWAM is the account that is being used.

In order to access AD and create users, the process that's accessing it should be running with 'domain admin' privileges. So I guess I have to impersonate the domain admin in my DLL in order to be able to access AD?

The reason I'm proposing anonymous access and not authentication in IIS is that the user who is logging on should not have the privilege of accessing the AD or anything else for that matter. I just want to use AD for its authentication functions and to eventually integrate it with Exchange.

Does this sound like a viable solution?

A few asides:

1- I used File Monitor from Sysinternals, and it seems that all access to the ASP pages, DLL and Oracle is handled by dllhost, whereas access to HTML pages, CSS pages, JPGs and GIFs is handled by inetinfo. Why aren't they all handled by dllhost?

2- When I tried running the application as Low (IIS process), I got the following ODBC error when connecting to the database: "Driver's SQLSetConnectAttr failed".

3- I read in an article that since it's inetinfo that launches dllhost, dllhost is actually impersonating IUSR and thus is running under the IUSR account. That didn't make much sense to me. Is it true?

I know this is a long post; any help on any of these matters is greatly appreciated.

Thanks...
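The flow the post describes (anonymous IIS, credentials handed to a back-end component, component checks them against AD and creates accounts) can be built without running anything as domain admin. The VBScript/ADSI code below is an added example by the editor, not code from the poster: the visitor's password is verified by a secure LDAP bind performed as that visitor, which needs no privilege of its own, and account creation is done with a dedicated service account that has been delegated "Create User objects" on a single OU only. The host `dc01.example.com`, domain `EXAMPLE` / `DC=example,DC=com`, OU `OU=WebUsers`, the `IsSafeName`, `AuthenticateUser` and `CreateWebUser` helpers and the service-account name are all assumptions for illustration.

```vbscript
' Added example (editor's, not the poster's): ADSI-based authentication and
' delegated account creation for an ASP/COM back end. All names are assumed.
Option Explicit

Const ADS_SECURE_AUTHENTICATION = &H1   ' Kerberos/NTLM bind; password is not sent in clear
Const ADS_USE_SIGNING           = &H40  ' sign and seal the LDAP session
Const ADS_USE_SEALING           = &H80

Const DOMAIN_NETBIOS = "EXAMPLE"                                                  ' assumed
Const DOMAIN_PATH    = "LDAP://dc01.example.com/DC=example,DC=com"                ' assumed
Const WEBUSERS_OU    = "LDAP://dc01.example.com/OU=WebUsers,DC=example,DC=com"    ' assumed

' Accept only a conservative character set so a submitted name can never be
' turned into LDAP filter or DN syntax further down.
Function IsSafeName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsSafeName = re.Test(name)
End Function

' Authenticate by binding AS the visitor. A successful bind proves the
' password; it grants nothing to the web process, which still runs as IWAM.
' An empty password is rejected up front because some directories treat it
' as an anonymous bind and report success.
Function AuthenticateUser(userName, password)
    AuthenticateUser = False
    If Not IsSafeName(userName) Or Len(password) = 0 Then Exit Function

    Dim dso, obj
    On Error Resume Next
    Set dso = GetObject("LDAP:")
    Set obj = dso.OpenDSObject(DOMAIN_PATH, DOMAIN_NETBIOS & "\" & userName, password, _
                               ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING)
    AuthenticateUser = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

' Create the account with a dedicated service account (assumed: svc-webreg)
' that has been delegated "Create User objects" on OU=WebUsers only, instead
' of domain admin. Its credentials come from the component's protected
' configuration, never from the ASP page, which only supplies the new user
' name and the password the visitor chose.
Function CreateWebUser(svcUser, svcPassword, newUser, newPassword)
    CreateWebUser = False
    If Not IsSafeName(newUser) Or Len(newPassword) = 0 Then Exit Function

    Dim dso, ou, usr
    On Error Resume Next
    Set dso = GetObject("LDAP:")
    Set ou  = dso.OpenDSObject(WEBUSERS_OU, DOMAIN_NETBIOS & "\" & svcUser, svcPassword, _
                               ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING)
    If Err.Number <> 0 Then Exit Function

    Set usr = ou.Create("user", "CN=" & newUser)
    usr.Put "sAMAccountName", newUser
    usr.Put "userPrincipalName", newUser & "@example.com"   ' assumed UPN suffix
    usr.SetInfo                                              ' object must exist before SetPassword
    If Err.Number <> 0 Then Exit Function

    usr.SetPassword newPassword      ' goes over the signed/sealed session
    usr.AccountDisabled = False      ' new objects are created disabled; enable only after the password is set
    usr.SetInfo
    CreateWebUser = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function
```

Neither function impersonates anyone at the Windows level: the credentials travel inside the LDAP bind, so the component can keep running as IWAM under Medium (Pooled). The only secret the server holds is the delegated service account's password, which should be stored where only that component can read it, and that account's damage potential is bounded by the rights delegated on `OU=WebUsers` rather than by domain admin membership.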