locked
Integrated Security Authentication - Win2003/IIS different from XP/IIS RRS feed

  • 問題

  • Any different for Win2K3 and XP in the captioned topic?

     

    My problem is:

     

    I develope a Web Service from XP/IIS, using impersonate for Oracle connection and its workfine.

     

    When I deploy the code into Win2K3/IIS, it always get "Logon Denied, Invalid username/password" get back from Oracle.

     

    Any configuration need to be done before or after the deployment?

    2008年10月10日 上午 09:20

解答

  • Dear Customer,


    Based on my research, IIS security restriction is fully NTFS based. I suggest you use the TCP/IP address access restriction for this issue:

     

    1. Setup a complex password for administrator account.

     

    2. Open the Internet Information Server (IIS), Right-click the site.

     

    3. Click Properties>Directory Security>click add.

     

    4. Add the IP address that requires access to the exceptions list.

     

    Hope the above info helps.

     

    Sincerely


    Tom Zhang

     

    2008年10月13日 上午 09:34
    版主

所有回覆

  • Dear Customer,


    Based on my research, IIS security restriction is fully NTFS based. I suggest you use the TCP/IP address access restriction for this issue:

     

    1. Setup a complex password for administrator account.

     

    2. Open the Internet Information Server (IIS), Right-click the site.

     

    3. Click Properties>Directory Security>click add.

     

    4. Add the IP address that requires access to the exceptions list.

     

    Hope the above info helps.

     

    Sincerely


    Tom Zhang

     

    2008年10月13日 上午 09:34
    版主
  • Hi Tom,

    Thanks for your kind help to research for my problem.

    I think I agree with you for the NTFS security even for the domain user (as my company running AD).

    However, I got the problem for Impersonation for IIS, when I open the log file for remote Oracle in W2K3,

    The application is different for IIS5 (aspnet_wp.exe) and IIS6 (wc3wp.exe), other is the same.

    What my question may can say: is there any different between this 2?

    So far I still get no answer for my question....
    2008年10月13日 下午 12:24
  • There are differences between IIS in XP (IIS 5.1) and IIS in Windows 2003 (IIS 6.0).  In simple words, in your case, if you set Integrated Security Authentication in IIS and impersonation in the connection string to Oracle, you will get the following results:

    1. For IIS in XP, you are using the client's login account to connect to Oracle

    2. For IIS in Windows 2003, you are using the account "ASPNET" on Windows 2003 web server to connect to Oracle

     

    To get back similar behavior in both cases, you can try to add the following configurations in your Web services's Web.config file (within the <system.web></system.web> element):

     

    <identity impersonate="true" />

    2008年10月14日 下午 06:53
  • Dear Customer,

     

    I agree with Raymond’s suggestion.

     

    I just wanted to say hi, and to see how things are going. I haven't heard back from you yet and I was wondering if there are any updates on the service request.

     

    Thanks.

     

    Sincerely


    Tom Zhang

     

    2008年10月29日 上午 07:50
    版主
  •  

    Dear Tom and Raymond,

     

    Thanks for follow up, and sorry for long time no update.

     

    Regarding Raymond pervious mentioned:

     

    1. For IIS in XP, you are using the client's login account to connect to Oracle

        -- Actually I already config using Impersonate in Web Apps configuration (Web.Config)

     

    2. For IIS in Windows 2003, you are using the account "ASPNET" on Windows 2003 web server to connect to Oracle

        -- Same, IIS config / Web.Config is already set for Impersonate.

     

    Because it is a remote connect from another web service (consuming from remote web service).

     

     

    Finally I have work around for it:

     

    using 2 domain account, 1 for self web service connect to Oracle, another 1 used to restrict the connection from remote web service.

     

    The setting so far is work fine and already put into production.

     

    Thanks for support and look forward to have your help again.

     

    Cheers

     

    Louie

    2008年12月17日 上午 09:51