Hi all,

I've got an ASP (not asp.net... not sure if it matters) running on IIS 6.0 that needs to access some network resources.

So we set it up so it uses windows authentication.  The problem is it was not able to access the network resource.

Changing it to basic authentication, typing in my windows logon credentials...and it works.   That is all I am toggling at the moment.

Is my understanding that with IIS 6, the authenticated user becomes the impersonated user automatically correct?  If so, would basic authentication work, but windows authentication not work?

A little confused.  Or is there anything else I can change?

Thanks

It has been years since I last worked with classic ASP, but IIRC then the application pool identity for your web application in IIS is used with Windows Authentication. So, you need to make sure that the application pool identity has access to the network resource.

Thanks integrasol,

Yeah, it is some old ASP app that just got dumped on us.  I've gotten so used to IIS 7 and ASP.NET.

So Basic authentication does not use the application pool identity?  This is the part that is confusing me.

Okay, is there any way then to transfer the authenticated credentials to the impersonated user when using windows authentication and IIS 6?  Even if the change is in source, it is fine.

The overall goal:

What I want to do is have the users logon using windows credentials (automatically if they're using IE)... then when the ASP applicatoin needs to write to a networked location, it uses their credentials automatically.  I haven't seen any options in II6 in so far as impersonation, so maybe it is not doable... but I thought I'd check first.

THanks,

Just FYI, from what I have read, this is my understanding of how II6 works.

Network Service (w3wp.exe) is the process' identity.

However, when pages are served, new threads handling ASP
pages will impersonate a user account based upon the logon credentials.

So the thread *should* have the windows logon credentials. 

The other possibility I am thinking is that something is going screwy when accessing the UNC path.

It might use the Network Service identity of the process instead of the thread credentials?

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/c65e97d7-a085-4d8f-bdd7-1e6a9f223708.mspx?mfr=true

aaaah, looks like I need something called 'constrained delegation'.

This explains why basic authentication works, but not windows authentication.

Alright.  seeing as to how it will take more effort to get the AD to add the server to the trusted for delegation (bureaucratic... not technical wise) as it would to get a user just for the website, we're probably going for a set user.

Problem solved... I guess :P

yaminb:

A little confused.  Or is there anything else I can change?

I suggest you try to refer to this article to get some ideas:

http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx