Ureader.com  
Microsoft software help and Community
date: Mon, 28 Apr 2008 15:35:05 -0400,    group: microsoft.public.inetserver.misc


Log on Locally user right for IIS Lockdown servers   
Hello,

This is a very belated follow-up to the below issue; I am the original 
poster.  I recently was creating a new OU structure and new security policy 
and during testing it was noticed that in fact happened on a server that has 
a web-app that uses Windows integrated authentication, which was a surprise 
to me.

Does this "Log on Locally" policy also affect web-apps using Windows 
Integrated Authentication?

Thanks.


---------------------------------------------------------
Basic Auth requires that the authenticating user have "login locally"
privilege on the server.

The reason that your changes to IUSR/VUSR/Web Anonymous group have no effect
is because those users are NOT used for basic auth (they are accounts used
for Anonymous auth)


The actual user accounts authenticating under Basic auth need to have
"login locally" privilege.


-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


<-> wrote in message news:OLg0S3e7EHA.3236@TK2MSFTNGP15.phx.gbl...


Hello,

We have a server that has IIS lockdown and basic authentication for a
website and when the server team applied a policy that restricted logon only
to administrators, no one was able to log into the application.  The
application users are not actually logging in locally, so I am thinking that
there is something in the IIS definition that requires that they have this
privilege.  In addition, we took the IUSR and VUSR accounts and also Web
anonymous (all "Web" groups local to the machines) and added them, and still
no luck.  We added the Everyone group, and this resolved the problem.  Is
there any way to preserve non Single Sign-on authentication and not have to
have the Everyone group with the log on locally user right?


Thanks.
date: Mon, 28 Apr 2008 15:35:05 -0400   author:   -

Re: Log on Locally user right for IIS Lockdown servers   
Anybody?

<-> wrote in message news:%23xXy2bWqIHA.1436@TK2MSFTNGP05.phx.gbl...
> Hello,
>
> This is a very belated follow-up to the below issue; I am the original 
> poster.  I recently was creating a new OU structure and new security 
> policy and during testing it was noticed that in fact happened on a server 
> that has a web-app that uses Windows integrated authentication, which was 
> a surprise to me.
>
> Does this "Log on Locally" policy also affect web-apps using Windows 
> Integrated Authentication?
>
> Thanks.
>
>
> ---------------------------------------------------------
> Basic Auth requires that the authenticating user have "login locally"
> privilege on the server.
>
> The reason that your changes to IUSR/VUSR/Web Anonymous group have no 
> effect
> is because those users are NOT used for basic auth (they are accounts used
> for Anonymous auth)
>
>
> The actual user accounts authenticating under Basic auth need to have
> "login locally" privilege.
>
>
> -- 
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no 
> rights.
> //
>
>
> <-> wrote in message news:OLg0S3e7EHA.3236@TK2MSFTNGP15.phx.gbl...
>
>
> Hello,
>
> We have a server that has IIS lockdown and basic authentication for a
> website and when the server team applied a policy that restricted logon 
> only
> to administrators, no one was able to log into the application.  The
> application users are not actually logging in locally, so I am thinking 
> that
> there is something in the IIS definition that requires that they have this
> privilege.  In addition, we took the IUSR and VUSR accounts and also Web
> anonymous (all "Web" groups local to the machines) and added them, and 
> still
> no luck.  We added the Everyone group, and this resolved the problem.  Is
> there any way to preserve non Single Sign-on authentication and not have 
> to
> have the Everyone group with the log on locally user right?
>
>
> Thanks.
>
>
>
date: Wed, 30 Apr 2008 19:47:36 -0400   author:   -
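
The thread's workaround was to add Everyone to the "Log on locally" right, while the answer says only the accounts that authenticate under Basic auth need it. The following is an added example, not code from any poster in this thread: it parses a user-rights export and flags broad principals holding that right. It assumes the export came from `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample template and the domain group SID in it are constructed.

```python
# Added example: audit "Log on locally" (SeInteractiveLogonRight) in a secedit export.
# Assumption: the text was produced by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# and decoded to str (secedit normally writes UTF-16).

# Well-known SIDs that cover far more than the web application's users.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Constructed sample mirroring the thread: Administrators, Everyone, and a
# hypothetical dedicated group for the Basic-auth users (made-up domain SID).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; unresolved names appear bare.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_logon_locally(inf_text):
    """Summarise who may log on locally and which of those principals are broad."""
    rights = parse_privilege_rights(inf_text)
    allowed = rights.get("SeInteractiveLogonRight", [])
    return {
        "allowed": allowed,
        "denied": rights.get("SeDenyInteractiveLogonRight", []),
        "broad": [f"{BROAD_SIDS[p]} ({p})" for p in allowed if p in BROAD_SIDS],
    }

if __name__ == "__main__":
    print(audit_logon_locally(SAMPLE_INF))
```

An empty `broad` list after the policy change means the right is held only by explicitly named principals, such as Administrators and the group containing the Basic-auth users.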
