From: "Liam Bedford" <*@lbedford.org> wrote:
> this sounds a bit like the stuff I was trying to work out for an
> The interesting part to this is that IIS (using NTLM) lets you
> use your NT permissions to access files (it works with basic
> as well, but it's a bit more painful).
>> IIS doesn't run as Administrator IIRC (it runs as IIS_ANONUSER or
> so it must have some funny way of doing this kind of thing.
> Actually on my 2K machine it runs as System (which is not admin), and if
> use NTLM it basically su's to me..
When an NT client connects to an NT server within the same domain (or a
trusted domain) it passes a login token that identifies it. When IIS
receives a request for a file it tries to access it with the IUSR account,
and if NTFS denies access, IIS prompts the client to authenticate. If the
client is IE and in the same trust domain, it can do an NTLM
authentication to the IIS server, and IIS essentially spawns a subprocess
using that token to access the requested file. If you have rights to the
file, NTFS gives it up.
The token can't be passed on from the IIS server to another machine, so
you can't use this to authenticate through a proxy server, or to access a
page that the IIS server is loading off a mapped network drive, or to
access a protected database on a remote SQL server (you can use this to
access an ASP script that queries a SQL database on the same machine if
the SQL database requires NT authentication). On an intranet, it's a very
compelling facility, and far easier to set up and maintain than an LDAP
directory for personal certificates.
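
The NTLM exchange described in the message above travels in HTTP `WWW-Authenticate` and `Authorization` headers. As an added example that is not part of the original post, this parser names each NTLM message in such a header and pulls the domain and user out of the final AUTHENTICATE message, which is the identity the server goes on to act as. The sample message is constructed, and decoding OEM strings as cp437 is an assumption.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag bit


def parse_ntlm_header(value):
    """Decode an 'NTLM [base64]' header value into a dict describing the message."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not blob:
        return {"type": "OFFER"}  # bare 'WWW-Authenticate: NTLM' on the first 401
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", raw, 8)
    info = {"type": NAMES.get(mtype, "UNKNOWN")}
    if mtype == 3 and len(raw) >= 64:
        (flags,) = struct.unpack_from("<I", raw, 60)
        # Assumption: OEM strings are decoded as cp437; the real code page varies.
        enc = "utf-16-le" if flags & UNICODE else "cp437"
        for name, pos in (("domain", 28), ("user", 36)):
            length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
            if offset + length > len(raw):
                raise ValueError("field points outside the message")
            info[name] = raw[offset:offset + length].decode(enc)
    return info


def build_sample_type3(domain, user):
    """Constructed AUTHENTICATE message with empty responses, for the demo only."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    msg = SIGNATURE + struct.pack("<I", 3) + empty + empty  # LM, NT responses
    msg += struct.pack("<HHI", len(d), len(d), 64)           # domain name field
    msg += struct.pack("<HHI", len(u), len(u), 64 + len(d))  # user name field
    msg += empty + empty + struct.pack("<I", UNICODE)        # workstation, key, flags
    return "NTLM " + base64.b64encode(msg + d + u).decode()


if __name__ == "__main__":
    print(parse_ntlm_header("NTLM"))
    print(parse_ntlm_header(build_sample_type3("CORP", "alice")))
```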