[ILUG] Apache question

[Aengus]

From: "Liam Bedford" <*@lbedford.org> wrote:

> this sounds a bit like the stuff I was trying to work out for an
intranet.
> The interesting part to this is that IIS (using NTLM) lets you
> use your NT permissions to access files (it works with basic
authentication
> as well, but it's a bit more painful).
>
> IIS doesn't run as Administrator IIRC (it runs as IIS_ANONUSER or
something)
> so it must have some funny way of doing this kind of thing.
> Actually on my 2K machine it runs as System (which is not admin), and if
I
> use NTLM it basically su's to me..

When an NT client connects to an NT server within the same domain (or a
trusted domain) it passes a login token that identifies it. When IIS
receives a request for a file it tries to access it with the IUSR account,
and if NTFS denies access, IIS prompts the client to authenticate. If the
client is IE and in the same trust domain, it can do an NTLM
authentication to the IIS server, and IIS essentially spawns a subprocess
using that token to access the requested file. If you have rights to the
file, NTFS gives it up.

The token can't be passed on from the IIS server to another machine, so
you can't use this to authenticate through a proxy server, or to access a
page that the IIS server is loading of a mapped network drive, or to
access a protected database on a remote SQL server (you can use this to
access an ASP script that queries a SQL database on the same machine if
the SQL database requires NT authentication). On an intranet, it's a very
compelling facility, and far easier to set up and maintain than an LDAP
directory for personal certificates.

Aengus