Posted by Roger Abell [MVP] on March 21, 2006, 9:24 am
What you outline at the end is something I have not heard of before,
and it does not sound correct. The file access probably comes over
the wire as the accessing account (creds of browsing user), so the
NTFS permissions should be anticipating the end user's allowed access.
> Roger,
>
> On the IIS, we have (on the web.config file) enabled "Integrated
> Security" and "Impersonation= true". We are not using Anonymous. The IIS
> has also been trusted for constrained delegation and only MSSQL service is
> trusted.
> If I need to grant access to a file folder on the same SQL, is there any
> particular Service Type / SPN that needs to be registered? Someone told me
> that if I just add the IIS's Computer Account (Computer$) to the
> security of the folder, then whoever has a local account on the IIS
> server will be granted access to the folder, and this is another
> alternate form of delegation on the NTFS?
>
> Is this correct?
>
> Norman
>
>> From what you have posted this cannot be answered.
>> You say "computer account" which to me means the machine$ account
>> in the domain, but you perhaps mean the IUSR_* account.
>> Just what identity needs access depends on the nature of the website
>> interface - anonymous or not and if not what types of authentication
>> are being used.
>>
>>> Hi,
>>>
>>> I have an IIS server that needs to access a backend SQL server database,
>>> as well as another File folder on the same sql server. I have no problem
>>> enabling kerberos delegation support to access the sql database using
>>> impersonation.
>>>
>>> However, with regard to the file folder access (which is on the same
>>> SQL server) should I also add the IIS computer account to the security
>>> permission of that File Folder as well? Is this a proper approach?
>>>
>>> Norman
>>>
>>
>>
>
>