Adding Computer account to folder security

Norman George

Hi,

I have an IIS server that needs to access a backend SQL Server database, as
well as another file folder on the same SQL server. I have no problem
enabling Kerberos delegation support to access the SQL database using
impersonation.

However, with regard to the file folder access (which is on the same SQL
server), should I also add the IIS computer account to the security
permissions of that file folder as well? Is this a proper approach?

Norman
 
Guest

It seems to me that, with impersonation, you only need to make sure that the
users your server will impersonate have NTFS permissions
defined for them at the folder. You shouldn't need to add the computer
account.
 
Roger Abell [MVP]

From what you have posted this cannot be answered.
You say "computer account" which to me means the machine$ account
in the domain, but you perhaps mean the IUSR_* account.
Just what identity needs access depends on the nature of the website
interface - anonymous or not and if not what types of authentication
are being used.
 
Norman George

Roger,

On the IIS, we have (in the web.config file) enabled "Integrated
Security" and "Impersonation= true". We are not using Anonymous. The IIS
has also been trusted for constrained delegation and only the MSSQL service is
trusted.
If I need to grant access to a file folder on the same SQL, is there any
particular Service Type / SPN that needs to be registered? Someone told me
that if I just add the IIS's Computer Account (Computer$) to the security
of the folder, then whoever has a local account on the IIS server will be
granted access to the folder, and this is another alternate form of
delegation on the NTFS?

Is this correct?

Norman
 
Roger Abell [MVP]

What you outline at the end is something I have not heard of before,
and it does not sound correct. The file access probably comes over
the wire as the accessing account (creds of browsing user), so the
NTFS permissions should be anticipating the end users allowed access.
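
One way to check both points raised in this thread, as an added example that is not part of any poster's reply: list which identities hold NTFS rights on the folder (flagging computer accounts) and which services the IIS computer account is allowed to delegate to. The folder path and server name are placeholders, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: the two values below are placeholders, not taken from the thread.
$FolderPath  = '\\SQLSERVER01\AppData'   # hypothetical UNC path of the folder on the SQL server
$IisComputer = 'IISWEB01'                # hypothetical name of the IIS server

# 1. NTFS entries on the folder. Computer accounts have a sAMAccountName ending in '$',
#    so an entry such as DOMAIN\IISWEB01$ grants rights to the machine identity,
#    not to the browsing users that impersonation presents to the file server.
$entries = (Get-Acl -Path $FolderPath).Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Rights    = $_.FileSystemRights
        Type      = $_.AccessControlType
        Inherited = $_.IsInherited
        IsMachine = $_.IdentityReference.Value.EndsWith('$')
    }
}
$entries | Format-Table -AutoSize

$machineEntries = @($entries | Where-Object { $_.IsMachine -and $_.Type -eq 'Allow' })
if ($machineEntries.Count -gt 0) {
    Write-Warning "Computer accounts with Allow entries: $($machineEntries.Identity -join ', ')"
}

# 2. Constrained-delegation targets configured on the IIS computer account.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $IisComputer -Properties 'msDS-AllowedToDelegateTo'
$targets  = @($computer.'msDS-AllowedToDelegateTo')
"Delegation targets for ${IisComputer}:"
$targets

# SMB file access uses the 'cifs' service class, so delegation to the file share
# would appear here as a cifs/<server> entry alongside the MSSQLSvc/ entries.
$cifsTargets = @($targets | Where-Object { $_ -like 'cifs/*' })
if ($cifsTargets.Count -eq 0) {
    "No cifs/ target is listed; only these service classes are delegated:"
    $targets | ForEach-Object { ($_ -split '/')[0] } | Sort-Object -Unique
}
```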
 
