Solution
=========
Change Anonymous authentication to Enabled
Change ASP.NET Impersonation to Disabled
Analyze
=========
IIS, Windows Authentication and the Double Hop issue
In IIS, you run into an interesting situation when you need to access another resource off of the IIS server and a fairly common combination of settings is in place. When you use Integrated Security with anonymous access disabled and impersonation turned on, a security measure kicks in and doesn't allow your site to access resources on any network servers. This includes accessing a UNC path directly from IIS, or connecting to SQL Server using Windows authentication.

The reason is the 'double hop' that authentication is doing. When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'. When IIS then tries to access a network device, that would be the second hop (the 'double hop'), which is not allowed. IIS cannot in turn pass those credentials on to the next network device; otherwise the developer or administrator could abuse your credentials and use them in ways that the site visitor didn't anticipate.

This doesn't occur with anonymous access or with impersonation off, because in that case IIS takes care of authenticating you and then uses a different user for local or network access. This means that the app pool identity or anonymous user can make the network call as its first hop.
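
The check below is an added example, not part of the original post: it flags a site configuration that has the combination described above (Windows authentication on, anonymous access off, impersonation on) and shows that the two changes under Solution clear it. It assumes the authentication sections are present in the site's web.config (they may instead live in applicationHost.config), and the function names, the defaults used for missing attributes and the sample configurations are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def flag(root, tag, attr, default):
    """Read a true/false attribute; use the assumed IIS default if it is absent."""
    node = next(root.iter(tag), None)
    value = node.get(attr) if node is not None else None
    return default if value is None else value.strip().lower() == "true"

def double_hop_prone(web_config_xml):
    """True when network calls would run as the visitor: Windows (Integrated)
    authentication on, anonymous access off, ASP.NET impersonation on."""
    root = ET.fromstring(web_config_xml)
    anonymous = flag(root, "anonymousAuthentication", "enabled", True)
    windows = flag(root, "windowsAuthentication", "enabled", False)
    impersonate = flag(root, "identity", "impersonate", False)
    return windows and not anonymous and impersonate

def audit(configs):
    """Return the names of the configurations that will hit the second-hop block."""
    return [name for name, xml in configs.items() if double_hop_prone(xml)]

# Constructed samples (not from the original post): the failing combination the
# analysis describes, and the same site after the two changes in the Solution.
TEMPLATE = """<configuration>
  <system.web><identity impersonate="{imp}" /></system.web>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="{anon}" />
    <windowsAuthentication enabled="{win}" />
  </authentication></security></system.webServer>
</configuration>"""
SAMPLES = {
    "before": TEMPLATE.format(imp="true", anon="false", win="true"),
    "after": TEMPLATE.format(imp="false", anon="true", win="true"),
}

if __name__ == "__main__":
    for name in SAMPLES:
        state = "double-hop prone" if name in audit(SAMPLES) else "first hop only"
        print(f"{name}: {state}")
```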