Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

IUSR_machine and machine/ASPNET accounts
1/6/2006 7:47 PM
 

Finally set up using 3.2.2, but have a few ? regarding the Windows IUSR_<machine> and <machine>/ASPNET user accounts. 

At work, we use a Win 2k server, with SQL Server 7 as the backend.  In order to use a computer, everyone at work has to obviously log in and get validated to get on the domain.  We use either on our intranet depending on any restriction requirements. 

But at home, and in my IIS for DNN, both Anonymous and Windows Integrated Authentication are checked.  As I understand Microsoft, Anonymous is checked by IIS first.  If enabled, the user is passed as IUSR_<machine> regardless if WIA is checked.  If it is not checked, and WIA is selected, then the domain user account is passed.  Example ->  our network uses a 5 & 2 scheme (first 5 of last name + first 2 of first name.  If last < 5 characters, first name fills void.)  So, John Smith's username would be SmithJo.  We would add this user name to Logins under the Security tab of SQL Server, and any databases he would be authorized to (would also use roles if needed if the database is large and does different things, but on the same data) (did I read this right?).  So, do I really need Windows Integrated Authentication enabled?

The second part is since the server I installed DNN onto is a server in my house, and will not be getting large amounts of traffic, what is the 'account' that is going to be hitting the server from the outside?  I am assuming IUSR_, and once it has touched DNN, <machine>/ASPNET takes over from there?  When, if, I create SP's and Roles in SQL Server, will I then need to use the <machine>/ASPNET login in order for DNN to execute the SP's? Or, will each person who registers on the site have to have that login added to SQL Server, and then to the database? 

I may be way off base here, but what I have read in the PDF files is vague at best on this issue (or maybe I have an older doc), but if there is something that explains interaction between DNN / IIS / SQL Server, I would love to take a look at it.  Thanks. 

R/

 

 
1/6/2006 10:00 PM
 

Please bear with me as I have the attention span of a toddler. 

I am not exactly sure how to answer because I am not sure what exactly you are asking, so please read the response here and let me know if this helps (this is my basic understanding w/ no research).

When a request is sent via IIS to a folder (your virtual directory or virtual webserver), it is the System account which does this.  The next step when it hits the folder is the Windows security (popup for authentication).  Windows then checks to see if the anonymous access is enabled.  If so, the requesting user is treated as the IUSR_ account.  If anon ax is not enabled it then prompts for login and instead of being the IUSR_ account, it uses the account which you logged in with in that popup.  The ability of you as a user through the browser now uses this account against NTFS permissions for all calls (either IUSR_ or the logged in win act.).  For all calls which are done from the application itself, the system now uses the ASPNET user (or Network Service on 2k3) which was kicked in the minute the site had a request via IIS.  The application also does calls to the .NET framework using the System account.  The separation of the two accounts here is why some items in a dnn folder's install require special perms for ASPNET or Network services, and the rest just need it for the IUSR_. 

Now, for your SQL Server.  I would like a bit of backing on this one, but I think the way it works is (if you are not using SQL Server authentication, but using windows/Trusted Connection), it attempts to connect to SQL Server via the System account.  What this means to us is that if you are using a trusted connection to go against a SQL Server, it has nothing to do with the Windows account and therefore doesn't require additional users in SQL Server.  Personally, I prefer to do the SQL authentication and create a new user in SQL Server for each database and DNN install.

 


Chris Paterra
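
How the accounts discussed in this thread combine to decide which single login SQL Server needs, as an added example that is not part of the original posts or of DNN's code. It models default ASP.NET 1.x behaviour (process account ASPNET on IIS 5.x, Network Service on IIS 6, optional `<identity impersonate="true"/>` in web.config); the machine name WEB01, the login dnn_site1 and both connection strings are constructed sample values.

```python
# Constructed sample values (not from the thread): machine name, login, strings.
MACHINE = "WEB01"
SQL_AUTH = "Server=(local);Database=DotNetNuke;uid=dnn_site1;pwd=example-only;"
TRUSTED = "Server=(local);Database=DotNetNuke;Trusted_Connection=True;"

def parse_conn_string(cs):
    """Split an ADO.NET connection string into a lower-cased key -> value dict.
    Simplification: quoted values containing ';' are not handled."""
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def uses_windows_auth(kv):
    """True when the string asks for a trusted (Windows) connection."""
    flag = kv.get("integrated security", kv.get("trusted_connection", ""))
    return flag.lower() in ("true", "yes", "sspi")

def iis_identity(machine, anonymous_enabled, windows_user=None):
    """Token IIS attaches to the request; anonymous wins when it is enabled
    (assumes IUSR_<machine> has NTFS access to the requested file)."""
    if anonymous_enabled:
        return f"{machine}\\IUSR_{machine}"
    if windows_user is None:
        raise ValueError("anonymous disabled: a Windows logon is required")
    return windows_user

def worker_identity(machine, iis_version):
    """Default ASP.NET process account: ASPNET on IIS 5.x, Network Service
    on IIS 6 in its default worker process isolation mode."""
    return f"{machine}\\ASPNET" if iis_version < 6 else "NT AUTHORITY\\NETWORK SERVICE"

def sql_principal(conn_string, machine, iis_version, anonymous_enabled,
                  impersonate=False, windows_user=None):
    """Return (kind, name) of the one principal SQL Server must know about.
    Site registrants never appear here: they are rows in the application's
    tables, not SQL Server logins."""
    kv = parse_conn_string(conn_string)
    if not uses_windows_auth(kv):
        user = kv.get("user id", kv.get("uid"))
        if not user:
            raise ValueError("neither a trusted connection nor a user id given")
        return ("sql", user)
    if impersonate:  # <identity impersonate="true"/> in web.config
        return ("windows", iis_identity(machine, anonymous_enabled, windows_user))
    return ("windows", worker_identity(machine, iis_version))

if __name__ == "__main__":
    for cs in (SQL_AUTH, TRUSTED):
        print(sql_principal(cs, MACHINE, 5, anonymous_enabled=True))
```

Whatever principal the function returns is the only one that needs a SQL Server login and rights on the site's database; keeping one such principal per database and install limits what a compromised site can reach.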

1/7/2006 12:27 AM
 
Crispy wrote:

> Please bear with me as I have the attention span of a toddler.
>
> I am not exactly sure how to answer because I am not sure what exactly you are asking, so please read the response here and let me know if this helps (this is my basic understanding w/ no research).
>
> When a request is sent via IIS to a folder (your virtual directory or virtual webserver), it is the System account which does this.  The next step when it hits the folder is the Windows security (popup for authentication).  Windows then checks to see if the anonymous access is enabled.  If so, the requesting user is treated as the IUSR_ account.  If anon ax is not enabled it then prompts for login and instead of being the IUSR_ account, it uses the account which you logged in with in that popup.

Yes, however, depending how you have users set up (at work we have the user <domain>/USERS (and USERS is everyone who is a user in that domain)), the popup asking for name, pass, and domain may or may not come up.

> The ability of you as a user through the browser now uses this account against NTFS permissions for all calls (either IUSR_ or the logged in win act.).  For all calls which are done from the application itself, the system now uses the ASPNET user (or Network Service on 2k3) which was kicked in the minute the site had a request via IIS.  The application also does calls to the .NET framework using the System account.  The separation of the two accounts here is why some items in a dnn folder's install require special perms for ASPNET or Network services, and the rest just need it for the IUSR_.

Yep, so at least I understand that correctly when I read Microsoft's explanation on their website.  I don't have a doctorate in linguistics, so my head starts to hurt if I read too much at MS.

> Now, for your SQL Server.  I would like a bit of backing on this one, but I think the way it works is (if you are not using SQL Server authentication, but using windows/Trusted Connection), it attempts to connect to SQL Server via the System account.  What this means to us is that if you are using a trusted connection to go against a SQL Server, it has nothing to do with the Windows account and therefore doesn't require additional users in SQL Server.  Personally, I prefer to do the SQL authentication and create a new user in SQL Server for each database and DNN install.

Again, speaking in terms of where I work at, when we connect to the SQL server (we use SQL Server 7), I think we do use a Trusted Connection.  I can't remote in at the moment because the shipyard is shut down for the x-mas holidays, and major replacement of power and LAN cabling due to Hurricane Katrina.  Since I am not a SQL Server guru, please forgive me if I am way off base, but I know that somehow the person's login is passed to SQL, and I want to say it's by the SESSION("login") variable, but again I can't verify that with the connectionString.inc files or the SQL Server Reg properties at this moment.  Digress---I do know the user's login is grabbed upon initial hit of the global.asa file, and there is also code in there that generates a password and sets SESSION("uPass") for them.  After adding a user, we exec ussp_setPass that creates a pass using the same algorithm as the global.asa.  Sooo, maybe we aren't using Trusted after all.  I wish I could log in to check it.....

 

If we decide to use DNN on our intranet, I am assuming that we will be able to still grab the person's unique login upon initial page hit (Visual Studio .NET uses global.aspx = Visual Studio 6.0 global.asa?), set the password, and continue on as normal.  My main concern is that if I am John Doe the Electrical Foreman, I do not need to be seeing Payroll Data, nor do I need to see what work is not being completed on one of the destroyer hulls.  Since we have 4 facilities in 2 states, and 17,000 employees in our sector (not counting other sectors associated with us), it would not be feasible to have everyone register on the site. 

If possible, I would like to maybe IM / e-mail you when I can remote in, grab some code and a few screenshots.  That way, I can show exactly how IT has us setup, and what would be the best way to config a possible DNN? 

 

Thanks.

 

 