Federation Security Services GuideFederation Web Services Application SetupDeploy Federation Web Services as a Web ApplicationConfigure ServletExec to Work with Federation Web Services › Enable ServletExec to Write to the IIS File System

Previous Topic: Modify the AffWebServices.properties File for ServletExec

Next Topic: Ensure the IIS Default Web Site Exists
Enable ServletExec to Write to the IIS File System

The IIS Web server does not allow a plug-in to write to its file system unless it is configured with a user account that has proper rights to do so. Therefore, for ServletExec to write to the federation log files, the anonymous user account that you associate with ServletExec must have permissions to write to file system.

To enable the user account used by ServletExec to write to the IIS file system

  1. Open the IIS Internet Information Services Manager on the system where ServletExec is installed.
  2. Navigate to Web Sites, Default Web Site.

    The set of applications is displayed in the right pane.

  3. Select ServletExec and right-click Properties.
  4. Select the Directory Security tab in the Properties dialog.
  5. Click Edit in the Authentication and access control group box.

    The Authentication Methods dialog opens.

  6. Set the controls as follows.
    1. Select Enable Anonymous Access.

      For anonymous access, enter a name and password of a user account that has the permissions to right to the Windows file system. Refer to Windows documentation to grant this right to a user account. For example, you might use the IUSR Internet Guest account for anonymous access.

    2. Deselect Basic authentication.
    3. Deselect Integrated Windows authentication.
  7. If prompted, apply the security changes to all child components of the Web server.
  8. Restart the Web server.

The user account associated with ServletExec can now write to the IIS file system.

Additionally, you must give the anonymous user the right to act as part of the operating system.

To give the anonymous user account the right to act as part of the operating system

  1. Open Control Panel, Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment.

    The Local Security Settings dialog displays.

  2. Double-click Act as part of the operating system.

    The Act as part of the operating system Properties dialog opens.

  3. Add the anonymous user account to the Local Security Setting dialog.
  4. Click OK.
  5. Exit from the control panel.

Although it is optional, we strongly recommend that you, look at the Agent Configuration Object for the Web Agent protecting the IIS Web server and ensure that the SetRemoteUser parameter is set to yes to make sure that the anonymous user can write to the file system.

Copyright © 2010 CA. All rights reserved. Email CA about this topic