session nt authentication problems

Ok, so I set up the site in general to use NT authentication. AKA anonymous browsing is disabled. So you login, the script i believe then runs as the NT name, I used to think it was still iusr_computer name but i'll explain why in a second.....
here's how I'm doing it (well, how whoever wrote this does it, it's just an include i use)



Now, one of the subpages to this site. Writes out to another server, it is currently running under an application account. It works fine if i go strait to the site (NT authentication is disabled on this page so it can run on the app account) i can use it and it moves the files just fine. But, when i link to it from the current site that uses NT authentication, it errors saying permission is denyed.

I checked the IIS logs, and the error stats it's trying to login is as me (it shows my NT login). Which, bothers me, not only because do i have acccess and was runnign the script off my account before we switched it to the app account, but also why is my NT overriding the app account set int IIS manager? I know I'm creating the session variable, but I don't think that would override what the script is set to run at in IIS....

But in anycase, wether it was using my account, or the app, both should work, yet i get permission denied, so i figure the site must be using iusr.... but how is that possible if i set it up differently in IIS? and why would linking to it matter as opposed to just going strait to the page....

not to mention, there's another page that my nt and the app has access too, but we can link to that...it's not a page but a directory listing actually, but whatever, why does that one get through? what makes it so figgin special.... grrrr

alright kids, gather round it's lesson time

current setup
under wwwroot i have all my files.

when you enter a site that has anonymous browsing turned off, aka you enter your windows nt credentials blah blah blah, you get authenticated and it starts a header that says this user is now authenticated. And any page underneath that page, is then passed the header saying that you are NT authenticated. Now when i get to the site, that is in the same folder(root right now) it gets the header says, ok authenticated at the BROWSER level. Then it gets to the IIS level and says, well crap, you don't need to be authenticated, let's revert to the defaults! Here's where the fun part starts.

I was using an active X control to move these files to another server. active X defaults are different form IIS defaults. So it yes it did write my windows login as being what it was trying to loginto the server as BUT, if you look at security in event viewer it shows my machine iusr_machine account is trying to access the page (not my uniquer windows account... huh)... uh oh, red flag there.

Deeper investigation shows that the default for an active x control is the IUSR account, NOT the default i specified in IIS. How to get around this?....

Header stucture was invented to be a form of inheritence, if i have my first login NT page at the root level, every page on that specific site will get the header saying ok, this user is authenticated. I had the default.asp page redirect to a folder in my root called cc which had all my pages in there. The page that had to NOT be NT authenticated, remained in the root directory. Since the page moving files was behind the inhertience rule of the http header, it was able to user the default account specified for the webpage and active x control, as opposed to it saying, well we don't need NT authentication, lets use our own defaults and make unatratnag spend 3 days figuring out what the hell is going on in the internet these days.

good? got it? good!!