. I've seen a couple of posts in this thread by people who aren't seeing the expected behaviour with file permissions, the most recent one being just a few posts above. I saw the same thing, and realised that ASP.NET Impersonation
enabled by default on my install (IIS 7.5). Once I turned it on manually, everything worked as expected, but this wasn't mentioned in the installation instructions. Maybe it's something specific to later version of IIS, but it may be worth mentioning in later revisions to the documentation. Alternate port for Silverlight file access.
As has been previously mentioned by ASW1980
, I would find it handy to be able to run the site on a non-standard port and still have the Silverlight My Computer functionality. If it's possible to make that a configurable option in later version, that would be awesome. Problems with Application Request Routing
. This is a fairly obscure issue but I thought it worth mentioning. I was planning to publish HAP behind a reverse proxy using Application Request Routing
for IIS. This mostly worked, but downloading files did not work correctly as the download would drop part of the file (large files would be missing a few 100kB off of the end, small files would return 0 bytes). Tracing on the IIS side showed a 503 (Bad gateway) error being returned. The best lead I could find on this is that in cases where requests are proxied, data could be dropped if the ASP code sending the data calls Response.End before calling Response.Close. A small write-up on this is here
. I haven't gone digging through the source code to see if that is the case, but since you will be much more familiar with the code, I thought it worth mentioning even though it only happens over proxied connections. Security hardening.
I'm a bit of a security freak, and I get very nervous publishing external websites using a highly privileged account like Network Service, and would be even more nervous of doing so on a Domain Controller - especially with the domain admin account username and password sitting in Web.config. I know RM like to ignore a lot of best practice in this area since they require running IIS on their DCs for the RMMC, but if a malicious user managed to compromise HAP while running in this configuration, you could potentially lose the entire domain. I configured HAP to run under a completely separate standard user account, with no special privileges other than begin configured as an IIS worker, and use the same account for the LDAP queries. I have encountered no problems with this configuration at all when using the My Computer functionality, though I suspect I would need to grant delegation privileges to that account in the AD for password changes if I were using that part of HAP. Are there any other access rights that HAP would need for other parts of the product, to assist others who were as nervous about using privileged accounts as I am?