IIS 7.5 WEBDAV access to user folders on backend FILESERVER

gagned (asker, Canada):

Hello Experts, I’ve been working at this for a few days now and would like to call upon your knowledge for a little help.

My goal:

To set up our employees' home folders so that they are accessible from the internet using WebDAV and IIS 7.5, specifically to map drives from an employee's home Windows computer over the internet and/or use WebDAV-enabled "apps" to connect to their folders on a mobile device, using an https URL.

Our environment:

Our employees all have personal folders on a file server (2003 SP2 32-bit) that is accessed over the local network. Security is set up for the users using Active Directory, the logon scripts and home folder mappings. Folder security on the file server is already all in place, with each user having access to their respective folder, and this has been going great for years.
We have a single web server: 2008 R2 64-bit, IIS 7.5 with WebDAV and Windows authentication installed. It is a member of the Windows domain (we have one Windows domain only). The web server is published to the internet using ISA 2006. Our public internet domain www.domain.com, among others, points to the ISA server (public IP) and has publishing rules for all our websites and applications that run on our web server (internal IP).
I have registered a subdomain files.domain.com for the WebDAV URL. It points to the ISA server. I've set up the publishing rules on ISA as per all our other domains and set up IIS on our web server to display a simple page to the internet to test that all was in working condition for this URL.
Our domain controller is Server 2008 64-bit, does AD, DNS, etc., and is in 2008 native mode, if that helps anything.

Where I'm at:

On the web server in IIS I have created a new website; it points to a local empty folder on the web server, C:\inetpub\wwwroot\files. The app pool identity for this site runs under a domain admin account (for the moment, for testing) that has full permission over the root of the user folders and all user folders on the file server. .NET version is set to unmanaged code, pipeline mode is Classic. The only authentication provider activated is Windows authentication with kernel mode checked. WebDAV is also activated for the site and has an authoring rule of all users read, write and source. I added a virtual directory to the website called webdav that points to the root of the user folders on the file server. The UNC path is \\FILESERVER\users. "Connect as" in the basic settings is set to (application user, pass-through). The UNC path is also set up as a share with the domain group of all employees having read and modify.
In IIS I can see all the user folders, but if I try to map a drive or browse to the folders in IE, or use a WebDAV-enabled app using http://files.domain.com/webdav/user, I get 401.x after being asked for credentials three times without success.

The machine account DOMAIN\WEBSERVER$ is trusted for delegation. The domain account used for the app pool is trusted for delegation. When it comes to setting up SPNs and delegation, I get a little confused over what needs to be set up on which server and for what account.
I ran these two commands on the web server:

    setspn -a HTTP/files.domain.com WEBSERVER

and

    setspn -a HTTP/files.domain.com domain\apppooluser

Nothing was run on the file server.

 I have played around with delegconfig v2 and a whole bunch of different configurations without success.  The only way I can get it to work is if I set the ‘connect as’ credentials for the Virtual directory to a domain account with full access to all the folders, but this is not a solution as all the folders become available to all the users.

Points for anyone who can help me fine tune these settings and get this to work.

PS.  I also have tomcat 6 running on the webserver for our java apps, but have not even considered it as a solution YET.
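The Kerberos side of the setup described above, as an added example that is not code from the post or from Microsoft: a PowerShell script for WEBSERVER that puts the HTTP SPN on exactly one account, swaps the unconstrained "trusted for delegation" setting for constrained delegation to the CIFS service on FILESERVER, tells IIS to decrypt tickets with the app pool account, and checks that a client actually obtained a Kerberos ticket rather than falling back to NTLM. Names taken from the post: DOMAIN, WEBSERVER, FILESERVER, files.domain.com, apppooluser and the vdir "webdav"; the IIS site name files.domain.com and the path of Microsoft.Web.Administration.dll are assumptions.

```powershell
# Added example (not code from the thread): the Kerberos plumbing the post describes, done
# once, in a checkable order. Run elevated on WEBSERVER under an account that may edit
# apppooluser, the WEBSERVER computer object and SPNs. Assumed: the IIS site name.
$ErrorActionPreference = 'Stop'
$Domain      = 'DOMAIN'
$WebHost     = 'WEBSERVER'            # IIS box, domain member
$FileHost    = 'FILESERVER'           # back end that holds \\FILESERVER\users
$Spn         = 'HTTP/files.domain.com'
$AppPoolUser = 'apppooluser'          # app pool identity; a plain domain user is enough, not a domain admin
$SiteName    = 'files.domain.com'     # assumed IIS site name
$DnsDomain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

# 1. The SPN must exist on exactly one account. The post registered it on both WEBSERVER and
#    apppooluser; with a duplicate the KDC cannot issue a ticket for it, clients drop to NTLM
#    (which cannot be delegated on to FILESERVER) and the result is three prompts and a 401.
#    Take it off the machine account, register it with -S (which refuses to create a duplicate),
#    then let setspn -X confirm nothing else in the forest still claims it.
if ((& setspn -L $WebHost) -match [regex]::Escape($Spn)) { & setspn -D $Spn $WebHost | Out-Null }
if (-not ((& setspn -L "$Domain\$AppPoolUser") -match [regex]::Escape($Spn))) {
    & setspn -S $Spn "$Domain\$AppPoolUser" | Out-Null
}
if ((& setspn -X) -match [regex]::Escape($Spn)) { throw "$Spn is still registered on more than one account" }
if (-not ((& setspn -L "$Domain\$AppPoolUser") -match [regex]::Escape($Spn))) {
    throw "$Spn is not on $AppPoolUser; another account holds it (see setspn -Q $Spn)"
}

# 2. Constrained delegation instead of "trusted for delegation to any service": apppooluser may
#    obtain tickets on a user's behalf only for CIFS on FILESERVER (short and FQDN forms).
#    0x80000 (TRUSTED_FOR_DELEGATION) is the unconstrained flag; it is cleared on both accounts,
#    since Kerberos-only constrained delegation needs no userAccountControl flag at all.
$TRUSTED_FOR_DELEGATION = 0x80000
$searcher = New-Object System.DirectoryServices.DirectorySearcher
function Get-AdEntry([string]$filter) {
    $searcher.Filter = $filter
    $r = $searcher.FindOne()
    if (-not $r) { throw "No AD object matches $filter" }
    $r.GetDirectoryEntry()
}
$user = Get-AdEntry "(&(objectCategory=person)(sAMAccountName=$AppPoolUser))"
$allowed = @($user.Properties['msDS-AllowedToDelegateTo'])
foreach ($target in @("cifs/$FileHost", "cifs/$FileHost.$DnsDomain")) {
    if ($allowed -notcontains $target) { $user.Properties['msDS-AllowedToDelegateTo'].Add($target) | Out-Null }
}
$computer = Get-AdEntry "(&(objectCategory=computer)(sAMAccountName=$WebHost`$))"
foreach ($entry in @($user, $computer)) {
    $uac = [int]$entry.Properties['userAccountControl'].Value
    $entry.Properties['userAccountControl'].Value = $uac -band (-bnot $TRUSTED_FOR_DELEGATION)
    $entry.CommitChanges()
}

# 3. IIS: keep kernel-mode auth (HTTP.sys decrypts) but make it use the app pool account's key,
#    since that is where the SPN now lives; with useAppPoolCredentials=false HTTP.sys would try
#    the machine account's key and reject every ticket. The vdir stays pass-through (no stored
#    credentials) so the impersonated user's own ticket reaches \\FILESERVER\users and the
#    per-folder NTFS ACLs keep deciding who sees what.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"   # assumed path
$mgr  = New-Object Microsoft.Web.Administration.ServerManager
$site = $mgr.Sites[$SiteName]
if (-not $site) { throw "IIS site '$SiteName' not found" }
$poolName = $site.Applications['/'].ApplicationPoolName
$poolUser = $mgr.ApplicationPools[$poolName].ProcessModel.UserName
if ($poolUser -ne "$Domain\$AppPoolUser") { throw "App pool '$poolName' runs as '$poolUser', expected $Domain\$AppPoolUser" }
$cfg  = $mgr.GetApplicationHostConfiguration()
$auth = 'system.webServer/security/authentication'
$win  = $cfg.GetSection("$auth/windowsAuthentication", $SiteName)
$win['enabled'] = $true
$win['useKernelMode'] = $true
$win['useAppPoolCredentials'] = $true
$anon = $cfg.GetSection("$auth/anonymousAuthentication", $SiteName)
$anon['enabled'] = $false
$vdir = $site.Applications['/'].VirtualDirectories['/webdav']
$vdir.PhysicalPath = "\\$FileHost\users"
$vdir.UserName = ''
$vdir.Password = ''
$mgr.CommitChanges()

# 4. Verify from a domain-joined client, not from WEBSERVER itself (a server fails Windows
#    authentication against its own host name because of the loopback check). A Kerberos logon
#    leaves a service ticket for the SPN in klist; an NTLM fallback leaves none.
function Test-WebDavKerberos {
    param([string]$Url = 'http://files.domain.com/webdav/', [string]$Spn = 'HTTP/files.domain.com')
    & klist purge | Out-Null
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'OPTIONS'
    $req.UseDefaultCredentials = $true
    try { $req.GetResponse().Close() } catch { return "HTTP failure: $($_.Exception.Message)" }
    if ((& klist) -match [regex]::Escape($Spn)) { 'Kerberos' } else { 'NTLM or anonymous: no service ticket for the SPN' }
}
```

Two checks matter more than the rest. A duplicate SPN is the first thing to rule out after the two setspn commands in the post, because the KDC then cannot issue a ticket and every client silently drops to NTLM, which has no double hop to the file server. And Kerberos needs the client to reach a domain controller for a ticket, so this design works on the LAN; an internet client that arrives through ISA has no path to a KDC and can only ever offer NTLM or Basic, whatever the server side is configured for.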
scomeau:

Gagned, I have almost the exact same setup, except that my file server/domain controller is the same box (2008 x64 w/IIS installed). I also use ISA 2006.

Make sure you have individual websites configured for each WebDAV folder in IIS: i.e. user1=https://files.rootdomain.com/user1, user2=https://files.rootdomain.com/user2.

With Windows 7, you can actually test WebDAV by mapping a drive directly using: https://files.domain.com/user1. Try that internally before you go external.

Also make sure you have the right Certs installed in ISA for the listener that match the one in IIS.

It sounds like you have the right permissions set up, but again, test internally first, then publicly (outside of ISA).

BTW, we use the free iPad WebDAV Nav and it works great. My only issue is that on a home (personally owned) PC, we cannot map a drive directly natively in Windows 7 (except using WebDrive software or via the browser).  But, on a machine that already is on our domain, the new Windows 7 map drive command has the WebDAV built in and it works fine.
gagned (asker):

scomeau, thanks for the reply. At least I know what I am trying to achieve is possible. You mentioned that your file server has IIS installed on it. Is this needed to get this to work? Did you have to set any SPNs on your file server? I am testing everything internally to start, and without HTTPS. Once I get it working internally, I will go outside, then set up SSL.
Thanks again.

scomeau:

SPN? Not sure what you mean. We have IIS on that main server, but it could be on any server. The IIS on our main file server also points to other servers with shares we access with WebDAV.

Oh, I just remembered one thing, sorry about that: for the folders that you will share with WebDAV, make sure the security settings have the following accounts and rights on those folders:
1. The file server name with IIS on it, with full rights (i.e. add FSX: Full Control).
2. The IIS_IUSRS user from the domain, with full rights (i.e. DOMAIN\IIS_IUSRS: Full Control).

This bites me in the behind every time I create a new one and forget to add that machine and user account.  If the folder is also an NT share, you don't have to worry about the shared permissions, but the NTFS ones have to be there.  This took me a while to discover.
gagned (asker):

scomeau, can you confirm this for me?  

When you create a new website or virtual directory for a new WebDAV folder, is the path to the folder you use a UNC path, i.e. \\servername\folder, or a local path, i.e. C:\inetpub\wwwroot\folder?

If they are UNC path, then i am very excited to know how you got it to work.

Oh and do you get web.config files created in your folders by IIS?

Thanks again.

P.S. I don't have a DOMAIN\IIS_IUSRS group that I can set up on the folder.

scomeau:

If the folder was local (on the machine), I used the drive letter; however, for the other server shares, UNC was fine. For the non-local server, I also used the Connect As setting. I couldn't get the Application User/Pass-Through setting to work on a UNC'd folder.

This was the site I followed: http://learn.iis.net/page.aspx/350/installing-and-configuring-webdav-on-iis/

The only thing I had to set on the folders being WebDAV'd was the adding of the local server to each folder (the IIS_IUSRS group only had to be on the local server folders also but not on the remote ones).  I think this article may have helped: http://888rock.blogspot.com/2010/03/enable-webdav-on-iis-75-windows-2008.html

I can't seem to find the article about getting the IIS Server Machine Name on the NTFS permissions for the WebDAV folder...  It's been a few years. I'll search and post if I find it.  When I upgraded to Server 2008 x64, it was very different from what was on 2003 (which was much easier).
gagned (asker):

Thanks, I already read those articles and they were helpful in getting me to the point I'm at now. I think I might be getting closer to a usable solution with your help. What type of rights did the account you used for the Connect As for the UNC folders have? Are you able to lock down security for certain users on a folder-by-folder basis if you use a domain account in the Connect As option?

I think that if you use application user/pass-through in the Connect As option you need to set up impersonation, delegation and the SPNs (service principal names) as I had mentioned earlier. Ideally that would be the way I would like it to work.

Thanks again, I appreciate your replies.

scomeau:

I used a full-blown admin (it was a general service account with full admin rights). Hmmm, but that is on a folder we don't care much about (media). Let me play with this a bit more and try another non-local folder and see if I can get the pass-through to work.

Our setup is somewhat convoluted since we also use DFS-R and I have the IIS/WebDAV running on a file server where it replicates (-R) to other servers. So, if someone needs data on a folder that is on another server, the data is replicated on the IIS/WebDAV server so local access replicates to the other server.  Our bandwidth between sites where other servers reside is insanely fast so replication between networks is unusually instantaneous. This may give me an unfair advantage in all of this...  Let me test more.
ASKER CERTIFIED SOLUTION (scomeau): [solution body only available to Experts Exchange members]
gagned (asker):

Hey, thanks scomeau, I will look at that link; I don't believe I've seen that one yet.

I had my wanted setup working internally using Windows auth (Kerberos). I was just able to test from outside now and I couldn't get the browser or map drive to access folders. I will have to look into it some more.

Just want to let you know that, as far as I know, WebDAV Nav does not support Kerberos authentication, and that I haven't found any apps that support WebDAV and Kerberos YET.

So I might have to look into your solution as a workaround to using Kerberos.

Cheers!

scomeau:

Let me know how it goes. You can get the Windows credentials to work, just have to use Basic Authentication... I don't like it either, but I couldn't get it to work otherwise. All the best!
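The Basic-authentication fallback suggested above (and the fixed Connect As account from scomeau's earlier reply), as an added example that is not code from the thread: a PowerShell script, run elevated on the IIS server, that only enables Basic after confirming an https binding and requiring SSL, because Basic carries the user's domain password base64-encoded in every request. It then keeps the vdir pass-through rather than storing a service account, since an IIS Basic logon with the ClearText logon method has the password and can open the share as the user, which means per-folder NTFS permissions still apply and files stay owned by the user who created them. Names from the thread: DOMAIN, FILESERVER, files.domain.com, the vdir "webdav"; the IIS site name and the path of Microsoft.Web.Administration.dll are assumptions.

```powershell
# Added example (not code from the thread): Basic authentication over TLS with a pass-through
# vdir, instead of a fixed admin "Connect As" account. Run elevated on the IIS server.
$ErrorActionPreference = 'Stop'
$SiteName = 'files.domain.com'      # assumed IIS site name
$Domain   = 'DOMAIN'
$FileHost = 'FILESERVER'
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"   # assumed path
$mgr  = New-Object Microsoft.Web.Administration.ServerManager
$site = $mgr.Sites[$SiteName]
if (-not $site) { throw "IIS site '$SiteName' not found" }

# 1. TLS before Basic: refuse to continue without an https binding, then require SSL for every
#    request so a password never travels in the clear, not even for a mistyped http:// URL.
if (-not ($site.Bindings | Where-Object { $_.Protocol -eq 'https' })) {
    throw "$SiteName has no https binding; import the certificate and bind 443 first"
}
$cfg    = $mgr.GetApplicationHostConfiguration()
$access = $cfg.GetSection('system.webServer/security/access', $SiteName)
$access['sslFlags'] = 'Ssl'

# 2. Authentication: anonymous off, Basic on. logonMethod ClearText (the IIS default) performs a
#    network-cleartext logon with the supplied password, so the resulting token can open
#    \\FILESERVER\users as that user with no Kerberos delegation involved. Windows auth stays
#    enabled for domain-joined PCs on the LAN that can present a ticket; Basic is what a mobile
#    WebDAV client or a home PC behind ISA will actually use.
$auth  = 'system.webServer/security/authentication'
$anon  = $cfg.GetSection("$auth/anonymousAuthentication", $SiteName)
$anon['enabled'] = $false
$basic = $cfg.GetSection("$auth/basicAuthentication", $SiteName)
$basic['enabled']            = $true
$basic['defaultLogonDomain'] = $Domain      # users type only their account name
$basic['realm']              = $SiteName
$basic['logonMethod']        = 'ClearText'

# 3. Pass-through on the UNC vdir: no stored service-account credentials, so each file on
#    FILESERVER is created and owned by the authenticated user, and the NTFS ACLs and quotas on
#    the home folders keep applying per user. Nothing needs "trusted for delegation" here.
$vdir = $site.Applications['/'].VirtualDirectories['/webdav']
$vdir.PhysicalPath = "\\$FileHost\users"
$vdir.UserName = ''
$vdir.Password = ''
$mgr.CommitChanges()
```

The cost of this design is that every request carries the password, so the https check is not optional, and the ISA publishing rule has to bridge to the web server over HTTPS as well or the sslFlags requirement rejects the internal hop. The gain over a fixed Connect As account is that user1 cannot reach /webdav/user2, because the file server, not IIS, is still the one saying no.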
gagned (asker):

scomeau, using your advice, I got it to work using basic authentication. I'm not 100% sure if I will be able to use this as a solution, as using basic authentication does not allow the user creating a file to be the owner of the file, and this lets them bypass their quota. If there were mobile apps supporting Kerberos authentication, I think I would be good to go; however, that is not the case.
Thanks for your help with this challenge I was facing.
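A check for the ownership side effect described above, as an added example that is not code from the thread: a PowerShell audit, run from a machine with read access to the share and the right to read security descriptors, that walks each home folder under \\FILESERVER\users (assumed layout: one folder per sAMAccountName, domain DOMAIN) and reports files not owned by that folder's user. NTFS disk quotas are charged to the file owner, so this is exactly the set of files a fixed Connect As account has taken out of the user's quota.

```powershell
# Added example (not code from the thread): find files in each home folder that are owned by
# someone other than the folder's user. Assumed: \\FILESERVER\users\<sAMAccountName>, domain DOMAIN.
function Get-ForeignOwnedFiles {
    param(
        [string]$UserRoot = '\\FILESERVER\users',
        [string]$Domain   = 'DOMAIN',
        # Owners that are normal on a user's folder and should not be reported.
        [string[]]$IgnoreOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    foreach ($home in Get-ChildItem -Path $UserRoot | Where-Object { $_.PSIsContainer }) {
        $expected = "$Domain\$($home.Name)"
        Get-ChildItem -Path $home.FullName -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $owner = (Get-Acl -Path $_.FullName).Owner
                if ($owner -ne $expected -and $IgnoreOwners -notcontains $owner) {
                    New-Object PSObject -Property @{
                        Home  = $home.Name
                        Path  = $_.FullName
                        Owner = $owner
                        Bytes = $_.Length
                    }
                }
            }
    }
}

# Per (owner, home folder): how many files and how many MB the quota system charges to the
# wrong account. A service account such as the Connect As user shows up here as one big row.
Get-ForeignOwnedFiles |
    Group-Object Owner, Home |
    Select-Object Name, Count, @{ n = 'MB'; e = { [math]::Round(($_.Group | Measure-Object Bytes -Sum).Sum / 1MB, 1) } } |
    Sort-Object MB -Descending |
    Format-Table -AutoSize

# To hand the files back to their users (run on FILESERVER or with SeRestorePrivilege):
# Get-ForeignOwnedFiles | ForEach-Object { icacls $_.Path /setowner "DOMAIN\$($_.Home)" /Q }
```

Run it before and after changing the authentication design: a clean run after the switch to pass-through is the evidence that quotas are counting the right owner again, and the `icacls /setowner` line repairs what the fixed-credential period left behind.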
Another reply:

I had the same problem, but I had a hidden share that ended with a $.
My share was named \\server\homedrvs$ and inside that share all the user folders reside.
You can only see the user folder if you know the hidden share and have access to the user folder.
I think that WebDav did not understand the $ at the end of the share name.

I solved it by creating DFS folder that linked to my hidden share.
Then I created a Virtual Folder in IIS and linked the DFS share.
This was especially useful for use with iPad in our organisation. The app Webdav Nav is the app the we are using and now it works like a charm.

Most of the setup was based on this tutorial:
http://community.spiceworks.com/how_to/show/1945-access-your-file-server-from-your-ipad-iphone
Although I did not allow for directory listing for my domain users...