IIS virtual directory 'connect as' to network location on another server. The UNC is '\\I95\it\HR'. IIS 'connect as' user is a domain account called IISUser. This user has been given read and execute, list, and read permissions on the HR folder.
I can access this page - http://hr/managers.shtml and then there are links like the following, http://hr/Managers/Pre-Sel
When I click a link I get prompted with a 'Connecting to' login prompt 3 times, and when I use an account that does have access via NTFS - I still get an error message saying:
"You are not authorized to view this page"
This folder '..\Managers' has been secured using NTFS permissions so that only domain users in the correct GBL groups have access to the docs and pdfs that are linked.
Can someone tell me why IE is not passing the current user token so that if people are in the right groups they will be able to acces this location? Or, if the user must be prompted, why is their domain credential not allowing them to access/open the docs and pdfs that are linked.
Is this an issue with the IIS security setting or the NTFS permissions?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
This issue is related to what credentials IIS is passign to the UNC share and the NTFS permissions set on the shared content.
When you set a 'connect as' user ID *all* access to the share will be based on the 'connect as' user's credentials, however there are ways of having IIS pass the accessing user's credentials instead.
What version of IIS are you using?
Dave Dietz
http://support.microsoft.c
How to Enable Pass-through Authentication for UNC Virtual Directories
This article should get you up and running.
Let me know if any of it is not clear of if you run into problems with it and I'll be happy to help. :-)
Dave Dietz
Dave,
I looked over the linked document, but hav not implmented that yet. I have made some progress, but maybe I still need to follow those instructions also. Below is what I have done and what happens now:
On the 'Managers' virtual directory (..\Managers), I have unchecked 'Anonymous Access' and enabled ONLY 'Basic authentication'. Now when I click a link that points to a file in that folder - i.e. 'http://hr/Managers/FORM%2
1. Is there a way that IE can pass the currently logged on users' credentials so that they don't have to enter their username/password? If so, is that what the linked document you sent does?
Thanks for your help,
Patrick
Interesting, the '..\Managers' folder has NTFS permissions that allow the 'Connect As' user (which is a domain user account called 'IISUser') to read/execute, list, and read. There are also 3 global security groups that have been given the same access, and those groups have the user accounts that we want to allow to access that folder.
So with the IIS aithentication set to 'Basic auth', it prompts for username/password...even though the IIS 'connect as' user has access. I assume that when you remove anonymous auth on that virtual directory that the 'connect as' user doesn't get used as the connecting credentials?
>>Is there a way that IE can pass the currently logged on users' credentials so that they don't have to enter their username/password?
Yes, but that is client configuration and cannot be forced from the server side. You can tell IE to send the logged in users credentials to sites in a particular zone (Intranet, Internet, etc) and it will automatically respond to Basic auth.
>>If so, is that what the linked document you sent does?
No. :-)
>>I assume that when you remove anonymous auth on that virtual directory that the 'connect as' user doesn't get used as the connecting credentials?
You would assume incorrectly. What this does is it causes IIS to ask the user for credentials to access the virtual directory. Once the user has provided valid credentials IIS will then use the 'connect as' user credentials to access the actual contents of the virtual directory.
For this to work properly yopu will need to go through the document and make the changes to the Metabase to enable PassThrough authenticatioon.
If this is all within an Active Directory domain (users, computers and servers all in the same domain) you could try using Kerberos Delegation. It is a little trickier to set up and absolutely will not work across the internet but it doesn't prompt for credentials. I would suggest trying with Basic Passthrough first and then if circumstances dictate you may want to experiment with Kerberos.
Dave Dietz
It seems you are in the same lan.. if the server is joined to the domain then in IIS use integrated authentication.. this will autologon users to the unc if the have permissions on that unc.. if they get a popup and later they login after setting the credentials then in IE go to tools.. internet options..security.. change the internet custom level (click on the button) ... scroll to the bottom and selet automatically logon using current username and password..
You can set this in a group policy object if you want it automatically propagated to the whole domain users..
regards
Michel
IIS MVP,MCDBA,MCAD,MCSA,CCNA
Dave,
Hmm, this is interesting. Things seem to be working without setting up the Pass-through Authentication. Users are getting prompted, and if they are not in the global security groups with NTFS permissions on the '..\Managers' folder they don't have access. If they are in the right NTFS security groups they are granted access.
>> What this does is it causes IIS to ask the user for credentials to access the virtual directory. Once the user has provided valid credentials IIS will then use the 'connect as' user credentials to access the actual contents of the virtual directory.
Based on my comment above - when IIS asks for user credentials to access the virt dir, it must take those and check the NTFS permissions first, and THEN if the user is allowed to access it must use the IIS 'connect as' user. Is this correct?
If this is correct, then why would I need to use the Pass-through Authentication?
Dave,
I am finally going thru the 'pass thru auth' document, but my IIS 5 server does not have the 'Adminsamples' directory listed in step 5, below:
5. Open a command prompt, and change to the %systemroot%\System32\Inet
Thoughts/tips?
Thanks,
Patrick
Dave,
Okay, so I am also confused by Step 6.
6. At the prompt, type the following:
adsutil set w3svc/#/root/*vdir*/UNCUse
(where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)
How do I find out what the # of the web site is? I have 11 web sites hosted on this IIS server currently.
The 'Managers' virtual directory that I am attempting to set up the pass thru auth on, is actually a virt dir under the human resources web site folder. The human resources web site is actually a share located on another computer - so the home directory for that folder is '\\I95\it\HR'. So is the virt dir going to be "../root/Managers/..." ?
Sorry to need such specifics.
Thanks,
Patrick
The easiest way to find the site identifier in IIS 5 is to open the web site properties, click on 'properties...' in the logging section near the bottom and then look at the log file name at the bottom of the window that comes up. The name will be something like W3SVC1\exyymmdd.log. The '1' in W3SVC1 is the site identifier number you will want to use.
Assuming that the web site identifier is 1 the command line will look like the following:
adsutil set w3svc/1/root/managers/UNCU
The command doesn't care where the content is located physically, just where it resides in the Metabase.
Dave Dietz
Dave,
Well...I completed the steps in the article and stopped/restarted IIS. It appears that the pass thru auth is now working, BUT...and this is a BIG BUT...the pass thru auth is now on the 'root' of the HR website. So I guess the command really did need to be placed on the ./Managers virt directory.
I don't really need the entire HR site to be password protected - just the Managers section. Any idea how I can reverse the steps and get it back to the old way?
Then, we will need to figure out why I got the error when I tried to run the comman against the Managers virt dir?
Thanks,
Patrick
Business Accounts
Answer for Membership
by: baze68Posted on 2006-07-05 at 12:33:36ID: 17045640
Okay, so this appears to be NTFS related, not IIS. When I give the the 'connect as' IISUser account NTFS read/list permissions on the 'managers' folder/file - everything works.
BUT, I don't want everyone to be able to access/pull the files from that folder. So how do I set up the NTFS permissions and the IIS authentication on the 'Mangers' virtual directory to allow acces to just the users in the GBL groups that I have granted NTFS permissions?
Thanks in advance for your help.