[Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2608
  • Last Modified:

problem with IIS6 pass-through authentication


I can't manage to get the "pass-through authentication" feature of IIS 6 working. This is the simple configuration:

step 1)

I create a folder on server "server_a" (win 2003 standard), NTFS security settings: only user "user_x" has full access, this folder is shared as "\\server_a\remote"

step 2)

On server "server_b" (win 2003 standard with IIS 6) I start the IIS manager, at the level "server_b/web sites/default web sites" I create a new "virtual directory" named "remote". The "web site content directory" is the UNC of the shared directory from step 1: "\\server_a\remote", in the windows "security credentials" I omit the username and password - instead I select the option "always use the authenticated user's credentials when validating the access to the network directory", in the window "virtual directory access permissions" I select "read" and "run scripts (as ASP)"

step 3)

then I configure the tab "directory security" of the new virtual directory: under "authentication and access control" I press the "edit" button and select only the option "integrated windows authentication" (no "anonymous access" and no "basic authentication")

Now logged in as "user_x" I try to access the shared folder on "server_a" via the IIS6 on "server_b" : http://server_b/remote (using IE6, WinXP SP2) ... unfortunately without success: first of all I get a window asking me for username and password (why ? I checked the option "integrated windows authentication" - so the system should know my credentials ?!?) but even if I enter my credentials I can't get access to that share: "HTTP Error 401.3 - You are not authorized to view this page".

As long as the resource is located locally on the webserver, the "pass-through authentication" feature works for me and entering a specific account as security credentials for the remote web resource (in step 2) is also working. BUT the "always use the authenticated user's credentials when validating the access to the network directory" thing does not ...

Maybe I missed something important in the configuration ?

1 Solution
You are running into a double-hop authentication problem. IIS doesn't have user_x's password. All it has is a token (presumably from a Domain Controller) that doesn't have permissions to access the remote resource.

If you want to get this working using IWA, then you have two options:
a) ensure that Kerberos authentication is used end-to-end and enable/configure delegation as appropriate [1]
b) use NTLM between client and IIS server (that is the other part of IWA) but use protocol transition, so that the IIS server can still get a Kerberos service ticket on behalf of the user to access the remote file share [2]

Alternatively, you will need to go with an insecure authentication protocol like Basic Authentication, where IIS can directly impersonate the user in question because it has access to the username, and the user's plaintext password.

This is all covered in more detail in the IIS6 Security book I co-authored [3]. You can get the authentication information from this chapter:


[1] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
[2] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
[3] http://www.amazon.com/exec/obidos/ASIN/1931836256/adopenstati0f-20

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now