problem with IIS6 pass-through authentication

Posted on 2005-05-03
Last Modified: 2008-06-13

I can't manage to get the "pass-through authentication" feature of IIS 6 working. This is the simple configuration:

step 1)

I create a folder on server "server_a" (Win 2003 Standard). NTFS security settings: only user "user_x" has full access. This folder is shared as "\\server_a\remote".

step 2)

On server "server_b" (Win 2003 Standard with IIS 6) I start the IIS manager and, at the level "server_b/web sites/default web sites", I create a new "virtual directory" named "remote". The "web site content directory" is the UNC of the shared directory from step 1: "\\server_a\remote". In the "security credentials" window I omit the username and password and instead select the option "always use the authenticated user's credentials when validating the access to the network directory". In the "virtual directory access permissions" window I select "read" and "run scripts (as ASP)".

step 3)

Then I configure the "directory security" tab of the new virtual directory: under "authentication and access control" I press the "edit" button and select only the option "integrated windows authentication" (no "anonymous access" and no "basic authentication").

Now, logged in as "user_x", I try to access the shared folder on "server_a" via the IIS 6 on "server_b": http://server_b/remote (using IE6, WinXP SP2) ... unfortunately without success. First of all I get a window asking me for username and password (why? I checked the option "integrated windows authentication", so the system should know my credentials?!), but even if I enter my credentials I can't get access to that share: "HTTP Error 401.3 - You are not authorized to view this page".

As long as the resource is located locally on the web server, the "pass-through authentication" feature works for me, and entering a specific account as security credentials for the remote web resource (in step 2) is also working. BUT the "always use the authenticated user's credentials when validating the access to the network directory" thing does not ...

Maybe I missed something important in the configuration?

Question by: yagamyster

    Accepted Solution

    You are running into a double-hop authentication problem. IIS doesn't have user_x's password. All it has is a token (presumably from a Domain Controller) that doesn't have permission to access the remote resource.

    If you want to get this working using IWA, then you have two options:
    a) ensure that Kerberos authentication is used end-to-end and enable/configure delegation as appropriate [1]
    b) use NTLM between client and IIS server (that is the other part of IWA) but use protocol transition, so that the IIS server can still get a Kerberos service ticket on behalf of the user to access the remote file share [2]

    Alternatively, you will need to go with an insecure authentication protocol like Basic Authentication, where IIS can directly impersonate the user in question because it has access to the username, and the user's plaintext password.

    This is all covered in more detail in the IIS6 Security book I co-authored [3]. You can get the authentication information from this chapter:
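The following is an added example written by the editor; it is not code from the answer above, from the book it cites, or from the original poster. It wires up option (b) from the answer: Kerberos constrained delegation with protocol transition, so the IIS 6 worker process on server_b can obtain a CIFS service ticket for \\server_a\remote on behalf of user_x even when IE authenticated to IIS with NTLM. It assumes (none of this is stated on the page) that the domain is corp.example, that server_b's computer object sits in the default Computers container, that the site is the Default Web Site (metabase path W3SVC/1), and that the application pool runs as Network Service, so the machine account SERVER_B$ is the delegating identity. Constrained delegation and protocol transition both require the domain to be at the Windows Server 2003 functional level.

```powershell
# Added example (not the answerer's code). Configure Kerberos constrained
# delegation + protocol transition for an IIS 6 host so pass-through
# authentication to a UNC content directory works across the double hop.
# Assumptions: domain corp.example, IIS host server_b, file server server_a,
# Default Web Site (W3SVC/1), app pool identity = Network Service (SERVER_B$).
# Run as a domain admin on a domain-joined machine.

$domainDn   = 'DC=corp,DC=example'   # assumption
$fqdnSuffix = 'corp.example'         # assumption
$iisHost    = 'server_b'             # IIS 6 box (first hop)
$fileHost   = 'server_a'             # file server holding \\server_a\remote

# 1) Clients must be able to request a Kerberos ticket for the web site.
#    Network Service authenticates as SERVER_B$, whose HOST/ SPN already
#    covers HTTP/server_b, so nothing to register here. If the app pool ran
#    as a domain account you would put the SPNs on that account instead:
#       setspn -A HTTP/server_b              CORP\svc_iis
#       setspn -A HTTP/server_b.corp.example CORP\svc_iis
setspn -L $iisHost   # list what is currently registered for the IIS host

# 2) Delegation settings on the delegating account (the computer object).
#    msDS-AllowedToDelegateTo restricts delegation to the CIFS service on
#    server_a only; TRUSTED_TO_AUTH_FOR_DELEGATION enables protocol
#    transition ("use any authentication protocol" in the ADUC GUI), which is
#    what lets an NTLM logon at IIS still become a Kerberos ticket for the share.
$computer = [ADSI]"LDAP://CN=$($iisHost.ToUpper()),CN=Computers,$domainDn"

$ADS_PROPERTY_APPEND            = 3          # IADs::PutEx control code
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition
$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl: unconstrained (never set here)

$targets = @("cifs/$fileHost", "cifs/$fileHost.$fqdnSuffix")
$computer.PutEx($ADS_PROPERTY_APPEND, 'msDS-AllowedToDelegateTo', $targets)

$uac = [int]$computer.Get('userAccountControl')
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    # Unconstrained delegation would let server_b impersonate users to ANY
    # service; refuse to layer constrained settings on top of that.
    throw "$iisHost is trusted for unconstrained delegation; remove that first."
}
$computer.Put('userAccountControl', ($uac -bor $TRUSTED_TO_AUTH_FOR_DELEGATION))
$computer.SetInfo()

# 3) Metabase side, equivalent to the GUI choices in the question: keep
#    pass-through enabled on the vdir and make sure Negotiate (Kerberos) is
#    offered ahead of NTLM for the site.
$adsutil = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"
cscript //nologo $adsutil SET W3SVC/1/ROOT/remote/UNCAuthenticationPassthrough TRUE
cscript //nologo $adsutil SET W3SVC/1/NTAuthenticationProviders "Negotiate,NTLM"
iisreset

# 4) Verify: only the two CIFS targets should be listed, the 0x1000000 bit
#    should be set and 0x80000 should be clear.
$computer.RefreshCache()
$computer.Get('msDS-AllowedToDelegateTo')
'userAccountControl = 0x{0:X}' -f [int]$computer.Get('userAccountControl')
```

Two caveats a practitioner would want. First, delegation follows the identity the worker process actually runs as: if the application pool uses a custom domain account, the HTTP SPNs and the delegation attributes belong on that user object, not on SERVER_B$, and the example's LDAP path must point there. Second, protocol transition is powerful: once it is on, server_b can obtain tickets to cifs/server_a as any domain user without that user ever authenticating to it, so keep the target list limited to exactly the services the vdir needs and treat the IIS host as an account-compromise risk for everything on that list. The answer's fallback of Basic Authentication hands IIS the plaintext password; if that route is ever taken it belongs behind TLS only.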


