IIS redirect to UNC - "You are not authorized to view this page" error

Posted on 2006-07-05
Last Modified: 2008-01-09


IIS virtual directory 'connect as' to network location on another server.  The UNC is '\\I95\it\HR'.  IIS 'connect as' user is a domain account called IISUser.  This user has been given read and execute, list, and read permissions on the HR folder.

I can access this page - http://hr/managers.shtml and then there are links like the following, http://hr/Managers/Pre-Self%20Identity%20Form.PDF, which point to the 'Managers' sub folder in the HR directory.

When I click a link I get prompted with a 'Connecting to' login prompt 3 times, and when I use an account that does have access via NTFS - I still get an error message saying:

"You are not authorized to view this page"

This folder '..\Managers' has been secured using NTFS permissions so that only domain users in the correct GBL groups have access to the docs and pdfs that are linked.

Can someone tell me why IE is not passing the current user token so that if people are in the right groups they will be able to access this location?  Or, if the user must be prompted, why is their domain credential not allowing them to access/open the docs and pdfs that are linked.

Is this an issue with the IIS security setting or the NTFS permissions?



Question by:baze68

Author Comment

by:baze68
ID: 17045640
Okay, so this appears to be NTFS related, not IIS.  When I give the 'connect as' IISUser account NTFS read/list permissions on the 'managers' folder/file - everything works.

BUT, I don't want everyone to be able to access/pull the files from that folder.  So how do I set up the NTFS permissions and the IIS authentication on the 'Managers' virtual directory to allow access to just the users in the GBL groups that I have granted NTFS permissions?

Thanks in advance for your help.


Expert Comment

by:Dave_Dietz
ID: 17048182
This issue is related to what credentials IIS is passing to the UNC share and the NTFS permissions set on the shared content.

When you set a 'connect as' user ID *all* access to the share will be based on the 'connect as' user's credentials, however there are ways of having IIS pass the accessing user's credentials instead.

What version of IIS are you using?

Dave Dietz

Author Comment

by:baze68
ID: 17049675
Dave,

Thanks for responding.  This is IIS 5 running on a Windows 2000 (SP4) server.  The content is being housed on a Windows 2000 server also.  Windows 2000 native Active Directory domain.

Regards,
Patrick

Accepted Solution

by: Dave_Dietz (earned 500 total points)
ID: 17050308
http://support.microsoft.com/?id=214806
How to Enable Pass-through Authentication for UNC Virtual Directories

This article should get you up and running.

Let me know if any of it is not clear or if you run into problems with it and I'll be happy to help.  :-)

Dave Dietz

Author Comment

by:baze68
ID: 17051025
Dave,

I looked over the linked document, but have not implemented that yet.  I have made some progress, but maybe I still need to follow those instructions also.  Below is what I have done and what happens now:

On the 'Managers' virtual directory (..\Managers), I have unchecked 'Anonymous Access' and enabled ONLY 'Basic authentication'.  Now when I click a link that points to a file in that folder - i.e. 'http://hr/Managers/FORM%20HR%20NEW%20HIRE.doc' I get the username/password prompt.  If I put in a domain username/password that has NTFS permissions to that folder/file I can access it.  So this appears to be working correctly.

1.  Is there a way that IE can pass the currently logged on users' credentials so that they don't have to enter their username/password?  If so, is that what the linked document you sent does?

Thanks for your help,
Patrick

Author Comment

by:baze68
ID: 17051811
Interesting, the '..\Managers' folder has NTFS permissions that allow the 'Connect As' user (which is a domain user account called 'IISUser') to read/execute, list, and read.  There are also 3 global security groups that have been given the same access, and those groups have the user accounts that we want to allow to access that folder.

So with the IIS authentication set to 'Basic auth', it prompts for username/password...even though the IIS 'connect as' user has access.  I assume that when you remove anonymous auth on that virtual directory that the 'connect as' user doesn't get used as the connecting credentials?


Expert Comment

by:Dave_Dietz
ID: 17053421
>>Is there a way that IE can pass the currently logged on users' credentials so that they don't have to enter their username/password?  

Yes, but that is client configuration and cannot be forced from the server side.  You can tell IE to send the logged in users credentials to sites in a particular zone (Intranet, Internet, etc) and it will automatically respond to Basic auth.

>>If so, is that what the linked document you sent does?

No.  :-)

>>I assume that when you remove anonymous auth on that virtual directory that the 'connect as' user doesn't get used as the connecting credentials?

You would assume incorrectly.  What this does is it causes IIS to ask the user for credentials to access the virtual directory.  Once the user has provided valid credentials IIS will then use the 'connect as' user credentials to access the actual contents of the virtual directory.

For this to work properly you will need to go through the document and make the changes to the Metabase to enable PassThrough authentication.

If this is all within an Active Directory domain (users, computers and servers all in the same domain) you could try using Kerberos Delegation.  It is a little trickier to set up and absolutely will not work across the internet but it doesn't prompt for credentials.  I would suggest trying with Basic Passthrough first and then if circumstances dictate you may want to experiment with Kerberos.

Dave Dietz

Expert Comment

by:Silvers5
ID: 17056240
It seems you are in the same LAN. If the server is joined to the domain, then in IIS use integrated authentication; this will auto-logon users to the UNC if they have permissions on that UNC. If they get a popup and later they log in after setting the credentials, then in IE go to Tools > Internet Options > Security, change the Internet custom level (click on the button), scroll to the bottom and select 'Automatically logon using current username and password'.
You can set this in a group policy object if you want it automatically propagated to all domain users.

regards
Michel
IIS MVP,MCDBA,MCAD,MCSA,CCNA
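Both Dave and Michel point at IE's "Automatically logon with current user name and password" zone option. The PowerShell below is an added example, not code from either of them or from the original thread: it puts the single-label host hr from the question into the Local intranet zone and sets the per-zone Logon option through the same registry values IE reads, so the domain credential is sent automatically to intranet sites only and never to the Internet zone. Two caveats a practitioner should know: this option governs how IE answers NTLM/Negotiate (integrated) challenges, and a Basic challenge, which is what the pass-through configuration later in the thread uses, always prompts; and changing the Internet zone to "Automatic" would send domain credentials to any external site that asks. Assumptions: the host name hr, the current user's profile (HKCU), and that the GPO equivalent Michel mentions is "Site to Zone Assignment List" plus the per-zone Logon options under Internet Explorer > Internet Control Panel > Security Page.

```powershell
# Added example (not from the thread). Zone numbers: 0 My Computer, 1 Local
# intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# Value 1A00 ("Logon options") in each zone key:
#   0x00000  Automatic logon with current user name and password
#   0x10000  Prompt for user name and password
#   0x20000  Automatic logon only in Intranet zone
#   0x30000  Anonymous logon
# Host name 'hr' comes from the question; everything else is an assumption.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$LogonMode = @{
    Automatic    = 0x00000
    Prompt       = 0x10000
    IntranetOnly = 0x20000
    Anonymous    = 0x30000
}

function Add-IntranetSite {
    # Maps a host name to zone 1 (Local intranet) for the http scheme.
    # For a single-label name the key is Domains\<host>; for an FQDN such as
    # hr.example.com it would be Domains\example.com\hr.
    param([string]$HostName)
    $key = Join-Path $ZoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'http' -Value 1 -Type DWord
    return (Get-ItemProperty -Path $key -Name 'http').http
}

function Set-ZoneLogon {
    param([int]$Zone,
          [ValidateSet('Automatic','Prompt','IntranetOnly','Anonymous')][string]$Mode)
    $key = Join-Path $ZonesKey $Zone
    Set-ItemProperty -Path $key -Name '1A00' -Value $LogonMode[$Mode] -Type DWord
}

function Get-ZoneLogon {
    # Returns the mode name for a zone, so the current state can be audited.
    param([int]$Zone)
    $raw = (Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name '1A00').'1A00'
    foreach ($name in $LogonMode.Keys) { if ($LogonMode[$name] -eq $raw) { return $name } }
    return "Unknown(0x{0:X})" -f $raw
}

# --- usage ---
Add-IntranetSite -HostName 'hr' | Out-Null
Set-ZoneLogon -Zone 1 -Mode Automatic     # intranet: answer NTLM/Negotiate silently
Set-ZoneLogon -Zone 3 -Mode IntranetOnly  # Internet: never hand out domain credentials

foreach ($z in 1, 3) { "{0} -> {1}" -f $z, (Get-ZoneLogon -Zone $z) }
```

If the HR site is reached by a fully qualified name, map that name instead of hr; IE only treats plain single-label names as intranet automatically. To roll this out domain-wide, the same two settings are exposed as Group Policy (Site to Zone Assignment List, and the Intranet Zone / Internet Zone "Logon options" policies), which is the route Michel describes.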

Author Comment

by:baze68
ID: 17058871
Dave,

Hmm, this is interesting.  Things seem to be working without setting up the Pass-through Authentication.  Users are getting prompted, and if they are not in the global security groups with NTFS permissions on the '..\Managers' folder they don't have access.  If they are in the right NTFS security groups they are granted access.

>> What this does is it causes IIS to ask the user for credentials to access the virtual directory.  Once the user has provided valid credentials IIS will then use the 'connect as' user credentials to access the actual contents of the virtual directory.

Based on my comment above - when IIS asks for user credentials to access the virt dir, it must take those and check the NTFS permissions first, and THEN if the user is allowed to access it must use the IIS 'connect as' user.  Is this correct?

If this is correct, then why would I need to use the Pass-through Authentication?

Author Comment

by:baze68
ID: 17131116
Dave,

I am finally going thru the 'pass thru auth' document, but my IIS 5 server does not have the 'Adminsamples' directory listed in step 5, below:

5.      Open a command prompt, and change to the %systemroot%\System32\Inetsrv\Adminsamples directory. (Note: %systemroot% is usually winnt on most systems).

Thoughts/tips?

Thanks,
Patrick

Author Comment

by:baze68
ID: 17131191
Dave,

Okay, so I am also confused by Step 6.

6.      At the prompt, type the following:
adsutil set w3svc/#/root/*vdir*/UNCUserName ""
(where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)

How do I find out what the # of the web site is?  I have 11 web sites hosted on this IIS server currently.

The 'Managers' virtual directory that I am attempting to set up the pass thru auth on, is actually a virt dir under the human resources web site folder.  The human resources web site is actually a share located on another computer - so the home directory for that folder is '\\I95\it\HR'.   So is the virt dir going to be "../root/Managers/..." ?

Sorry to need such specifics.

Thanks,
Patrick

Expert Comment

by:Dave_Dietz
ID: 17131974
The easiest way to find the site identifier in IIS 5 is to open the web site properties, click on 'properties...' in the logging section near the bottom and then look at the log file name at the bottom of the window that comes up.  The name will be something like W3SVC1\exyymmdd.log.  The '1' in W3SVC1 is the site identifier number you will want to use.

Assuming that the web site identifier is 1 the command line will look like the following:

adsutil set w3svc/1/root/managers/UNCUserName ""

The command doesn't care where the content is located physically, just where it resides in the Metabase.

Dave Dietz

Author Comment

by:baze68
ID: 17132311
Okay, so what if I don't have the 'Adminsamples' directory listed at the location they are describing?  I assume I just need to locate/install the adsutil tool?  Suggestions on this?

Author Comment

by:baze68
ID: 17132405
Okay, I found adsutil in 'C:\Inetpub\AdminScripts'

Author Comment

by:baze68
ID: 17132446
Okay, so when I ran the command - I get this error:

C:\Inetpub\AdminScripts>adsutil set w3svc/11/root/managers/UNCUserName ""

ErrNumber: -2147463162 (0x80005006)
Error Trying To SET the Property: UNCUserName

Any ideas?

Expert Comment

by:Dave_Dietz
ID: 17132634
I just reread the description and it sounds like the root of the website is actually pointing to a UNC path.

Try the command again but leave out the vdir name - it is likely inheriting the information from the root:

adsutil set w3svc/11/root/UNCUserName ""

Dave Dietz

Author Comment

by:baze68
ID: 17132797
Okay, well this time it appears to have taken the command - see below:

C:\Inetpub\AdminScripts>adsutil set w3svc/11/root/UNCUserName ""
UNCUserName                     : (STRING) ""

Now I just need to go finish the steps in the document and see if things are working.

Author Comment

by:baze68
ID: 17132882
Dave,

Well...I completed the steps in the article and stopped/restarted IIS.  It appears that the pass thru auth is now working, BUT...and this is a BIG BUT...the pass thru auth is now on the 'root' of the HR website.  So I guess the command really did need to be placed on the ./Managers virt directory.

I don't really need the entire HR site to be password protected - just the Managers section.  Any idea how I can reverse the steps and get it back to the old way?

Then, we will need to figure out why I got the error when I tried to run the command against the Managers virt dir?

Thanks,
Patrick

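The last three exchanges (finding the site identifier, the 0x80005006 error on w3svc/11/root/managers, and pass-through landing on the site root instead of the Managers directory) are what the added PowerShell below works through. It is not code from the thread or from KB 214806; it makes the same IIS ADSI calls that adsutil.vbs makes. Assumptions: the IIS ADSI provider is available (IIS 5/6, or IIS 7+ with "IIS 6 Management Compatibility"), the script runs elevated on the web server, and the HR site's comment in the IIS MMC is 'Human Resources' (the thread shows its identifier is 11, so you can also set $siteId = '11' directly). The original Windows 2000 server has no PowerShell, so on that box the adsutil commands in the thread remain the way to type this; the logic is the same. Two points the thread leaves open are checked here: UNCUserName is only defined on IIsWebVirtualDir nodes, and 0x80005006 is E_ADS_PROPERTY_NOT_SUPPORTED, which is what you get when Managers is a physical subfolder that the MMC turned into an IIsWebDirectory node rather than a real virtual directory; and pass-through needs Basic on and Anonymous off, because an NTLM token cannot be forwarded to the file server (the second hop).

```powershell
# Added example, not code from the thread or from KB 214806. Lists site
# identifiers, checks the target node class, clears UNCUserName so IIS uses
# the authenticated user's credentials, and shows how to undo the root-level
# change and how to create a real virtual directory for 'Managers'.

$Server = 'localhost'   # assumption: run on the web server itself

function Get-IisSites {
    # Each IIsWebServer child of W3SVC is a site; its Name is the numeric id
    # seen in the W3SVC<id> log folder and in adsutil paths such as w3svc/11/root.
    $w3svc = [ADSI]"IIS://$Server/W3SVC"
    foreach ($child in $w3svc.psbase.Children) {
        if ($child.psbase.SchemaClassName -eq 'IIsWebServer') {
            New-Object PSObject -Property @{
                Id      = $child.psbase.Name
                Comment = [string]$child.psbase.Properties['ServerComment'].Value
            }
        }
    }
}

function Enable-IisUncPassthrough {
    param([string]$SiteId, [string]$VdirPath)   # VdirPath e.g. 'Root/Managers'
    $node  = [ADSI]"IIS://$Server/W3SVC/$SiteId/$VdirPath"
    $class = $node.psbase.SchemaClassName
    # UNCUserName (like Path) exists only on IIsWebVirtualDir. Setting it on an
    # IIsWebDirectory (an MMC-configured physical subfolder) fails with
    # 0x80005006, E_ADS_PROPERTY_NOT_SUPPORTED, the error shown in the thread.
    if ($class -ne 'IIsWebVirtualDir') {
        throw "$VdirPath is an $class node, not a virtual directory; UNCUserName cannot be set here"
    }
    # AuthFlags bits: 1 Anonymous, 2 Basic, 4 NTLM. Pass-through needs the
    # caller's own password at IIS, so Basic must be on and Anonymous off.
    $flags = [int]$node.psbase.Properties['AuthFlags'].Value
    if ((($flags -band 2) -eq 0) -or (($flags -band 1) -ne 0)) {
        Write-Warning ("AuthFlags={0}; expected Basic on and Anonymous off for pass-through" -f $flags)
    }
    $node.Put('UNCUserName', '')   # empty = use the authenticated user's credentials
    $node.SetInfo()
    $node.psbase.RefreshCache()
    return [string]$node.psbase.Properties['UNCUserName'].Value   # "" on success
}

function Set-IisUncConnectAs {
    # Undo: put a fixed 'connect as' account back on a node (the thread's
    # root-level mistake). The password comes from a PSCredential, not the script.
    param([string]$SiteId, [string]$VdirPath,
          [System.Management.Automation.PSCredential]$Credential)
    $node = [ADSI]"IIS://$Server/W3SVC/$SiteId/$VdirPath"
    $node.Put('UNCUserName', $Credential.UserName)
    $node.Put('UNCPassword', $Credential.GetNetworkCredential().Password)
    $node.SetInfo()
}

function New-IisUncVirtualDir {
    # Create a real IIsWebVirtualDir under the site root so UNCUserName and the
    # authentication settings can be scoped to it, independent of the root.
    param([string]$SiteId, [string]$Name, [string]$UncPath)
    $root = [ADSI]"IIS://$Server/W3SVC/$SiteId/Root"
    # A same-named IIsWebDirectory node (per-folder settings made in the MMC)
    # blocks the create; collect first, then delete, rather than deleting
    # while enumerating. Its per-folder settings go with it.
    $stale = @($root.psbase.Children | Where-Object {
        $_.psbase.Name -eq $Name -and $_.psbase.SchemaClassName -eq 'IIsWebDirectory' })
    foreach ($s in $stale) { $root.Delete('IIsWebDirectory', $Name) }
    $vdir = $root.Create('IIsWebVirtualDir', $Name)
    $vdir.Put('Path', $UncPath)
    $vdir.SetInfo()
    return $vdir
}

# --- usage ---
Get-IisSites | Format-Table Id, Comment -AutoSize
$siteId = (Get-IisSites | Where-Object { $_.Comment -eq 'Human Resources' }).Id

try {
    Enable-IisUncPassthrough -SiteId $siteId -VdirPath 'Root/Managers'
} catch {
    Write-Warning $_
    # Managers is only a physical subfolder: make it a virtual directory first
    # (UNC path follows the question's \\I95\it\HR share), then retry.
    New-IisUncVirtualDir -SiteId $siteId -Name 'Managers' -UncPath '\\I95\it\HR\Managers' | Out-Null
    Enable-IisUncPassthrough -SiteId $siteId -VdirPath 'Root/Managers'
}

# Reverse the accidental root-level change ('DOMAIN\IISUser' is an assumed name):
# Set-IisUncConnectAs -SiteId $siteId -VdirPath 'Root' -Credential (Get-Credential 'DOMAIN\IISUser')
```

Once Managers is its own virtual directory, the root of the HR site keeps the IISUser connect-as account and anonymous access, while Managers carries Basic-only authentication and an empty UNCUserName, so only callers who authenticate with an account in the NTFS-permitted groups can read that folder. Restart IIS afterwards as the KB article does, and keep Basic authentication behind TLS, since the user's password crosses the wire in the clear otherwise.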