baze68

asked:
IIS redirect to UNC - "You are not authorized to view this page" error



IIS virtual directory 'connect as' to network location on another server.  The UNC is '\\I95\it\HR'.  IIS 'connect as' user is a domain account called IISUser.  This user has been given read and execute, list, and read permissions on the HR folder.

I can access this page - http://hr/managers.shtml and then there are links like the following, http://hr/Managers/Pre-Self%20Identity%20Form.PDF, which point to the 'Managers' sub folder in the HR directory.

When I click a link I get prompted with a 'Connecting to' login prompt 3 times, and when I use an account that does have access via NTFS - I still get an error message saying:

"You are not authorized to view this page"

This folder '..\Managers' has been secured using NTFS permissions so that only domain users in the correct GBL groups have access to the docs and pdfs that are linked.

Can someone tell me why IE is not passing the current user token so that if people are in the right groups they will be able to access this location?  Or, if the user must be prompted, why is their domain credential not allowing them to access/open the docs and pdfs that are linked.

Is this an issue with the IIS security setting or the NTFS permissions?



baze68

ASKER

Okay, so this appears to be NTFS related, not IIS.  When I give the 'connect as' IISUser account NTFS read/list permissions on the 'managers' folder/file - everything works.

BUT, I don't want everyone to be able to access/pull the files from that folder.  So how do I set up the NTFS permissions and the IIS authentication on the 'Managers' virtual directory to allow access to just the users in the GBL groups that I have granted NTFS permissions?

Thanks in advance for your help.

This issue is related to what credentials IIS is passing to the UNC share and the NTFS permissions set on the shared content.

When you set a 'connect as' user ID *all* access to the share will be based on the 'connect as' user's credentials, however there are ways of having IIS pass the accessing user's credentials instead.

What version of IIS are you using?

Dave Dietz
baze68

ASKER

Dave,

Thanks for responding.  This is IIS 5 running on a Windows 2000 (SP4) server.  The content is being housed on a Windows 2000 server also.  Windows 2000 native Active Directory domain.

Regards,
Patrick
ASKER CERTIFIED SOLUTION
Dave_Dietz

This solution is only available to members.
baze68

ASKER

Dave,

I looked over the linked document, but have not implemented that yet.  I have made some progress, but maybe I still need to follow those instructions also.  Below is what I have done and what happens now:

On the 'Managers' virtual directory (..\Managers), I have unchecked 'Anonymous Access' and enabled ONLY 'Basic authentication'.  Now when I click a link that points to a file in that folder - i.e. 'http://hr/Managers/FORM%20HR%20NEW%20HIRE.doc' I get the username/password prompt.  If I put in a domain username/password that has NTFS permissions to that folder/file I can access it.  So this appears to be working correctly.

1.  Is there a way that IE can pass the currently logged on user's credentials so that they don't have to enter their username/password?  If so, is that what the linked document you sent does?

Thanks for your help,
Patrick
baze68

ASKER

Interesting, the '..\Managers' folder has NTFS permissions that allow the 'Connect As' user (which is a domain user account called 'IISUser') to read/execute, list, and read.  There are also 3 global security groups that have been given the same access, and those groups have the user accounts that we want to allow to access that folder.

So with the IIS authentication set to 'Basic auth', it prompts for username/password...even though the IIS 'connect as' user has access.  I assume that when you remove anonymous auth on that virtual directory that the 'connect as' user doesn't get used as the connecting credentials?

>>Is there a way that IE can pass the currently logged on user's credentials so that they don't have to enter their username/password?

Yes, but that is client configuration and cannot be forced from the server side.  You can tell IE to send the logged in users credentials to sites in a particular zone (Intranet, Internet, etc) and it will automatically respond to Basic auth.

>>If so, is that what the linked document you sent does?

No.  :-)

>>I assume that when you remove anonymous auth on that virtual directory that the 'connect as' user doesn't get used as the connecting credentials?

You would assume incorrectly.  What this does is it causes IIS to ask the user for credentials to access the virtual directory.  Once the user has provided valid credentials IIS will then use the 'connect as' user credentials to access the actual contents of the virtual directory.

For this to work properly you will need to go through the document and make the changes to the Metabase to enable PassThrough authentication.

If this is all within an Active Directory domain (users, computers and servers all in the same domain) you could try using Kerberos Delegation.  It is a little trickier to set up and absolutely will not work across the internet but it doesn't prompt for credentials.  I would suggest trying with Basic Passthrough first and then if circumstances dictate you may want to experiment with Kerberos.

Dave Dietz
Michel Sakr
It seems you are on the same LAN. If the server is joined to the domain, then in IIS use Integrated authentication; this will automatically log users on to the UNC if they have permissions on that UNC. If they get a popup and can log in after entering the credentials, then in IE go to Tools > Internet Options > Security, change the Internet custom level (click on the button), scroll to the bottom and select 'automatically logon using current username and password'.
You can set this in a Group Policy object if you want it automatically propagated to all domain users.

regards
Michel
IIS MVP,MCDBA,MCAD,MCSA,CCNA
baze68

ASKER

Dave,

Hmm, this is interesting.  Things seem to be working without setting up the Pass-through Authentication.  Users are getting prompted, and if they are not in the global security groups with NTFS permissions on the '..\Managers' folder they don't have access.  If they are in the right NTFS security groups they are granted access.

>> What this does is it causes IIS to ask the user for credentials to access the virtual directory.  Once the user has provided valid credentials IIS will then use the 'connect as' user credentials to access the actual contents of the virtual directory.

Based on my comment above - when IIS asks for user credentials to access the virt dir, it must take those and check the NTFS permissions first, and THEN if the user is allowed to access it must use the IIS 'connect as' user.  Is this correct?

If this is correct, then why would I need to use the Pass-through Authentication?
baze68

ASKER

Dave,

I am finally going thru the 'pass thru auth' document, but my IIS 5 server does not have the 'Adminsamples' directory listed in step 5, below:

5.      Open a command prompt, and change to the %systemroot%\System32\Inetsrv\Adminsamples directory. (Note: %systemroot% is usually winnt on most systems).

Thoughts/tips?

Thanks,
Patrick
baze68

ASKER

Dave,

Okay, so I am also confused by Step 6.

6.      At the prompt, type the following:
adsutil set w3svc/#/root/*vdir*/UNCUserName "" 
(where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)

How do I find out what the # of the web site is?  I have 11 web sites hosted on this IIS server currently.

The 'Managers' virtual directory that I am attempting to set up the pass thru auth on, is actually a virt dir under the human resources web site folder.  The human resources web site is actually a share located on another computer - so the home directory for that folder is '\\I95\it\HR'.   So is the virt dir going to be "../root/Managers/..." ?

Sorry to need such specifics.

Thanks,
Patrick
The easiest way to find the site identifier in IIS 5 is to open the web site properties, click on 'properties...' in the logging section near the bottom and then look at the log file name at the bottom of the window that comes up.  The name will be something like W3SVC1\exyymmdd.log.  The '1' in W3SVC1 is the site identifier number you will want to use.

Assuming that the web site identifier is 1 the command line will look like the following:

adsutil set w3svc/1/root/managers/UNCUserName ""

The command doesn't care where the content is located physically, just where it resides in the Metabase.

Dave Dietz
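As an added example, and not a script from the thread, from Dave, or from the Microsoft document being followed, the batch file below walks the same steps with cscript so the output lands in the console: it enumerates the sites under W3SVC so the identifier can be matched to a site name, reads the KeyType and UNCUserName of both the site root and the 'managers' node to show which metabase node actually carries the property, clears UNCUserName on the node that owns it (the pass-through step), and finally shows how to put the 'connect as' account back if the change has to be reversed. It goes slightly beyond the thread by including the enumeration and the reversal. The site number 11, the vdir name managers, the domain name DOMAIN and the C:\Inetpub\AdminScripts path are placeholders standing in for the values found on your own server; the comment about a plain directory node not accepting UNC properties is my reading of the 0x80005006 error, not something the thread confirms.

```batch
@echo off
setlocal
rem Added example, not part of the original thread. adsutil.vbs location as
rem found earlier in this thread; adjust if yours differs.
cd /d C:\Inetpub\AdminScripts

rem 1. List the site nodes under W3SVC, one per site (e.g. [/W3SVC/1], [/W3SVC/11]).
rem    /P prints only the child paths without dumping every property.
echo === Sites under W3SVC ===
cscript //nologo adsutil.vbs ENUM /P W3SVC

rem 2. Confirm the number by reading the site's friendly name (ServerComment).
rem    11 is a placeholder for the site identifier found in step 1.
echo === ServerComment of site 11 ===
cscript //nologo adsutil.vbs GET W3SVC/11/ServerComment

rem 3. Show which node owns the UNC credentials. KeyType tells you whether a
rem    node is an IIsWebVirtualDir (carries its own UNCUserName) or a plain
rem    directory node that only inherits from its parent. A node that does not
rem    support the property is, in my reading, what produces error 0x80005006.
echo === Site root ===
cscript //nologo adsutil.vbs GET W3SVC/11/ROOT/KeyType
cscript //nologo adsutil.vbs GET W3SVC/11/ROOT/UNCUserName
echo === managers node ===
cscript //nologo adsutil.vbs GET W3SVC/11/ROOT/managers/KeyType
cscript //nologo adsutil.vbs GET W3SVC/11/ROOT/managers/UNCUserName

rem 4. Pass-through step: clear UNCUserName on the node that owns it so IIS
rem    stops substituting the 'connect as' account for the authenticated user.
rem    Uncomment whichever line matches the node reported in step 3.
rem cscript //nologo adsutil.vbs SET W3SVC/11/ROOT/UNCUserName ""
rem cscript //nologo adsutil.vbs SET W3SVC/11/ROOT/managers/UNCUserName ""

rem 5. Reversal: restore the 'connect as' account on the root. DOMAIN\IISUser
rem    is a placeholder. After this, re-enter the password in the IIS MMC
rem    'Connect As' dialog so UNCPassword is set again alongside UNCUserName.
rem cscript //nologo adsutil.vbs SET W3SVC/11/ROOT/UNCUserName "DOMAIN\IISUser"

endlocal
```

Run the GET lines first and leave the SET lines commented until the output shows which node reports its own UNCUserName; changing the root of an entire site, as happened later in this thread, affects every directory that inherits from it, whereas the 'managers' node only affects the protected section.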
baze68

ASKER

Okay, so what if I don't have the 'Adminsamples' directory listed at the location they are describing?  I assume I just need to locate/install the adsutil tool?  Suggestions on this?
baze68

ASKER

Okay, I found adsutil in 'C:\Inetpub\AdminScripts'
baze68

ASKER

Okay, so when I ran the command - I get this error:

C:\Inetpub\AdminScripts>adsutil set w3svc/11/root/managers/UNCUserName ""

ErrNumber: -2147463162 (0x80005006)
Error Trying To SET the Property: UNCUserName

Any ideas?
I just reread the description and it sounds like the root of the website is actually pointing to a UNC path.

Try the command again but leave out the vdir name - it is likely inheriting the information from the root:

adsutil set w3svc/11/root/UNCUserName ""

Dave Dietz
baze68

ASKER

Okay, well this time it appears to have taken the command - see below:

C:\Inetpub\AdminScripts>adsutil set w3svc/11/root/UNCUserName ""
UNCUserName                     : (STRING) ""

Now I just need to go finish the steps in the document and see if things are working.
baze68

ASKER

Dave,

Well...I completed the steps in the article and stopped/restarted IIS.  It appears that the pass thru auth is now working, BUT...and this is a BIG BUT...the pass thru auth is now on the 'root' of the HR website.  So I guess the command really did need to be placed on the ./Managers virt directory.

I don't really need the entire HR site to be password protected - just the Managers section.  Any idea how I can reverse the steps and get it back to the old way?

Then, we will need to figure out why I got the error when I tried to run the command against the Managers virt dir?

Thanks,
Patrick