IIS Virtual Directory to access UNC Share

Posted on 2007-10-19
Last Modified: 2011-01-09
I've seen a few variations of this question here but I can't seem to get this to work.

I have a webserver running IIS 6 and an SBS2003 server that I want to use to share a folder. This folder will be used to store sensitive personal files inside our DMZ. The share should be set up as a Virtual Directory under the web site root.

What I tried was:

On the SBS2003 server:
1. Created a new user account on the SBS2003 server with username = webapp
2. Create the folder to be shared.
3. Modified permissions on the folder to give full access to the webapp user
4. Shared the folder as WebApp_Files
5. Modified the share permissions to give full access to the webapp user

On the IIS Web server:
1. Created a new Virtual Directory
2. Set the alias to "files"
3. Set the path to \\sbs2003name\WebApp_Files
4. Set the security credentials. Unchecked the "always use the authenticated user..." checkbox and entered the username and password for the webapp user on the SBS2003 machine
5. Set virtual directory access permissions to Read and Write

I can explore this virtual directory from within the IIS manager but when I try to serve a file from this path in the web application I get HTTP Error 500.

I get the idea from other stuff that I have read that this might be because IIS is trying to access the path using the anonymous user rather than the user that I have given permissions to (i.e. webapp).

I would rather find a way to force IIS to use this account to access the folder than create privileges for the IUSR account on the SBS server since I have a number of web applications that will need individual shares on this machine and I want to separate their permissions.

I am an developer rather than an IIS or SBS guru so I am floundering a little here. Please help!

Question by:CSB00001
    LVL 15

    Expert Comment

    Please try this out: -
    Go to IIS -> Website-> properties -> Home Directory -> Check "Remote Location" -> Find option "Connect as"-> Use Domain/webapp and its password to connect to that share.
    It will solve the issue. Also if it a secure data then go to IIS -> website -> Properties -> Security -> Check "always use the authenticated user".

    Kindly let me know version of and exact error you are receiving,  if you still get any error while connecting share folder.
    LVL 1

    Expert Comment

    Just change anonymous user/pass with "webapp" in IIS and check integrated security below.
    Then IIS will use this credential when accessing SBS.
    Wish good luck

    Author Comment

    Thank you for your responses but perhaps I didn't make this as clear as I should have. I am not hosting the entire site on the file server - only one virtual directory within the site. I can't set the anonymous user/pass on the web site to the webapp user as this account does not exist on the web server. As I understand it, when using forms authentication, access to the site directories etc is always made using this anonymous user.

    I created the virtual directory as "A share located on another computer" and specified that it should connect as the webapp user. Connection seems to be made okay and the permissions would seem to be fine for this user since I can navigate into this folder within the IIS Manager and see it's contents.

    However, navigating (via the browser) to any of the links that should retrieve or display files from the file system (there are some PDF docs for example) results in HTTP Error 500.

    My theory is that the virtual directory is "connected" using the webapp user that I specified in the virtual directory properties but, at request time, the web server is attempting to read these files using the access rights of the anonymous user which, naturally, has none.

    This is not an ASP error since there are no aspx pages etc on the file server (only text/binary content).
    LVL 1

    Expert Comment

    Would you like to check events log ?

    Author Comment

    I seem to have this working so thought I should document what I tried and the corresponding results in case someone else is trying to do this (can I possibly be the only person in the world who needs to make this work?)

    Achieving this has been a major nightmare as the Virtual Directory access does not appear to work exactly the way that the (minimal) documentation states.

    I had planned to create a new user account on the SBS2003 server and remove access permissions for all but this account from the physical folder as well as the logical share. The Virtual Directory properties of the web site would be set to access this share using the credentials of the SBS2003 user account. In effect, the web server would connect to and access this special folder using the supplied credentials even though the 'anonymous' IUSR account is being used to access the files (I'm using forms authentication).

    In practice, this resulted in HTTP Error 500 saying that the page does not exist. This seemed strange since the contents of the file system could be explored within the IIS manager. The Virtual Directory seemed to be mounted correctly (in Unix speak) but was not visible to the web server for some reason.

    All documentation that I could find was very superficial and implementation instructions did not contradict anything that I had done.

    I tried opening up the permissions on the SBS2003 server so that anybody could connect to this share. I tried various access tests from the web server by performing "map network drive" from this share using a variety of user credentials and was always able to connect to and browse the file system. Still received Error 500 when browsing however.

    I then checked the IIS Metabase (using cscript and adsutils.vbs get ....) to verify that the credentials being used for the virtual directory matched the credentials that I entered into the properties dialog. These settings did, in fact, match. I examined the event log security entries on the web server and it appeared to me that the connection to the SBSServer was being completed (i.e. no error) as the IUSR account using the remote account credentials. This should (in my humble opinion) have meant that the files are available to be served by the web server.

    I then checked the permissions settings in IIS Manager for this Virtual Directory. These settings appear to be published by the SBS2003 server and can't be set within the IIS Manager for this folder as you would do for 'normal' web app subfolders. The IUSR account is not listed in these permissions so it makes sense in a weird way that the contents of this folder are not visible to the anonymous user account. But how can you possibly give this account access? This account exists only on the web server (not on the SBS2003 server) ... am I supposed to create a mirror of this account on the SBS2003 server as well? I don't even know the password for this account and I don't want to go changing this on the web server just so I could enter the same credentials on the SBS2003 Server! (These 2 machines do not belong to a domain).

    I then tried changing the Virtual Directory 'connect as' settings to my personal (administrator) account which exists on both machines. The page was found! What's different? I tried (lots of) combinations of account security settings for the remote account in case the difference was some sort of remote access permissions. Even tried deleting the SBS2003 user and re-creating it as an administrator to see if this made it work. No difference. Based on those results I theorised that the problem is at the web server end. What is different there? Well ... the remote user did not have an account on the web server.

    I tried creating a matching account on the web server for this user. Set the Virtual Directory to use this account again and, magically, everything now worked. I went back and clamped down permissions on the SBS2003 server so that only the new user account had full access to the files and no other user had permissions on the shared folder. Everything still works.

    It seems like the critical step was to have a local account that matches the remote account. Don't know why. Perhaps the IIS permissions settings don't allow access to this folder if the designated remote user account does not match a local user even though we have specified that the Virtual Directory should connect as this remote user.

    I don't know if this is a bug (it sure seems strange) or just a limitation in my understanding of how IIS and Windows access permissions are controlled and defined.

    It works for now but I sure would like to find somebody who really knows what they are doing to provide details of the correct approach for this.
    LVL 1

    Accepted Solution

    As you discovered, there's not a lot of useful documentation on UNC share configurations so let me elaborate on why your solution works...

    What you are attempting is more common in a Web Farm environment with multiple web servers sharing files from a single file server using UNC paths.  This is usually achieved with all computers belonging to the same Active Directory domain.  This is the way I would ordinarily configure a Web Farm and as long as the Share User Name is fully qualified (e.g. MYDOMAIN\ShareUserName) then the configuration works without too much trouble.

    However, your configuration involves two independent computers.  ShareUserName has no security on your local web server so it can't access key directories such as Inetpub, system files or Temporary ASP.NET Files (for the benefit of those using ASP.NET).  It appears that IIS attempts to log on locally with the user credentials BEFORE using the share with the same credentials - hence Unknown Error 500 because the user does not exist.  Unfortunately the error is not logged in the Event log !!

    I came across this same problem when using a NAS (network attached storage using FreeNAS and VMWare) device that does not belong to a Windows domain.   Rather than use a fully qualified user name, I used the simple form of ShareUserName WITHOUT the domain prefix (drop the MYDOMAIN) AND made sure ShareUserName existed both locally on the web server and on the NAS box with exactly the same password.

    In summary,

    1.  Try to have both computers on the same domain so that the user account only needs to be created once in Active Directory. OR
    2.  Where user accounts are decentralised, you MUST create accounts with EXACTLY the same credentials on the Source and Target servers.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    Using Quotation Marks in PHP This question ( seems to come up a lot for developers who are new to PHP.  And it got me thinking, "How can we explain the rule…
    If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
    Use Wufoo, an online form creation tool, to make powerful forms. Learn how to selectively show certain fields based on user input using rules to gather relevant information and data from your forms. The rules feature provides you with an opportunity…
    Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now