Solved

IIS 7 Shared Config. with a Non-Domain web server. DFS Namespace

Posted on 2008-06-19
Last Modified: 2012-05-05
I am setting up IIS7 and using shared configuration.  The shared configuration and content files are on a DFS namespace share \\mydomain\data\webSites on a Windows 2008 server core machine which is also our domain controller.

Everything worked great while I had the web server as a member of the domain.  I used a domain account as the credentials to access the DFS share.  Now, I have been told that the box will also host an Edge Transport server for Exchange 2007 which should not be on a server which is joined to a domain.

Now I have a problem as to how I set up IIS7 shared configuration.  I cannot just add a local user to the web box and use it because the same user has to be created on the server with the share (which is our domain controller).  Any user I would set up on the DC would just be a domain user.

Am I stuck?  Any ideas?

Thank you.
Question by:funehmon
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 21825530
You might be able to get away with creating a user on both the domain and locally on the server which has the same username and password in both systems. This usually works, and will still allow both users to authenticate with each other.
0
 

Author Comment

by:funehmon
ID: 21825793
That seemed to do the trick.  I still got a lot of errors when I tried to look at any of the application settings, something like "cannot use credentials of virtual directory to login to UNC path".  I had to go to my ApplicationHost.config file on the UNC share and look for all instances of my old domain user account and replace it with the new user name.

Restarted IIS Manager and all looks good.

Thanks.
0
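An added example, not part of the original thread: rather than searching applicationHost.config by hand for the old account, the PowerShell below lists every element that carries a `userName` attribute and flags those still naming the old account. The sample XML is constructed, and the account, pool and site names in it are hypothetical.

```powershell
# Constructed sample standing in for applicationHost.config on the share.
# Account, pool and site names are hypothetical.
$sample = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="SitePool">
        <processModel identityType="SpecificUser" userName="MYDOMAIN\iisShared" password="[enc:placeholder]" />
      </add>
    </applicationPools>
    <sites>
      <site name="Site1" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="\\mydomain\data\webSites\site1" userName="MYDOMAIN\iisShared" password="[enc:placeholder]" />
        </application>
        <application path="/reports">
          <virtualDirectory path="/" physicalPath="\\mydomain\data\webSites\reports" userName="iisShared" password="[enc:placeholder]" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

function Find-ConfigAccount {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string]$OldAccount
    )
    foreach ($node in $Config.SelectNodes('//*[@userName]')) {
        $user = $node.GetAttribute('userName')
        # Walk up to the root so each hit can be located in the file.
        $trail = @()
        for ($n = $node; $n -is [System.Xml.XmlElement]; $n = $n.ParentNode) {
            $id = $n.GetAttribute('name')
            if (-not $id) { $id = $n.GetAttribute('path') }
            $label = if ($id) { "$($n.LocalName)[$id]" } else { $n.LocalName }
            $trail = @($label) + $trail
        }
        [pscustomobject]@{
            Location          = $trail -join '/'
            UserName          = $user
            StillOldAccount   = ($user -ieq $OldAccount)
            HasStoredPassword = $node.HasAttribute('password')
        }
    }
}

Find-ConfigAccount -Config ([xml]$sample) -OldAccount 'MYDOMAIN\iisShared' |
    Format-List
```

Against a real file, pass `[xml](Get-Content -Raw <path to applicationHost.config>)` as `-Config`. Each hit also has its own encrypted `password` attribute, so changing the account means re-entering the password for that entry as well as the name.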
 
LVL 58

Expert Comment

by:tigermatt
ID: 21825856
Good, thanks!
0
 

Author Comment

by:funehmon
ID: 21826185
Crud...turns out that didn't work.  It only let me in because I had navigated to the UNC share from Explorer and provided domain credentials to view something else.  When I restarted the box...got the same thing.

Any other ideas?
0
 

Author Comment

by:funehmon
ID: 21826272
Even more strange is that IIS is still serving my pages and the content is on the same share as the configuration settings.  It seems that it's just IIS Manager not liking my credentials.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21826332
Whereabouts are you entering the credentials in IIS Manager?
0
 

Author Comment

by:funehmon
ID: 21830023
When I open IIS Manager and click on the server node, it says "There was an error when trying to connect. Do you want to retype your credentials and try again?" then "Details: Filename \\?\UNC\mydomain\data\Websites\administration.config....Cannot read configuration file"

If I hit yes, it says "Provide Credentials"..."Connecting to 'localhost'".  The username is a drop-down box that is empty, and a password text box.

If I navigate to the UNC share from Windows, it does prompt for credentials.  Once provided, the IIS Manager allows me to view all of my configuration settings for each site.
0
 

Author Comment

by:funehmon
ID: 21848924
Matt, any thoughts?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21848954
So what about if you enter the credentials in that popup box to log in? It might be that that is required, depending on the permissions granted over the administration.config files.
0
 

Author Comment

by:funehmon
ID: 21848993
I've tried using the domain account that everything was originally configured under.  It will not let me use any domain user (or domain admin for that fact).  It just gives an error "could not connect to the specified computer"...."error: cannot read configuration file"
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849008
What about a local user account? Does that help?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849010
You might also want to check http://support.microsoft.com/kb/934515
0
 

Author Comment

by:funehmon
ID: 21849090
Local user does the same thing. I have the same user set up on the domain and it has read/write privileges to the UNC share.

The link you provided doesn't quite fit the scenario.  IIS is serving up the pages, with no errors.  Somewhere it is configured to use credentials that are letting it get to the UNC share.

I just tried setting the UNC share up for EVERYONE to have read access.  Same error.  I can now navigate to the share through Explorer without providing a password.  Why is IIS manager throwing a fit?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849217
This is strange. To be honest, I'm a bit lost as to where to proceed from here. Short of trying to set up my own test rig with about 3 stations and trying to replicate everything you've done, I can't think of another way of troubleshooting this. Just a shot in the dark - what happens if you were to set up a second site, identical to this one - can you get into that one after re-creating it?
0
 

Author Comment

by:funehmon
ID: 21849287
I just restarted the box and was again prompted with a login box when trying to navigate through Explorer.  The UNC share's parent is set up to not allow everyone, so I still cannot get to it.  This is definitely an ACL problem.  I'll keep messing around with it until I get it.

Back to my original post though, is it best practice to take the IIS7 server off of the domain?  I thought I read somewhere it was actually recommended to join the domain on IIS7.  What about running Edge Transport on the same server? It cannot be on the domain, but is running IIS and Edge Transport on the same machine against best practices?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849320
They are both two potentially RAM and CPU demanding services, so could cause a problem if they're on the same box. Personally, I'd run them on separate boxes.
0
 

Author Comment

by:funehmon
ID: 21849888
The idea is that they could both be on the perimeter network and use the same box.  If the box is beefy enough, there is no other downside? What about security concerns running the two together?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849919
If it's powerful enough, then no, you shouldn't have too many problems. Only potential security concern would be if there were a bug in Exchange, for example, they could use that to gain access to IIS, but then again, even if they were on separate boxes in the DMZ, that could still be done. So no, not really any major security issues which can be avoided otherwise.
0
