Solved

IIS 7 Shared Config. with a Non-Domain web server. DFS Namespace

Posted on 2008-06-19
Last Modified: 2012-05-05
I am setting up IIS7 and using shared configuration.  The shared configuration and content files are on a DFS namespace share \\mydomain\data\webSites on a Windows 2008 server core machine which is also our domain controller.

Everything worked great while I had the web server as a member of the domain.  I used a domain account as the credentials to access the DFS share.  Now, I have been told that the box will also host an Edge Transport server for Exchange 2007 which should not be on a server which is joined to a domain.

Now I have a problem as to how I set up IIS7 shared configuration.  I cannot just add a local user to the web box and use it because the same user has to be created on the server with the share (which is our domain controller).  Any user I would set up on the DC would just be a domain user.

Am I stuck?  Any ideas?

Thank you.
0
Comment
Question by:funehmon
18 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 750 total points
ID: 21825530
You might be able to get away with creating a user on both the domain and locally on the server which has the same username and password in both systems. This usually works, and will still allow both users to authenticate with each other.
0
 

Author Comment

by:funehmon
ID: 21825793
That seemed to do the trick.  I still got a lot of errors when I tried to look at any of the application settings, something like "cannot use credentials of virtual directory to login to UNC path".  I had to go to my ApplicationHost.config file on the UNC share and look for all instances of my old domain user account and replace it with the new user name.

Restarted IIS Manager and all looks good.

Thanks.
0
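
Added example, not part of the original thread: the manual search described in the comment above can be scripted by listing every element in applicationHost.config that carries a `userName` attribute and marking those still set to the old account. The sample XML, the account name `MYDOMAIN\websvc` and the function name `Get-ConfigAccountReference` are constructed for illustration.

```powershell
# Constructed sample standing in for applicationHost.config on the UNC share.
# Account names, pool and site names below are illustrative, not from the thread.
[xml]$sample = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="SitePool">
        <processModel identityType="SpecificUser" userName="MYDOMAIN\websvc" password="REDACTED" />
      </add>
    </applicationPools>
    <sites>
      <site name="Site1" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="\\mydomain\data\webSites\site1"
                            userName="websvc" password="REDACTED" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

function Get-ConfigAccountReference {
    param([xml]$Config, [string]$OldAccount)
    foreach ($el in $Config.SelectNodes('//*[@userName]')) {
        # Build a readable trail from the root down to the element,
        # adding the name= or path= attribute where one exists.
        $trail = @()
        for ($n = $el; $n -is [System.Xml.XmlElement]; $n = $n.ParentNode) {
            $label = $n.LocalName
            foreach ($a in 'name', 'path') {
                if ($n.HasAttribute($a)) { $label += "[$a=$($n.GetAttribute($a))]"; break }
            }
            $trail = @($label) + $trail
        }
        # Report the account only; the password attribute is never read.
        [pscustomobject]@{
            Location     = $trail -join '/'
            UserName     = $el.GetAttribute('userName')
            IsOldAccount = $el.GetAttribute('userName') -ieq $OldAccount
        }
    }
}

# For the real file: [xml]$cfg = Get-Content '<path to applicationHost.config>'
Get-ConfigAccountReference -Config $sample -OldAccount 'MYDOMAIN\websvc' |
    Format-Table -AutoSize
```

Rows with `IsOldAccount` set to `True` are the entries that still name the old domain account.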
 
LVL 58

Expert Comment

by:tigermatt
ID: 21825856
Good, thanks!
0

 

Author Comment

by:funehmon
ID: 21826185
Crud...turns out that didn't work.  It only let me in because I had navigated to the UNC share from Explorer and provided domain credentials to view something else.  When I restarted the box...got the same thing.

Any other ideas?
0
 

Author Comment

by:funehmon
ID: 21826272
Even more strange is that IIS is still serving my pages and the content is on the same share as the configuration settings.  It seems that it's just IIS Manager not liking my credentials.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21826332
Whereabouts are you entering the credentials in IIS Manager?
0
 

Author Comment

by:funehmon
ID: 21830023
When I open IIS Manager and click on the server node, it says "There was an error when trying to connect. Do you want to retype your credentials and try again?" then "Details: Filename \\?\UNC\mydomain\data\Websites\administration.config....Cannot read configuration file"

If I hit yes, it says "Provide Credentials"..."Connecting to 'localhost'".  The username is a drop down box that is empty, and a password text box.

If I navigate to the UNC share from Windows, it does prompt for credentials.  Once provided, the IIS Manager allows me to view all of my configuration settings for each site.
0
 

Author Comment

by:funehmon
ID: 21848924
Matt, any thoughts?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21848954
So what about if you enter the credentials in that popup box to login. It might be that is required depending on the permissions granted over the administration.config files.
0
 

Author Comment

by:funehmon
ID: 21848993
I've tried using the domain account that everything was originally configured under.  It will not let me use any domain user (or domain admin for that fact).  It just gives an error "could not connect to the specified computer"...."error: cannot read configuration file"
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849008
What about a local user account? Does that help?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849010
You might also want to check http://support.microsoft.com/kb/934515
0
 

Author Comment

by:funehmon
ID: 21849090
Local user does the same thing. I have the same user set up on the domain and it has read/write privileges to the UNC share.

The link you provided doesn't quite fit the scenario.  IIS is serving up the pages, with no errors.  Somewhere it is configured to use credentials that are letting it get to the UNC share.

I just tried setting the UNC share up for EVERYONE to have read access.  Same error.  I can now navigate to the share through Explorer without providing a password.  Why is IIS manager throwing a fit?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849217
This is strange, to be honest, I'm a bit lost as to where to proceed from here. Short of trying to set up my own test rig with about 3 stations and trying to replicate everything you've done, I can't think of another way on troubleshooting this. Just a shot in the dark - what happens if you were to set up a second site, identical to this one - can you get into that one after re-creating it?
0
 

Author Comment

by:funehmon
ID: 21849287
I just restarted the box and was again prompted with a login box when trying to navigate through Explorer.  The UNC share's parent is set up to not allow everyone, so I still cannot get to it.  This is definitely an ACL problem.  I'll keep messing around with it until I get it.

Back to my original post though, is it best practices to take IIS7 server off of the domain?  I thought I read somewhere it was actually recommended to join the domain on IIS7.  What about running Edge Transport on the same server? It cannot be on the domain, but is running IIS and Edge Transport on the same machine against best practices?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849320
They are both two potentially RAM and CPU demanding services, so could cause a problem if they're on the same box. Personally, I'd run them on separate boxes.
0
 

Author Comment

by:funehmon
ID: 21849888
The idea is that they could both be on the perimeter network and use the same box.  If the box is beefy enough, there is no other downside? What about security concerns running the two together?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849919
If it's powerful enough, then no, you shouldn't have too many problems. Only potential security concern would be if there were a bug in Exchange, for example, they could use that to gain access to IIS, but then again, even if they were on separate boxes in the DMZ, that could still be done. So no, not really any major security issues which can be avoided otherwise.
0

Question has a verified solution.
