IIS 7 Shared Config. with a Non-Domain web server. DFS Namespace

I am setting up IIS 7 and using shared configuration. The shared configuration and content files are on a DFS namespace share, \\mydomain\data\webSites, on a Windows Server 2008 Server Core machine which is also our domain controller.

Everything worked great while I had the web server as a member of the domain. I used a domain account as the credentials to access the DFS share. Now I have been told that the box will also host an Edge Transport server for Exchange 2007, which should not be on a server that is joined to a domain.

Now I have a problem with how to set up IIS 7 shared configuration. I cannot just add a local user to the web box and use it, because the same user has to be created on the server with the share (which is our domain controller). Any user I would set up on the DC would just be a domain user.

Am I stuck?  Any ideas?

Thank you.
funehmon asked:

tigermatt commented:
You might be able to get away with creating a user on both the domain and locally on the server which has the same username and password in both systems. This usually works, and will still allow both users to authenticate with each other.

funehmon (author) commented:
That seemed to do the trick. I still got a lot of errors when I tried to look at any of the application settings, something like "cannot use credentials of virtual directory to login to UNC path". I had to go to my applicationHost.config file on the UNC share, look for all instances of my old domain user account and replace them with the new user name.

Restarted IIS Manager and all looks good.

Thanks.

tigermatt commented:
Good, thanks!

funehmon (author) commented:
Crud... turns out that didn't work. It only let me in because I had navigated to the UNC share from Explorer and provided domain credentials to view something else. When I restarted the box, I got the same thing.

Any other ideas?

funehmon (author) commented:
Even more strange is that IIS is still serving my pages, and the content is on the same share as the configuration settings. It seems that it's just IIS Manager not liking my credentials.

tigermatt commented:
Whereabouts are you entering the credentials in IIS Manager?

funehmon (author) commented:
When I open IIS Manager and click on the server node, it says "There was an error when trying to connect. Do you want to retype your credentials and try again?" then "Details: Filename \\?\UNC\mydomain\data\Websites\administration.config.... Cannot read configuration file".

If I hit Yes, it says "Provide Credentials"... "Connecting to 'localhost'". The username is a drop-down box that is empty, and there is a password text box.

If I navigate to the UNC share from Windows, it does prompt for credentials. Once provided, IIS Manager allows me to view all of my configuration settings for each site.
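Added example (my script, not something posted in the thread) that covers two things discussed above: the rename of the old domain account inside the shared applicationHost.config that funehmon described, and the "Cannot read configuration file" symptom on administration.config that appears as soon as the box is rebooted. It reads the local redirection.config to find the shared-configuration UNC path and the service account IIS uses for it, then tests whether the user running the script can open administration.config on that path (the thread's Explorer experiment suggests IIS Manager depends on the logged-on user's own SMB session for that read), then lists every virtualDirectory that carries its own UNC credentials and, only with -Apply, renames them. The account names MYDOMAIN\websvc and websvc are placeholders I chose; everything else follows the layout IIS 7 uses for these files.

```powershell
# Added example, not from the thread. Run elevated, as the same Windows user who
# runs IIS Manager on the workgroup web server.
# Assumptions (mine): the two account names below are placeholders; $NewUser is the
# mirrored account (same name and password on the web server and the file server).
param(
    [string]$OldUser = 'MYDOMAIN\websvc',  # account used while the box was domain-joined
    [string]$NewUser = 'websvc',           # mirrored account with the SAME password on both machines
    [switch]$Apply                          # without -Apply nothing is written
)

$ErrorActionPreference = 'Stop'
$inetsrv = Join-Path $env:windir 'System32\inetsrv'

# (1) Shared-configuration settings live locally in redirection.config:
#     <configurationRedirection enabled="true" path="\\server\share" userName="..." password="[enc:...]" />
$redir = New-Object System.Xml.XmlDocument
$redir.Load((Join-Path $inetsrv 'config\redirection.config'))
$cr = $redir.SelectSingleNode('/configuration/configurationRedirection')
if ($null -eq $cr -or $cr.GetAttribute('enabled') -ne 'true') {
    throw 'Shared configuration is not enabled on this server.'
}
$sharePath = $cr.GetAttribute('path')
"Shared configuration path   : $sharePath"
"Service account for the path: $($cr.GetAttribute('userName'))"

# (2) The IIS service reaches the share with the account above. IIS Manager, as the
#     Explorer experiment in the thread shows, needs the logged-on user to reach it too,
#     and the first file it opens is administration.config.
$adminCfg = Join-Path $sharePath 'administration.config'
try {
    $fs = [System.IO.File]::OpenRead($adminCfg)
    $fs.Close()
    "Read test as $env:USERDOMAIN\$env:USERNAME : OK ($adminCfg)"
} catch {
    "Read test as $env:USERDOMAIN\$env:USERNAME : FAILED - $($_.Exception.Message)"
    'IIS Manager will fail the same way until this logon can reach the share (on a'
    'workgroup box: log on as an account that is mirrored on the file server).'
}

# (3) Per-site UNC credentials sit on each virtualDirectory element:
#     <virtualDirectory path="/" physicalPath="\\server\share\site" userName="..." password="[enc:...]" />
$ahcPath = Join-Path $sharePath 'applicationHost.config'
$ahc = New-Object System.Xml.XmlDocument
$ahc.PreserveWhitespace = $true          # keep the file diff-friendly when saving
$ahc.Load($ahcPath)
$vdirs = @($ahc.SelectNodes('/configuration/system.applicationHost/sites/site/application/virtualDirectory[@userName]'))
foreach ($v in $vdirs) {
    # GetAttribute() is used on purpose: $v.name would return the XML node name, not the attribute
    $site = $v.ParentNode.ParentNode.GetAttribute('name')
    '{0,-22} {1,-8} {2,-36} user={3}' -f $site, $v.ParentNode.GetAttribute('path'),
        $v.GetAttribute('physicalPath'), $v.GetAttribute('userName')
}

$hits = @($vdirs | Where-Object { $_.GetAttribute('userName') -ieq $OldUser })
if ($hits.Count -eq 0) {
    "No virtualDirectory uses $OldUser; nothing to rename."
} elseif (-not $Apply) {
    "$($hits.Count) virtualDirectory entries use $OldUser; re-run with -Apply to change them to $NewUser."
} else {
    Copy-Item $ahcPath "$ahcPath.bak"    # IIS re-reads the shared file on its next configuration read
    foreach ($v in $hits) { $v.SetAttribute('userName', $NewUser) }
    $ahc.Save($ahcPath)
    "Renamed $($hits.Count) entries to $NewUser. The encrypted password blobs were left untouched,"
    "so $NewUser must carry the same password $OldUser had; otherwise set a new one with appcmd."
}
```

Without -Apply the script is read-only, which is the mode to use first. Renaming only the userName attribute works because the mirrored account is, by construction, given the same password; if the new account has a different password, re-enter it with appcmd so the blob is re-encrypted, for example `appcmd set vdir "Default Web Site/" /userName:websvc /password:<password>`. The credentials in redirection.config (the ones the IIS service itself uses for the share) are not touched by this script; change those on the Shared Configuration page in IIS Manager, which also re-encrypts the password.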

funehmon (author) commented:
Matt, any thoughts?

tigermatt commented:
So what about if you enter the credentials in that popup box to log in? It might be that that is required, depending on the permissions granted over the administration.config files.

funehmon (author) commented:
I've tried using the domain account that everything was originally configured under. It will not let me use any domain user (or domain admin, for that matter). It just gives an error "could not connect to the specified computer"... "error: cannot read configuration file".

tigermatt commented:
What about a local user account? Does that help?

tigermatt commented:
You might also want to check http://support.microsoft.com/kb/934515

funehmon (author) commented:
A local user does the same thing. I have the same user set up on the domain, and it has read/write privileges to the UNC share.

The link you provided doesn't quite fit the scenario. IIS is serving up the pages with no errors. Somewhere it is configured to use credentials that are letting it get to the UNC share.

I just tried setting the UNC share up for Everyone to have read access. Same error. I can now navigate to the share through Explorer without providing a password. Why is IIS Manager throwing a fit?

tigermatt commented:
This is strange; to be honest, I'm a bit lost as to where to proceed from here. Short of trying to set up my own test rig with about 3 stations and trying to replicate everything you've done, I can't think of another way of troubleshooting this. Just a shot in the dark: what happens if you were to set up a second site, identical to this one? Can you get into that one after re-creating it?

funehmon (author) commented:
I just restarted the box and was again prompted with a login box when trying to navigate through Explorer. The UNC share's parent is set up to not allow Everyone, so I still cannot get to it. This is definitely an ACL problem. I'll keep messing around with it until I get it.

Back to my original post, though: is it best practice to take an IIS 7 server off of the domain? I thought I read somewhere it was actually recommended to join the domain on IIS 7. What about running Edge Transport on the same server? It cannot be on the domain, but is running IIS and Edge Transport on the same machine against best practices?

tigermatt commented:
They are both potentially RAM- and CPU-demanding services, so they could cause a problem if they're on the same box. Personally, I'd run them on separate boxes.

funehmon (author) commented:
The idea is that they could both be on the perimeter network and use the same box. If the box is beefy enough, is there no other downside? What about security concerns running the two together?

tigermatt commented:
If it's powerful enough, then no, you shouldn't have too many problems. The only potential security concern would be if there were a bug in Exchange, for example: they could use that to gain access to IIS, but then again, even if they were on separate boxes in the DMZ, that could still be done. So no, not really any major security issues which can be avoided otherwise.