Solved

IIS 7 Shared Config. with a Non-Domain web server. DFS Namespace

Posted on 2008-06-19
18 comments, 1,979 views. Last Modified: 2012-05-05
I am setting up IIS7 and using shared configuration.  The shared configuration and content files are on a DFS namespace share \\mydomain\data\webSites on a Windows 2008 server core machine which is also our domain controller.

Everything worked great while I had the web server as a member of the domain.  I used a domain account as the credentials to access the DFS share.  Now, I have been told that the box will also host an Edge Transport server for Exchange 2007 which should not be on a server which is joined to a domain.

Now I have a problem as to how I set up IIS7 shared configuration.  I cannot just add a local user to the web box and use it because the same user has to be created on the server with the share (which is our domain controller).  Any user I would set up on the DC would just be a domain user.

Am I stuck?  Any ideas?

Thank you.
Question by: funehmon

LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 21825530
You might be able to get away with creating a user on both the domain and locally on the server which has the same username and password in both systems. This usually works, and will still allow both users to authenticate with each other.
 

Author Comment

by:funehmon
ID: 21825793
That seemed to do the trick.  I still got a lot of errors when I tried to look at any of the application settings, something like "cannot use credentials of virtual directory to login to UNC path".  I had to go to my ApplicationHost.config file on the UNC share and look for all instances of my old domain user account and replace it with the new user name.

Restarted IIS Manager and all looks good.

Thanks.
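An added example, not code from the thread: a PowerShell script that does the search-and-replace funehmon describes, listing every virtual directory in applicationHost.config that still carries the old domain account before anything is changed. The config file name and the two account names are assumptions.

```powershell
# Added example (not from the thread): audit an IIS 7 applicationHost.config for
# virtual-directory entries whose userName still points at the old domain account,
# and optionally rewrite them to the new local account. Paths and names are assumed.
param(
    [string]$ConfigPath = '\\mydomain\data\webSites\applicationHost.config',  # assumed file name on the share
    [string]$OldUser    = 'MYDOMAIN\webconfig',   # constructed: the domain account used before
    [string]$NewUser    = 'webconfig',            # constructed: the matching local account name
    [switch]$Apply                                # without -Apply the script only reports
)

[xml]$config = Get-Content -Path $ConfigPath

# Every element carrying a userName attribute: in this file that is the
# <virtualDirectory> entries under <sites>, which IIS uses to reach UNC content.
$hits = @()
foreach ($node in $config.SelectNodes('//*[@userName]')) {
    if ($node.GetAttribute('userName') -ieq $OldUser) { $hits += $node }
}

foreach ($node in $hits) {
    $info = '{0} path="{1}" physicalPath="{2}" userName="{3}"' -f $node.Name, $node.GetAttribute('path'), $node.GetAttribute('physicalPath'), $node.GetAttribute('userName')
    Write-Host $info
    if ($node.HasAttribute('password')) {
        # The password attribute is stored encrypted by an IIS configuration provider;
        # re-enter it through IIS Manager or appcmd after the rename instead of
        # editing the cipher text by hand.
        Write-Host '    (carries an encrypted password attribute; re-enter it for the new account)'
    }
    if ($Apply) { $node.SetAttribute('userName', $NewUser) }
}

if ($Apply -and $hits.Count -gt 0) {
    Copy-Item -Path $ConfigPath -Destination ($ConfigPath + '.bak')   # keep a backup first
    $config.Save($ConfigPath)
    Write-Host ('Rewrote {0} entries; backup at {1}.bak' -f $hits.Count, $ConfigPath)
}
```

Run it once without -Apply to review the list, then with -Apply to write the change and keep a .bak copy beside the original.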
 
LVL 58

Expert Comment

by:tigermatt
ID: 21825856
Good, thanks!
 

Author Comment

by:funehmon
ID: 21826185
Crud...turns out that didn't work.  It only let me in because I had navigated to the UNC share from Explorer and provided domain credentials to view something else.  When I restarted the box, I got the same thing.

Any other ideas?
 

Author Comment

by:funehmon
ID: 21826272
Even more strange is that IIS is still serving my pages and the content is on the same share as the configuration settings.  It seems that it's just IIS Manager not liking my credentials.
 
LVL 58

Expert Comment

by:tigermatt
ID: 21826332
Whereabouts are you entering the credentials in IIS Manager?
 

Author Comment

by:funehmon
ID: 21830023
When I open IIS Manager and click on the server node, it says "There was an error when trying to connect. Do you want to retype your credentials and try again?" then "Details: Filename \\?\UNC\mydomain\data\Websites\administration.config....Cannot read configuration file"

If I hit yes, it says "Provide Credentials"..."Connecting to 'localhost'".  The username is a drop-down box that is empty, and a password text box.

If I navigate to the unc share from windows, it does prompt for credentials.  Once provided, the IIS Manager allows me to view all of my configuration settings for each site.
 

Author Comment

by:funehmon
ID: 21848924
Matt, any thoughts?
 
LVL 58

Expert Comment

by:tigermatt
ID: 21848954
So what about if you enter the credentials in that popup box to login. It might be that is required depending on the permissions granted over the administration.config files.
 

Author Comment

by:funehmon
ID: 21848993
I've tried using the domain account that everything was originally configured under.  It will not let me use any domain user (or domain admin, for that matter).  It just gives an error "could not connect to the specified computer"...."error: cannot read configuration file"
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849008
What about a local user account? Does that help?
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849010
You might also want to check http://support.microsoft.com/kb/934515
 

Author Comment

by:funehmon
ID: 21849090
A local user does the same thing. I have the same user set up on the domain and it has read/write privileges to the UNC share.

The link you provided doesn't quite fit the scenario.  IIS is serving up the pages, with no errors.  Somewhere it is configured to use credentials that are letting it get to the UNC share.

I just tried setting the UNC share up for EVERYONE to have read access.  Same error.  I can now navigate to the share through Explorer without providing a password.  Why is IIS manager throwing a fit?
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849217
This is strange, to be honest, I'm a bit lost as to where to proceed from here. Short of trying to set up my own test rig with about 3 stations and trying to replicate everything you've done, I can't think of another way of troubleshooting this. Just a shot in the dark - what happens if you were to set up a second site, identical to this one - can you get into that one after re-creating it?
 

Author Comment

by:funehmon
ID: 21849287
I just restarted the box and was again prompted with a login box when trying to navigate through Explorer.  The UNC share's parent is set up to not allow Everyone, so I still cannot get to it.  This is definitely an ACL problem.  I'll keep messing around with it until I get it.

Back to my original post though, is it best practice to take the IIS7 server off of the domain?  I thought I read somewhere it was actually recommended to join the domain on IIS7.  What about running Edge Transport on the same server? It cannot be on the domain, but is running IIS and Edge Transport on the same machine against best practices?
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849320
They are both two potentially RAM and CPU demanding services, so could cause a problem if they're on the same box. Personally, I'd run them on separate boxes.
 

Author Comment

by:funehmon
ID: 21849888
The idea is that they could both be on the perimeter network and use the same box.  If the box is beefy enough, there is no other downside? What about security concerns running the two together?
 
LVL 58

Expert Comment

by:tigermatt
ID: 21849919
If it's powerful enough, then no, you shouldn't have too many problems. The only potential security concern would be if there were a bug in Exchange, for example; they could use that to gain access to IIS, but then again, even if they were on separate boxes in the DMZ, that could still be done. So no, not really any major security issues which can be avoided otherwise.