Solved

Having trouble getting IUSR anonymous web login to access files on another server on Windows Server 2008 domain

Posted on 2010-08-15
Last Modified: 2012-05-10
I have a web application that accesses files in a database folder that sits on a Windows Server 2008 R2 PDC.  The PDC has IIS installed and I can configure the app to run fine from that server. I can set the app to find the files via local drive letter or UNC to its own hard drive.  To get this to work I added permissions to the IUSR account for the folder with the database files.

I installed a Windows Server 2008 Web Server edition computer on the network.  I had this server join the domain by right-clicking My Computer and going to properties, then changing it from workgroup to domain login.  I installed the web application we're using to this server and configured it to access the database files on the PDC via the UNC path: \\MAINSERVER\SHARED\DATABASE.

Problem:  when I run the application it returns an error that seems to indicate that it doesn't have permissions to the database folder that's on the other server.  I went to the authentication item in IIS Manager on this server and verified that the anonymous login uses the IUSR account.  I assume this is the same AD account user that the PDC was using when I ran this and it worked.  

For testing purposes, I changed the anonymous user ID to use the administrator account and it worked.  So my next step was to create a new user in AD called webuser.  I added that user to the Administrators group.  But even being a member of the administrators group didn't allow this to work.
Question by:pcspcs

Expert Comment

by:WebDOT
ID: 33445947
You were getting the error because Domain Controllers don't have local accounts.  Additionally, even if they DID have local accounts, they more than likely wouldn't allow a local account from another box to have permissions on files on there.

If the files are on a PDC (this seems like a poor idea to begin with) then the user will probably need to be a domain admin in order to access them. Making an anonymous web account a domain admin presents all sorts of security holes, so I would HIGHLY discourage this.

Author Comment

by:pcspcs
ID: 33446184
My intent was not to leave anyone as domain admin, but simply to troubleshoot to see where the problem is.  The real goal is to figure out why the built-in IUSR account will not access the database files when the user comes in via the web server.  My goal is to eventually turn off IIS on the PDC and force users to run this app from the web server itself. So if the IUSR account can access the database files when the user comes in via IIS on the PDC, why can they not do so when coming in via the web server with the app (which is an ISAPI app) configured to pull the database files via the UNC path?

Accepted Solution

by:pcspcs
ID: 33447550
Okay, I found the solution.  I didn't realize that IUSR was a local account and not a domain account.  All I had to do was create a new domain user and set the anonymous login for that web site to use that user's account.  I did not need to make that user a domain admin at all.  All I needed to do was to assign it rights to the database folder.
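The fix described in the accepted solution, as an added PowerShell example that is not part of the original thread: it refuses to proceed if the chosen domain account sits in a privileged group, points the site's anonymous authentication at that account, and grants it rights on the database folder only. The domain, account and site names are placeholders; the availability of the WebAdministration module on the web server and the choice of the Modify right are assumptions.

```powershell
# Added example. CONTOSO, svc-webanon and 'Default Web Site' are placeholders.
# Run elevated on the web server, as an admin who may also edit the folder ACL.
Import-Module WebAdministration   # assumption: the IIS PowerShell module is installed

$site     = 'Default Web Site'               # placeholder site name
$account  = 'CONTOSO\svc-webanon'            # placeholder domain account for this site
$dbFolder = '\\MAINSERVER\SHARED\DATABASE'   # UNC path from the question
$filter   = '/system.webServer/security/authentication/anonymousAuthentication'

# 1. Stop if the account is privileged: an anonymous web identity should hold
#    rights on the database folder and nothing else.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$ctx     = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)
$sam     = $account.Split('\')[1]
$user    = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $sam)
if (-not $user) { throw "Account $account was not found in the domain." }

$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$hits = $user.GetAuthorizationGroups() |
    Where-Object { $privileged -contains $_.SamAccountName } |
    ForEach-Object { $_.SamAccountName }
if ($hits) { throw "$account is a member of: $($hits -join ', '). Remove it first." }

# 2. Replace the local IUSR identity with the domain account for this site only.
$cred  = Get-Credential $account
$plain = $cred.GetNetworkCredential().Password
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name userName -Value $account
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name password -Value $plain
Remove-Variable plain

# 3. Grant NTFS rights on the database folder, inherited by files and subfolders.
#    Modify (M) is an assumption; use RX if the application only reads.
#    The share permissions on SHARED must allow the account as well.
icacls $dbFolder /grant "${account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Show the result: the configured anonymous identity and the folder ACL.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name userName
icacls $dbFolder
```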
