[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1195
  • Last Modified:

IIS 7 - Path not found - UNC Path

I'm getting a painful issue where I have moved an old asp custom written application that lists files in directories that has been moved to an IIS 7 server and i'm getting an "Path not found" error when executing the fso.GetFolder() function.

Outline:
- IIS 7
- 2008 Server 64-bit
- 32-bit is Enabled in ASP
- Windows Authentication Only (Kernel-mode Enabled) (Negotiate, NTLM)
- Impesonate (Enabled)

The unique thing about this is that if I access the server on the current domain network it all works fine and the user can see the files list through the asp page but if I access the site from the external internet url it fails.

Internal Network:
- http://webservername/                                               = Works fine
- http://webservername.domainname.com/                  = Works fine
- http://externalname.domainname.com/                      = Works fine

From the Internet
- http://externalname.domainname.com/                      = Fails with "Path not found"

If I run a processmonitor on the w3wp.exe process I can see the following:

***** WORKING *****
Date & Time:      10/09/2010 3:19:33 PM
Event Class:      File System
Operation:      CreateFile
Result:      SUCCESS
Path:      \\servername\sales$\projectfolders\lists\documents
TID:      1932
Duration:      0.0004655
Desired Access:      Read Attributes
Disposition:      Open
Options:      Open Reparse Point
Attributes:      n/a
ShareMode:      Read, Write, Delete
AllocationSize:      n/a
Impersonating:      DOMAIN\myusername
OpenResult:      Opened

***** FAILED *****
Date & Time:      10/09/2010 2:46:54 PM
Event Class:      File System
Operation:      CreateFile
Result:      ACCESS DENIED
Path:      \\servername\sales$\projectfolders\lists\documents
TID:      1156
Duration:      0.0059476
Desired Access:      Read Attributes
Disposition:      Open
Options:      Open Reparse Point
Attributes:      n/a
ShareMode:      Read, Write, Delete
AllocationSize:      n/a
Impersonating:      DOMAIN\myusername

I've checked SPN's that they look fine.  I can't see any easy way to debug kernel-mode authentication as authdiag is not designed to run with IIS 7.  Any input would be appreciated.

thanks,

Michael





0
mreggio
Asked:
mreggio
  • 2
1 Solution
 
rsimseeCommented:
It's working internally because you are authenticating via your originating windows domain account which has access to the file in question.

When you try to access the same file from an external site, your authentication is no longer valid and you become anonymous and use the IUSR_servername account.  Any file or folder that you want to be able to access anonymously must have the IUSR account added to it's ACL.

Be careful with this however, anybody who connects to the server anonymously would also have these rights.  If you really want to do something like this externally, you should authenticate with a username / password first.
0
 
mreggioAuthor Commented:
Anonymous is not in use on this site at all.  If you check the file assecc ddebug I posted in the question you will see that its Impersonating a domain account.   When any user accesses the site it authenticates them with a domain account.
0
 
mreggioAuthor Commented:
I worked this out.  Was a security token issue when connecting between servers.  External Kerberos authentication requests cannot be passed between servers if the request is from and external source.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now