Access Denied connecting to remote share through IIS
on 13.11.2006 17:47:01 by Hrocks
I am accessing a document through a front end web application. The access
pulls the document from a file share on another server. I continue to get the
IIS credentials prompt and process monitor shows this:
Operation: Create File
Result: Access Denied
Path: \\server\ITContent\Active\06\59\65\DTA System Design
Access: Generic Read
Disposition: Open
Options:
Attributes: RE
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: Domain\Username
The web server itself is using Integrated Auth only. I have verified that I
have full control on the file share as well as the network service which is
running the application pool, system, everyone, etc. No matter how I set the
permissions I still get this access denied message in process explorer. Can
anyone point me in a direction to troubleshoot this thing? Thanks.
Re: Access Denied connecting to remote share through IIS
on 14.11.2006 00:27:07 by David Wang
This is the classic double-hop scenario, and failure for Integrated
Authentication (NTLM protocol) is by design.
Ways to get it to work are:
1. Configure IIS to use Kerberos on the backend and set up Constrained
Delegation. If Webserver is IIS5/W2K, you also need to use Kerberos to
authenticate to the frontend Web Application.
2. Configure IIS to use Basic authentication. This weakened protocol
allows implicit delegation.
3. Use Custom Authentication which works like #2 but with a proprietary
protocol.
The reason this fails is simple. Just because a user authenticates to
the frontend web application does NOT mean the web application can use
that user's credential to contact their bank and withdraw all their
money IN THEIR NAME. The user should control who has access to
impersonate them, and the bank should be able to control who they
trust.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
Hrocks wrote:
> I am accessing a document through a front end web application. The access
> pulls the document from a file share on another server. I continue to get the
> IIS credentials prompt and process monitor shows this:
>
> Operation: Create File
> Result: Access Denied
> Path: \\server\ITContent\Active\06\59\65\DTA System Design
> Access: Generic Read
> Disposition: Open
> Options:
> Attributes: RE
> ShareMode: Read, Write, Delete
> AllocationSize: n/a
> Impersonating: Domain\Username
>
> The web server itself is using Integrated Auth only. I have verified that I
> have full control on the file share as well as the network service which is
> running the application pool, system, everyone, etc. No matter how I set the
> permissions I still get this access denied message in process explorer. Can
> anyone point me in a direction to troubleshoot this thing? Thanks.
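
For option 1 in David Wang's reply, a read-only check of the delegation settings, added here as an example (it is not code from the thread). It assumes the ActiveDirectory PowerShell module, an application pool running as Network Service (so the web server's computer account is the identity that delegates), and placeholder host names WEB01 and FILESRV01.

```powershell
# Added example: report whether the IIS server's computer account may delegate
# the impersonated user to the file server's SMB service (the second hop).
# WEB01 and FILESRV01 are placeholders, not names from the thread.
Import-Module ActiveDirectory

function Test-DoubleHopDelegation {
    param(
        [Parameter(Mandatory)] [string] $WebServer,
        [Parameter(Mandatory)] [string] $FileServer
    )

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo'
    $web  = Get-ADComputer -Identity $WebServer  -Properties $props
    $file = Get-ADComputer -Identity $FileServer -Properties DNSHostName

    # Access to \\server\share is requested under the cifs/<host> service class,
    # by short name or by FQDN depending on how the UNC path is written.
    $wanted  = @("cifs/$($file.Name)", "cifs/$($file.DNSHostName)")
    $allowed = @($web.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $matched = @($allowed | Where-Object { $wanted -contains $_ })

    [pscustomobject]@{
        WebServer              = $web.Name
        # True = unconstrained delegation: works, but far broader than needed.
        Unconstrained          = [bool]$web.TrustedForDelegation
        # True = "use any authentication protocol" (protocol transition).
        ProtocolTransition     = [bool]$web.TrustedToAuthForDelegation
        AllowedToDelegateTo    = $allowed
        CifsTargetsMatched     = $matched
        # True = constrained delegation to the file share is in place.
        ConstrainedToFileShare = ($matched.Count -gt 0)
    }
}

Test-DoubleHopDelegation -WebServer 'WEB01' -FileServer 'FILESRV01' | Format-List
```

If ConstrainedToFileShare and Unconstrained are both False, the second hop cannot carry the user's identity, and changing share or NTFS permissions will not alter the Access Denied result.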