Virtual Directory to a remote UNC not working properly
on 15.11.2006 23:03:01 by dhoops
Setup:
IIS 6.0, Windows 2003 sp1 server.
Web server and UNC server are on the same domain.
Using 'Integrated Windows' and 'Digest' Authentication on both the Intranet
site and the virtual directory on the web server.
Problem:
When trying to access a file on the virtual directory from outside the
domain or on the domain I get the following message "You are not authorized
to view this page...
You do not have permission to view this directory or page due to the access
control list (ACL) that is configured for this resource on the web server.
HTTP error 401.3 - Unauthorized: Access is denied due to an ACL set on the
requested resource (IIS)."
If I access a file on the UNC from within the domain without using the
virtual dir I have no problems. If I access a file on the UNC from outside
the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
make sure the path or internet address is correct.
Any direction or insight would be appreciated!
--
Dave
Re: Virtual Directory to a remote UNC not working properly
on 16.11.2006 20:25:04 by David Wang
Can you describe what you are trying to do so that we can help you with
correct configuration? It sounds like you have a web server and a NAS
file server in your Intranet, and you are trying to make the files on
the NAS file server available via the web server, to people both inside
your Intranet and on the Internet.
The behaviors you describe are actually all normal and by-design.
> When trying to access a file on the virtual directory from outside the
> domain or on the domain I get the following message "You are not authorized
> to view this page...
This is because of "double hop" using NTLM with a UNC Virtual
Directory. Lots of people hit this, and there are well documented ways
to make this scenario work. Please search for those solutions.
> If I access a file on the UNC from within the domain without using the
> virtual dir I have no problems. If I access a file on the UNC from outside
> the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> make sure the path or internet address is correct.
This is because the name "flnas01" is not known to the computer/browser
outside the domain.
If you got that error by clicking on a link on a web page, it means
your web page content is incorrect because it has a UNC file reference
(which is valid only on the Intranet OR if you expose the flnas01
server to the entire world outside your domain). If you want the web
page to work outside the domain, you will have to find a suitable way
to expose your flnas01 server outside the domain, which may not be what
you want.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Virtual Directory to a remote UNC not working properly
on 16.11.2006 21:21:01 by dhoops
David,
Thanks for the reply. What you wrote below is exactly what I am trying to
do, i.e. make files from the NAS file server available to users on the inside
(Intranet) and from the outside (Internet) via our web server
in general. These files are linked through pages on the web site.
It appears my security is not set up correctly?
--
Dave
Re: Virtual Directory to a remote UNC not working properly
on 16.11.2006 23:15:02 by David Wang
Thanks for the info. Some more requirements need to be gathered before
determining the correct configuration.
- Your web pages cannot contain file:// or \\flnas01 links if you want
it to work from Internet.
If your web page MUST contain file:// or \\flnas01 links, then you will
need to open more holes in the firewall to allow RPC and UNC ports as
well as publish your flnas01 server to be accessible via the Internet.
Obviously, this sort of web page does NOT do what you want - make files
on NAS server available via Web Server (instead, it is making your NAS
server available via the Internet because your Web Server exposed its
name), and this approach is also heavily discouraged due to security
concerns.
It is easier and safer to configure a UNC vdir on IIS to point to
\\flnas01 UNC shares on NAS, and for your web pages to use
http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD
OF \\flnas01 links). This single page will work from both Intranet and
Internet with minimal security concerns.
If you do the above, but you want to optimize Intranet traffic to not
go through http://public.webserver.IP.address/unc-vdir, then you should
create two websites, one internal and the other external. This takes
more effort to maintain, and your router may not be smart enough to
support it.
- Internal website: web page uses \\flnas01 links, and bound to
http://internalWebServer
- External website: web page uses
http://public.webserver.IP.address/unc-vdir links, and bound to
http://public.webserver.IP.address
- In order for a vdir pointing to UNC share to work, it has to use an
Authentication protocol that supports Delegation. NTLM/Digest do not,
so your current failure is by-design. Choice of each protocol has its
plus and minus, and correct choice depends on your needs. The following
URL provides an excellent background and motivation:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
Applying that knowledge to your particular needs:
- Anonymous authentication works, but it means ALL users accessing
NAS server via the web server appear as the configured Anonymous User
on IIS, preventing repudiation (i.e. auditing who accessed what files
on the NAS). You may not care about the auditing, in which case
Anonymous authentication is easiest.
- Basic authentication works, but it passes username/password in the
clear, so you must protect it with SSL. This means you have to purchase
an SSL Server Certificate and maintain it. If you control all Web
Browsers used by your users, you can avoid paying for SSL Server
Certificate by creating your own SSL Certificate and inserting it into
the Trusted Root Store of all Web Browser machines (remember, you can
do this because you control all Web Browsers - if you do not control
all Web Browsers of your users, this approach does not work
effectively).
- Kerberos works, but it requires setting up Active Directory and
configuring Delegation.
Since you want the solution to work both for Internet and Intranet, the
following choices are simplest:
- If you want to expose NAS over Web Server and you do not care to know
what user accessed which files (i.e. any user can access any file on
the NAS), then use Anonymous Authentication on IIS, configure its
Anonymous User to be a user that you also ACL the NAS UNC share.
- If you want to expose NAS over Web Server and you DO care about which
user accesses which files (i.e. users can only access the files ACL'd to
them on the NAS), then use Basic over SSL.
- If you want to expose NAS over Web Server, you care about which user
accesses which files, and you have an Active Directory already, then
configure Protocol Transitioning and you can use any authentication
protocol on IIS (including NTLM).
There are other solutions, of more complexity, offering different
security-based tradeoffs.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Virtual Directory to a remote UNC not working properly
on 17.11.2006 16:09:01 by dhoops
David,
Thanks for all this great info! I do have a couple of questions for clarity's
sake:
1. When connecting to the NAS file via
'http://public.webserver.IP.address/unc-vdir/blahblahblah links' ... Should
I actually be entering the following:
'http://public.webserver.IP.address,(where address is ip address of the
webserver)/unc-vdir,where unc-vdir is the name I give the unc-vdir on IIS
such as 'Public'/then the rest of the path on the NAS drive ?
2. Since we have active directory setup on our network you said all I need
to do is configure 'Protocol Transitioning' and then I can use any
authentication protocol on IIS... Where do I configure 'Protocol
Transitioning'?
Thanks-Dave
--
Dave
Re: Virtual Directory to a remote UNC not working properly
on 18.11.2006 01:19:56 by David Wang
1. Yes. Syntax works as
http://server-to-communicate-HTTP-with/virtual-URI
So, you should give the public IP of the webserver handling the Website
containing the UNC Vdir, and then the vdir mapping you provided
(/Public goes to \\flnas01\...), and then the rest of the directory
structure follows from that vdir mapping.
2. Read the NAS and IIS6 URL in my prior email. It has all the necessary
configuration details and links on how to configure it.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Virtual Directory to a remote UNC not working properly
am 20.11.2006 15:44:01 von dhoops
David,
Thanks for the feedback and direction on my 2 questions.
I am in the process of making the changes and I have been reading the doc on
configuring IIS with remotely stored content.
I'll let you know how it works out!
--
Dave
"David Wang" wrote:
> 1. Yes. Syntax works as
> http://server-to-communicate-HTTP-with/virtual-URI
>
> So, you should give the public IP of the webserver handling the Website
> containing the UNC Vdir, and then the vdir mapping you provided
> (/Public goes to \\flnas01\...), and then the rest of the directory
> structure follows from that vdir mapping.
>
> 2. Read the NAS and IIS6 URL of my prior email. It has all necessary
> configuration details and links on how to configure.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> dhoops wrote:
> > David,
> >
> > Thanks for all this great info! I do have a couple of questions for clarity
> > sake:
> >
> > 1. When connecting to the NAS file via
> > 'http://public.webserver.IP.address/unc-vdir/blahblahblah links' ... Should
> > I actually be entering the following:
> > 'http://public.webserver.IP.address,(where address is ip address of the
> > webserver)/unc-vdir,where unc-vdir is the name I give the unc-vdir on IIS
> > such as 'Public'/then the rest of the path on the NAS drive ?
> >
> > 2. Since we have active directory setup on our network you said all I need
> > to do is configure 'Protocol Transitioning' and then I can use any
> > authentication protocol on IIS... Where do I configure 'Protocol
> > Transitioning' ?
> >
> > Thanks-Dave
> > --
> > Dave
> >
> >
> > "David Wang" wrote:
> >
> > > Thanks for the info. Some more requirements need to be gathered before
> > > determining the correct configuration.
> > >
> > > - Your web pages cannot contain file:// or \\flnas01 links if you want
> > > them to work from the Internet.
> > >
> > > If your web page MUST contain file:// or \\flnas01 links, then you will
> > > need to open more holes in the firewall to allow RPC and UNC ports as
> > > well as publish your flnas01 server to be accessible via the Internet.
> > > Obviously, this sort of web page does NOT do what you want - make files
> > > on NAS server available via Web Server (instead, it is making your NAS
> > > server available via the Internet because your Web Server exposed its
> > > name), and this approach is also heavily discouraged due to security
> > > concerns.
> > >
> > > It is easier and safer to configure a UNC vdir on IIS to point to
> > > \\flnas01 UNC shares on NAS, and for your web pages to use
> > > http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD
> > > OF \\flnas01 links). This single page will work from both Intranet and
> > > Internet with minimal security concerns.
> > >
> > > If you do the above, but you want to optimize Intranet traffic to not
> > > go through http://public.webserver.IP.address/unc-vdir, then you should
> > > create two websites, one internal and the other external. This takes
> > > more effort to maintain, and your router may not be smart enough to
> > > support it.
> > > - Internal website: web page uses \\flnas01 links, and bound to
> > > http://internalWebServer
> > > - External website: web page uses
> > > http://public.webserver.IP.address/unc-vdir links, and bound to
> > > http://public.webserver.IP.address
> > >
> > >
> > > - In order for a vdir pointing to UNC share to work, it has to use an
> > > Authentication protocol that supports Delegation. NTLM/Digest do not,
> > > so your current failure is by-design. Choice of each protocol has its
> > > plus and minus, and correct choice depends on your needs. The following
> > > URL provides an excellent background and motivation:
> > >
> > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
> > >
> > > Applying that knowledge to your particular needs:
> > > - Anonymous authentication works, but it means ALL users accessing
> > > NAS server via the web server appear as the configured Anonymous User
> > > on IIS, preventing repudiation (i.e. auditing who accessed what files
> > > on the NAS). You may not care about the auditing, in which case
> > > Anonymous authentication is easiest.
> > > - Basic authentication works, but it passes username/password in the
> > > clear, so you must protect it with SSL. This means you have to purchase
> > > an SSL Server Certificate and maintain it. If you control all Web
> > > Browsers used by your users, you can avoid paying for SSL Server
> > > Certificate by creating your own SSL Certificate and inserting it into
> > > the Trusted Root Store of all Web Browser machines (remember, you can
> > > do this because you control all Web Browsers - if you do not control
> > > all Web Browsers of your users, this approach does not work
> > > effectively).
> > > - Kerberos works, but it requires setting up Active Directory and
> > > configuring Delegation.
> > >
> > > Since you want the solution to work both for Internet and Intranet, the
> > > following choices are simplest:
> > > - If you want to expose NAS over Web Server and you do not care to know
> > > what user accessed which files (i.e. any user can access any file on
> > > the NAS), then use Anonymous Authentication on IIS, and configure its
> > > Anonymous User to be a user to which you also ACL the NAS UNC share.
> > > - If you want to expose NAS over Web Server and you DO care about which
> > > user accesses which files (i.e. users can only access the files ACL'd to
> > > them on the NAS), then use Basic over SSL.
> > > - If you want to expose NAS over Web Server, you care about which user
> > > accesses which files, and you have an Active Directory already, then
> > > configure Protocol Transitioning and you can use any authentication
> > > protocol on IIS (including NTLM).
> > >
> > > There are other solutions, of more complexity, offering different
> > > security-based tradeoffs.
> > >
> > >
> > > //David
> > > http://w3-4u.blogspot.com
> > > http://blogs.msdn.com/David.Wang
> > > //
> > >
> > >
> > >
> > > dhoops wrote:
> > > > David,
> > > >
> > > > Thanks for the reply. What you wrote below is exactly what i am trying to
> > > > do... ie Make files from the NAS file server available to users on the inside
> > > > on the (Intranet) and from the outside on the (Internet) via our web server
> > > > in general... These files are linked through pages on the web site.
> > > >
> > > > It appears my security is not setup correctly?
> > > >
> > > > --
> > > > Dave
> > > >
> > > >
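The link change David recommends above (vdir URLs in the pages instead of \\flnas01 links), as an added Python example that is not code from the thread or from IIS: it scans a page for file:// and bare UNC links, maps those that fall under a configured vdir to that vdir's URL path, and flags any it cannot map, since those would still expose the file server's name and fail off the Intranet. The /Public to \\flnas01\Public mapping, the sample page and all function names are constructed for the illustration.

```python
"""Audit and rewrite NAS links so that pages go through the IIS UNC vdir.

Added illustration for this thread, not code from the thread or from IIS.
The vdir mapping (/Public -> \\flnas01\Public), the sample page and all
function names are constructed for the example.
"""
from html.parser import HTMLParser

# Constructed mapping: IIS vdir URL path -> UNC prefix the vdir points at.
# The thread only says "/Public goes to \\flnas01\..."; the share name is
# a placeholder.
VDIR_MAP = {
    "/Public": r"\\flnas01\Public",
}


def unc_from_href(href):
    """Return the \\server\share\path form of a file:// or \\server link,
    or None if the link is not a UNC reference (e.g. file:///C:/local)."""
    h = href.strip()
    if h.lower().startswith("file:"):
        rest = h[5:]               # "file://\\srv\x", "file:////srv/x", ...
    elif h.startswith("\\\\"):
        rest = h                   # bare \\srv\share\x
    else:
        return None
    rest = rest.replace("/", "\\").lstrip("\\")
    server = rest.split("\\", 1)[0]
    if not server or ":" in server:
        return None                # drive letter or empty: not a UNC path
    return "\\\\" + rest


def rewrite_link(href, vdir_map=VDIR_MAP, base=""):
    """Classify one link.

    Returns (kind, href): 'web' for ordinary links (left alone),
    'rewritten' with the vdir URL for UNC links a vdir covers, and
    'unmapped' for file/UNC links no vdir covers: those still expose
    the file server's name and break off the Intranet.
    `base` is "" for root-relative URLs, or e.g. "http://public.webserver.IP.address".
    """
    h = href.strip()
    if not (h.lower().startswith("file:") or h.startswith("\\\\")):
        return ("web", href)
    unc = unc_from_href(h)
    if unc is not None:
        for vdir, prefix in vdir_map.items():
            p = prefix.rstrip("\\")
            if unc.lower() == p.lower() or unc.lower().startswith(p.lower() + "\\"):
                tail = unc[len(p):].replace("\\", "/")
                return ("rewritten", base.rstrip("/") + vdir.rstrip("/") + tail)
    return ("unmapped", href)


class _LinkCollector(HTMLParser):
    """Collects every href/src attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in ("href", "src"):
                self.links.append(value)


def audit_html(html, vdir_map=VDIR_MAP, base=""):
    """Return [(original, kind, replacement)] for every link in the page."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(link,) + rewrite_link(link, vdir_map, base) for link in collector.links]


def rewrite_html(html, vdir_map=VDIR_MAP, base=""):
    """Return the page with every mappable UNC/file link replaced.

    Plain text replacement is enough for attribute values without HTML
    entities; a page using &amp; inside links would need an HTML-aware rewrite.
    """
    out = html
    for original, kind, replacement in audit_html(html, vdir_map, base):
        if kind == "rewritten":
            out = out.replace(original, replacement)
    return out


# Constructed sample page mixing the link styles discussed in the thread.
SAMPLE_PAGE = r"""<html><body>
<a href="file://\\flnas01\Public\reports\q3.pdf">Q3 report</a>
<a href="\\flnas01\Public\forms\w4.doc">W-4 form</a>
<a href="file://\\flnas01\Private\payroll.xls">Payroll (no vdir for this share)</a>
<a href="/about.htm">About</a>
<img src="http://www.example.com/logo.gif">
</body></html>"""

if __name__ == "__main__":
    for original, kind, replacement in audit_html(SAMPLE_PAGE):
        print(f"{kind:10} {original} -> {replacement}")
```

Leaving `base` empty emits root-relative links such as /Public/reports/q3.pdf, so the browser resolves them against whichever host name served the page; passing the public address as `base` produces the absolute form quoted in the reply above. Anything reported as unmapped is a share no vdir covers and has to get one (or be dropped from the page) before the page is published.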
Re: Virtual Directory to a remote UNC not working properly
am 21.11.2006 15:05:01 von dhoops
David,
Would you verify my following assumptions:
1. I want this to work so when users are on the inside (Intranet) they do
not have to login... Which is how it currently works. When users are coming
in from the outside (Internet) they will have to login only once when they
enter the site and not when they access a vir-dir file...
Will this be OK if all my vir-dir (NAS) links have a public web address?
Since we are using Active directory, can the above scenario be accomplished
with 'Integrated Windows' authentication? or 'Digest' authentication? or do I
need both turned on to make this work?
I am reading the documentation but I'm just a little unclear on this aspect.
Thanks.
--
Dave
Re: Virtual Directory to a remote UNC not working properly
am 21.11.2006 23:34:02 von dhoops
David,
I have broken through! Woo Hoo!!
My current authentication method on the Web Server is only set to Integrated
Windows and I have configured Active directory to have the Web Server
delegate for all protocols...
When I tested from an outside address I only had to logon to the site and
then accessing the file on the nas drive worked with no additional logon.
When I tested internally I did not have to logon to the site, but when I
accessed the file on the nas drive I had to logon with my username and
password to access the file... I said save my password and from that point on
I did not have to logon again from the Intranet (internally).
Will other users have to do this or is there a config setting I can employ
to avoid having a logon dialog pop up when accessing NAS files from the
intranet???
Thanks.
--
Dave
Re: Virtual Directory to a remote UNC not working properly
am 22.11.2006 01:33:46 von David Wang
The reason you get a login popup from the Intranet is because browsers do
not auto-login to Internet addresses by default.
What is going on is this:
- From Internet - when you access http://public.webserver.ip/ , the web
browser does not auto-login by default and pops up the login dialog box.
After logging in, it eventually accesses a page with a NAS URL that looks
like http://public.webserver.ip/UNC-vdir/SomeFile.ext , which falls
under the authentication to http://public.webserver.ip/ hence no
additional logins.
- From Intranet - when you access http://internalWebServerIP/ , the web
browser auto-logs in by default for the Intranet. After logging in, it
eventually accesses a page with a NAS URL that looks like
http://public.webserver.ip/UNC-vdir/SomeFile.ext . This dotted address
is in the Internet Zone by default and the browser does not auto-login, thus
you get a login dialog box.
In other words, using a NAS URL of
http://public.webserver.ip/UNC-vdir/SomeFile.ext will always require a
login dialog box regardless of where the user came from BECAUSE it is
considered a dotted IP-address and a part of the Internet Zone which does
not auto-login.
I do not understand why you do not create NAS URLs using relative links
that look like:
Because that is no longer a dotted-IP address and would fall under
auto-login in the Intranet and manual login on the Internet.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
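The zone behaviour David describes above (an absolute dotted-IP NAS URL lands in the Internet Zone and prompts for a login, while a relative /UNC-vdir/... link inherits the host of the page) and his earlier point that pages must not carry file:// or \\flnas01 links can be turned into a link audit. The Python below is an added example, not code from the thread or from IIS; the public IP 203.0.113.10, the vdir name /Public and the sample page are constructed for it.

```python
"""Audit the links a web page uses to reach NAS files published through an
IIS UNC virtual directory (added example; not code from the thread).

It flags the two link shapes the thread warns about and rewrites the
second one:
  * file:// and \\\\flnas01 UNC links: they expose the NAS name and only
    resolve on the Intranet.
  * absolute http://<public-ip>/UNC-vdir/... links: a dotted host falls in
    the browser's Internet Zone, so the user is prompted even on the
    Intranet. Rewriting them to /UNC-vdir/... makes the browser reuse the
    host (and therefore the zone) of the page itself.
Host names, the IP address and the vdir name below are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

NAS_NAME = "flnas01"                  # NAS server name from the thread
WEB_SERVER_HOSTS = {"203.0.113.10"}   # constructed public IP of the IIS box
UNC_VDIR = "/Public"                  # vdir name dhoops mentioned (constructed mapping)

# href="..." / src='...' attribute values in page markup.
LINK_RE = re.compile(r"""\b(href|src)\s*=\s*(["'])([^"']+)\2""", re.IGNORECASE)


def zone_of(url: str, page_host: str) -> str:
    """Approximate the default zone rule David describes: a dotted host
    (IP address or dotted DNS name) is Internet Zone, so no auto-login;
    a single-label host is Local Intranet, so auto-login. A relative link
    inherits the host of the page it sits on. (Admins can override this
    per site by policy; this models only the default.)"""
    parts = urlsplit(url)
    host = parts.hostname if parts.scheme in ("http", "https") else None
    host = host or page_host
    try:
        ipaddress.ip_address(host)
        return "Internet"
    except ValueError:
        return "Internet" if "." in host else "Intranet"


def audit_links(html: str) -> list[tuple[str, str]]:
    """Return (url, problem) pairs for links the thread says to avoid."""
    findings = []
    for _attr, _quote, url in LINK_RE.findall(html):
        low = url.lower()
        if low.startswith(("file:", "\\\\")) or NAS_NAME in low:
            findings.append((url, "unc-link"))        # exposes the NAS name
        elif urlsplit(url).hostname in WEB_SERVER_HOSTS:
            findings.append((url, "absolute-ip"))     # forces a login dialog
    return findings


def rewrite_to_relative(html: str) -> str:
    """Turn http://<web-server>/UNC-vdir/x into /UNC-vdir/x. UNC links are
    left alone: they need a content fix, not a URL rewrite."""
    def fix(m: re.Match) -> str:
        attr, quote, url = m.groups()
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname in WEB_SERVER_HOSTS:
            new = parts.path or "/"
            if parts.query:
                new += "?" + parts.query
            return f"{attr}={quote}{new}{quote}"
        return m.group(0)
    return LINK_RE.sub(fix, html)


# Constructed sample page with one of each link shape.
SAMPLE_HTML = (
    r'<a href="file://\\flnas01\docs\report.doc">UNC link</a>' "\n"
    '<a href="http://203.0.113.10/Public/report.doc">absolute link</a>\n'
    '<a href="/Public/report.doc">relative link</a>\n'
)

if __name__ == "__main__":
    for url, problem in audit_links(SAMPLE_HTML):
        print(f"{problem:12} {url}")
    print(rewrite_to_relative(SAMPLE_HTML))
    for host in ("internalwebserver", "203.0.113.10"):
        print(host, "->", zone_of("/Public/report.doc", host))
```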
Re: Virtual Directory to a remote UNC not working properly
am 22.11.2006 15:08:01 von dhoops
Thanks David!
I will try creating relative links for the UNC-vdir to resolve this issue.
--
Dave
Re: Virtual Directory to a remote UNC not working properly
am 22.11.2006 16:46:02 von dhoops
David,
I like the idea of using the
src="/unc-vdir/somefile.ext">SomeFile.ext...
Currently I use the following XML code to display my pages in
question...
And this works fine with the new security settings I've implemented except
for the unwanted logins in the Intranet scenarios...
I need to find a way to embed the HTML code you've suggested in my XML
code... I do not know the exact syntax, but I think you can use an element
![cdata[ ]] to accomplish this... Any thoughts?
--
Dave
> > > > > configure Protocol Transitioning and you can use any authentication
> > > > > protocol on IIS (including NTLM).
> > > > >
> > > > > There are other solutions, of more complexity, offering different
> > > > > security-based tradeoffs.
> > > > >
> > > > >
> > > > > //David
> > > > > http://w3-4u.blogspot.com
> > > > > http://blogs.msdn.com/David.Wang
> > > > > //
> > > > >
> > > > >
> > > > >
> > > > > dhoops wrote:
> > > > > > David,
> > > > > >
> > > > > > Thanks for the reply. What you wrote below is exactly what I am trying to
> > > > > > do... ie Make files from the NAS file server available to users on the inside
> > > > > > on the (Intranet) and from the outside on the (Internet) via our web server
> > > > > > in general... These files are linked through pages on the web site.
> > > > > >
> > > > > > It appears my security is not set up correctly?
> > > > > >
> > > > > > --
> > > > > > Dave
> > > > > >
> > > > > >
> > > > > > "David Wang" wrote:
> > > > > >
> > > > > > > Can you describe what you are trying to do so that we can help you with
> > > > > > > correct configuration? It sounds like you have a web server and a NAS
> > > > > > > file server in your Intranet, and you are trying to make the files on
> > > > > > > the NAS file server available via the web server, to people both inside
> > > > > > > your Intranet and on the Internet.
> > > > > > >
> > > > > > > The behaviors you describe are actually all normal and by-design.
> > > > > > >
> > > > > > > > When trying to access a file on the virtual directory from outside the
> > > > > > > > domain or on the domain I get the following message "You are not authorized
> > > > > > > > to view this page...
> > > > > > > This is because of "double hop" using NTLM with a UNC Virtual
> > > > > > > Directory. Lots of people hit this, and there are well documented ways
> > > > > > > to make this scenario work. Please search for those solutions.
> > > > > > >
> > > > > > >
> > > > > > > > If I access a file on the UNC from within the domain without using the
> > > > > > > > virtual dir I have no problems. If I access a file on the UNC from outside
> > > > > > > > the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> > > > > > > > make sure the path or internet address is correct.
> > > > > > > This is because the name "flnas01" is not known to the computer/browser
> > > > > > > outside the domain.
> > > > > > >
> > > > > > > If you got that error by clicking on a link on a web page, it means
> > > > > > > your web page content is incorrect because it has a UNC file reference
> > > > > > > (which is valid only on the Intranet OR if you expose the flnas01
> > > > > > > server to the entire world outside your domain). If you want the web
> > > > > > > page to work outside the domain, you will have to find a suitable way
> > > > > > > to expose your flnas01 server outside the domain, which may not be what
> > > > > > > you want.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > //David
> > > > > > > http://w3-4u.blogspot.com
> > > > > > > http://blogs.msdn.com/David.Wang
> > > > > > > //
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > dhoops wrote:
> > > > > > > > Setup:
> > > > > > > > IIS 6.0, Windows 2003 sp1 server.
> > > > > > > > Web server and UNC server are on the same domain.
> > > > > > > > Using 'Integrated Windows and Digest Authentication' on both the Intranet
> > > > > > > > site and the virtual directory on the web server.
> > > > > > > >
> > > > > > > > Problem:
> > > > > > > > When trying to access a file on the virtual directory from outside the
> > > > > > > > domain or on the domain I get the following message "You are not authorized
> > > > > > > > to view this page...
> > > > > > > > You do not have permission to view this directory or page due to the access
> > > > > > > > control list (ACL) that is configured for this resource on the web server.
> > > > > > > > HTTP error 401.3 - Unauthorized: Access is denied due to an ACL set on the
> > > > > > > > requested resource (IIS).
> > > > > > > >
> > > > > > > > If I access a file on the UNC from within the domain without using the
> > > > > > > > virtual dir I have no problems. If I access a file on the UNC from outside
> > > > > > > > the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> > > > > > > > make sure the path or internet address is correct.
> > > > > > > >
> > > > > > > > Any direction or insight would be appreciated!
> > > > > > > > --
> > > > > > > > Dave
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > >
> > >
>
>
Re: Virtual Directory to a remote UNC not working properly
on 22.11.2006 20:48:02 by dhoops
David,
Disregard my prior email...
I have resolved my issue... The following xml code resolves the login issue
both from the internet and intranet...
This uses the unc-vdir path and references back to the root of the default
site, which works for both the intranet and internet. Thanks for all your
help!
Have a good holiday!
--
Dave
"David Wang" wrote:
> The reason you get a login popup from Intranet is because browsers do
> not auto-login to Internet address by default.
>
> What is going on is this:
> - From Internet - when you access http://public.webserver.ip/ , the web
> browser does not auto-login by default and pops up the login dialog box.
> After logging in, it eventually accesses a page with a NAS URL that looks
> like http://public.webserver.ip/UNC-vdir/SomeFile.ext , which falls
> under the authentication to http://public.webserver.ip/ , hence no
> additional logins.
> - From Intranet - when you access http://internalWebServerIP/ , the web
> browser auto-logins by default for Intranet. After logging in, it
> eventually accesses a page with a NAS URL that looks like
> http://public.webserver.ip/UNC-vdir/SomeFile.ext . This dotted address
> is in the Internet Zone by default and the browser does not auto-login, thus
> you get a login dialog box.
>
> In other words, using a NAS URL of
> http://public.webserver.ip/UNC-vdir/SomeFile.ext will always require a
> login dialog box regardless of where the user came from BECAUSE it is
> considered a dotted IP-address and a part of Internet Zone which does
> not auto-login.
>
> I do not understand why you do not create NAS URLs using relative links
> that look like:
>
>
> Because that is no longer a dotted-IP address and would fall under
> auto-login in Intranet and manual login on Internet.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> dhoops wrote:
> > David,
> >
> > I have broken through! Woo Hoo!!
> >
> > My current authentication method on the Web Server is only set to Integrated
> > Windows and I have configured Active directory to have the Web Server
> > delegate for all protocols...
> >
> > When I tested from an outside address I only had to logon to the site and
> > then accessing the file on the nas drive worked with no additional logon.
> >
> > When I tested internally I did not have to logon to the site, but when I
> > accessed the file on the nas drive I had to logon with my username and
> > password to access the file... I said save my password and from that point on
> > I did not have to logon again from the Intranet (internally).
> >
> > Will other users have to do this or is there a config setting I can employ
> > to avoid having a logon dialog pop-up when accessing nas files from the
> > intranet???
> >
> > Thanks.
> > --
> > Dave
> >
> >
> > "David Wang" wrote:
> >
> > > 1. Yes. Syntax works as
> > > http://server-to-communicate-HTTP-with/virtual-URI
> > >
> > > So, you should give the public IP of the webserver handling the Website
> > > containing the UNC Vdir, and then the vdir mapping you provided
> > > (/Public goes to \\flnas01\...), and then the rest of the directory
> > > structure follows from that vdir mapping.
> > >
> > > 2. Read the NAS and IIS6 URL of my prior email. It has all necessary
> > > configuration details and links on how to configure
> > >
> > >
> > > //David
> > > http://w3-4u.blogspot.com
> > > http://blogs.msdn.com/David.Wang
> > > //
> > >
> > >
> > > dhoops wrote:
> > > > David,
> > > >
> > > > Thanks for all this great info! I do have a couple of questions for clarity
> > > > sake:
> > > >
> > > > 1. When connecting to the NAS file via
> > > > 'http://public.webserver.IP.address/unc-vdir/blahblahblah links' ... Should
> > > > I actually be entering the following:
> > > > 'http://public.webserver.IP.address,(where address is ip address of the
> > > > webserver)/unc-vdir,where unc-vdir is the name I give the unc-vdir on IIS
> > > > such as 'Public'/then the rest of the path on the NAS drive ?
> > > >
> > > > 2. Since we have active directory setup on our network you said all I need
> > > > to do is configure 'Protocol Transitioning' and then I can use any
> > > > authentication protocol on IIS... Where do I configure 'Protocol
> > > > Transitioning' ?
> > > >
> > > > Thanks-Dave
> > > > --
> > > > Dave
> > > >
> > > >
> > > > "David Wang" wrote:
> > > >
> > > > > Thanks for the info. Some more requirements need to be gathered before
> > > > > determining the correct configuration.
> > > > >
> > > > > - Your web pages cannot contain file:// or \\flnas01 links if you want
> > > > > it to work from Internet.
> > > > >
> > > > > If your web page MUST contain file:// or \\flnas01 links, then you will
> > > > > need to open more holes in the firewall to allow RPC and UNC ports as
> > > > > well as publish your flnas01 server to be accessible via the Internet.
> > > > > Obviously, this sort of web page does NOT do what you want - make files
> > > > > on NAS server available via Web Server (instead, it is making your NAS
> > > > > server available via the Internet because your Web Server exposed its
> > > > > name), and this approach is also heavily discouraged due to security
> > > > > concerns.
> > > > >
> > > > > It is easier and safer to configure a UNC vdir on IIS to point to
> > > > > \\flnas01 UNC shares on NAS, and for your web pages to use
> > > > > http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD
> > > > > OF \\flnas01 links). This single page will work from both Intranet and
> > > > > Internet with minimal security concerns.
> > > > >
> > > > > If you do the above, but you want to optimize Intranet traffic to not
> > > > > go through http://public.webserver.IP.address/unc-vdir, then you should
> > > > > create two websites, one internal and the other external. This takes
> > > > > more effort to maintain, and your router may not be smart enough to
> > > > > support it.
> > > > > - Internal website: web page uses \\flnas01 links, and bound to
> > > > > http://internalWebServer
> > > > > - External website: web page uses
> > > > > http://public.webserver.IP.address/unc-vdir links, and bound to
> > > > > http://public.webserver.IP.address
> > > > >
> > > > >
> > > > > - In order for a vdir pointing to UNC share to work, it has to use an
> > > > > Authentication protocol that supports Delegation. NTLM/Digest do not,
> > > > > so your current failure is by-design. Choice of each protocol has its
> > > > > plus and minus, and correct choice depends on your needs. The following
> > > > > URL provides an excellent background and motivation:
> > > > >
> > > > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
> > > > >
> > > > > Applying that knowledge to your particular needs:
> > > > > - Anonymous authentication works, but it means ALL users accessing
> > > > > NAS server via the web server appear as the configured Anonymous User
> > > > > on IIS, preventing repudiation (i.e. auditing who accessed what files
> > > > > on the NAS). You may not care about the auditing, in which case
> > > > > Anonymous authentication is easiest.
> > > > > - Basic authentication works, but it passes username/password in the
> > > > > clear, so you must protect it with SSL. This means you have to purchase
> > > > > an SSL Server Certificate and maintain it. If you control all Web
> > > > > Browsers used by your users, you can avoid paying for SSL Server
> > > > > Certificate by creating your own SSL Certificate and inserting it into
> > > > > the Trusted Root Store of all Web Browser machines (remember, you can
> > > > > do this because you control all Web Browsers - if you do not control
> > > > > all Web Browsers of your users, this approach does not work
> > > > > effectively).
> > > > > - Kerberos works, but it requires setting up Active Directory and
> > > > > configuring Delegation.
> > > > >
> > > > > Since you want the solution to work both for Internet and Intranet, the
> > > > > following choices are simplest:
> > > > > - If you want to expose NAS over Web Server and you do not care to know
> > > > > what user accessed which files (i.e. any user can access any file on
> > > > > the NAS), then use Anonymous Authentication on IIS, configure its
> > > > > Anonymous User to be a user that you also ACL the NAS UNC share.
> > > > > - If you want to expose NAS over Web Server and you DO care about which
> > > > > user access which files (i.e. users can only access the files ACL'd to
> > > > > them on the NAS), then use Basic over SSL
> > > > > - If you want to expose NAS over Web Server, you care about which user
> > > > > access which files, and you have an Active Directory already, then
> > > > > configure Protocol Transitioning and you can use any authentication
> > > > > protocol on IIS (including NTLM).
> > > > >
> > > > > There are other solutions, of more complexity, offering different
> > > > > security-based tradeoffs.
> > > > >
> > > > >
> > > > > //David
> > > > > http://w3-4u.blogspot.com
> > > > > http://blogs.msdn.com/David.Wang
> > > > > //
> > > > >
> > > > >
> > > > >
> > > > > dhoops wrote:
> > > > > > David,
> > > > > >
> > > > > > Thanks for the reply. What you wrote below is exactly what I am trying to
> > > > > > do... ie Make files from the NAS file server available to users on the inside
> > > > > > on the (Intranet) and from the outside on the (Internet) via our web server
> > > > > > in general... These files are linked through pages on the web site.
> > > > > >
> > > > > > It appears my security is not set up correctly?
> > > > > >
> > > > > > --
> > > > > > Dave
> > > > > >
> > > > > >
> > > > > > "David Wang" wrote:
> > > > > >
> > > > > > > Can you describe what you are trying to do so that we can help you with
> > > > > > > correct configuration? It sounds like you have a web server and a NAS
> > > > > > > file server in your Intranet, and you are trying to make the files on
> > > > > > > the NAS file server available via the web server, to people both inside
> > > > > > > your Intranet and on the Internet.
> > > > > > >
> > > > > > > The behaviors you describe are actually all normal and by-design.
> > > > > > >
> > > > > > > > When trying to access a file on the virtual directory from outside the
> > > > > > > > domain or on the domain I get the following message "You are not authorized
> > > > > > > > to view this page...
> > > > > > > This is because of "double hop" using NTLM with a UNC Virtual
> > > > > > > Directory. Lots of people hit this, and there are well documented ways
> > > > > > > to make this scenario work. Please search for those solutions.
> > > > > > >
> > > > > > >
> > > > > > > > If I access a file on the UNC from within the domain without using the
> > > > > > > > virtual dir I have no problems. If I access a file on the UNC from outside
> > > > > > > > the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> > > > > > > > make sure the path or internet address is correct.
> > > > > > > This is because the name "flnas01" is not known to the computer/browser
> > > > > > > outside the domain.
> > > > > > >
> > > > > > > If you got that error by clicking on a link on a web page, it means
> > > > > > > your web page content is incorrect because it has a UNC file reference
> > > > > > > (which is valid only on the Intranet OR if you expose the flnas01
> > > > > > > server to the entire world outside your domain). If you want the web
> > > > > > > page to work outside the domain, you will have to find a suitable way
> > > > > > > to expose your flnas01 server outside the domain, which may not be what
> > > > > > > you want.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > //David
> > > > > > > http://w3-4u.blogspot.com
> > > > > > > http://blogs.msdn.com/David.Wang
> > > > > > > //
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > dhoops wrote:
> > > > > > > > Setup:
> > > > > > > > IIS 6.0, Windows 2003 sp1 server.
> > > > > > > > Web server and UNC server are on the same domain.
> > > > > > > > Using 'Integrated Windows and Digest Authentication' on both the Intranet
> > > > > > > > site and the virtual directory on the web server.
> > > > > > > >
> > > > > > > > Problem:
> > > > > > > > When trying to access a file on the virtual directory from outside the
> > > > > > > > domain or on the domain I get the following message "You are not authorized
> > > > > > > > to view this page...
> > > > > > > > You do not have permission to view this directory or page due to the access
> > > > > > > > control list (ACL) that is configured for this resource on the web server.
> > > > > > > > HTTP error 401.3 - Unauthorized: Access is denied due to an ACL set on the
> > > > > > > > requested resource (IIS).
> > > > > > > >
> > > > > > > > If I access a file on the UNC from within the domain without using the
> > > > > > > > virtual dir I have no problems. If I access a file on the UNC from outside
> > > > > > > > the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> > > > > > > > make sure the path or internet address is correct.
> > > > > > > >
> > > > > > > > Any direction or insight would be appreciated!
> > > > > > > > --
> > > > > > > > Dave
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > >
> > >
>
>
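The link hygiene David Wang recommends in this thread (no file:// or \\flnas01 links in pages that must work from the Internet, root-relative /unc-vdir/... links instead of dotted-IP absolute URLs that force a login prompt, "/" rather than "\" in URLs, and no parent paths) can be checked mechanically before a page is published. The following script is an added example, not code from the thread, from IIS, or from Microsoft. It assumes the vdir is named /Public and fronts \\flnas01\public (the thread only shows "/Public goes to \\flnas01\..."; the share name is an assumption), uses a constructed sample page, and stands in 203.0.113.10 (a documentation address) for "public.webserver.IP.address":

```python
r"""Audit the links in a web page for the problems discussed in this thread.

Added example, not code from the thread, from IIS, or from Microsoft.
Assumptions (not stated in the thread): the UNC vdir is named /Public and
maps to \\flnas01\public (the thread only shows "/Public goes to
\\flnas01\..."), and IE's default zone behaviour is as David Wang
describes it (dotted-IP host = Internet Zone, so no auto-login).
"""
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed mapping from UNC share prefix to the IIS vdir that fronts it.
VDIR_MAP = {r"\\flnas01\public": "/Public"}

DOTTED_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample page; 203.0.113.10 is a documentation address standing in
# for "public.webserver.IP.address" in the thread.
SAMPLE_HTML = r"""
<ul>
 <li><a href="\\flnas01\public\Contacts\list.doc">UNC link</a></li>
 <li><a href="file://\\flnas01\public\Contacts\list.doc">file: link</a></li>
 <li><a href="http://203.0.113.10/Public\Contacts\list.doc">dotted IP, backslashes</a></li>
 <li><a href="../Public/Contacts/list.doc">parent path</a></li>
 <li><a href="/Public/Contacts/list.doc">root-relative, fine</a></li>
</ul>
"""


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def extract_hrefs(html):
    """Return every <a href> value in document order."""
    collector = _HrefCollector()
    collector.feed(html)
    return collector.hrefs


def audit_href(href, page_path):
    """Check one href; return (findings, suggested_href).

    findings is empty when the link is already a clean root-relative URL.
    suggested_href is None when no vdir mapping covers the share.
    """
    findings = []
    fixed = href.strip()

    # 1. file:// and \\server links only resolve inside the domain and
    #    expose the NAS name to everyone who reads the page source.
    unc = None
    if fixed.lower().startswith("file:"):
        rest = fixed[5:].lstrip("/").lstrip("\\").replace("/", "\\")
        unc = "\\\\" + rest
    elif fixed.startswith("\\\\"):
        unc = fixed
    if unc is not None:
        findings.append("UNC/file link: unreachable from the Internet and leaks the NAS name")
        for share, vdir in VDIR_MAP.items():
            if unc.lower().startswith(share.lower()):
                return findings, vdir + unc[len(share):].replace("\\", "/")
        findings.append("no vdir mapping for this share")
        return findings, None

    # 2. "\" is the Windows directory separator, not a URL segment separator.
    if "\\" in fixed:
        findings.append('backslash in URL: use "/" as the segment separator')
        fixed = fixed.replace("\\", "/")

    # 3. An absolute URL with a dotted-IP host lands in the Internet Zone,
    #    so even intranet users get a login prompt; a relative URL inherits
    #    the zone of the page that linked to it.
    parts = urlsplit(fixed)
    if parts.scheme in ("http", "https") and DOTTED_IP.match(parts.hostname or ""):
        findings.append("absolute dotted-IP URL: forces a login prompt from the intranet")
        fixed = parts.path or "/"
        if parts.query:
            fixed += "?" + parts.query

    # 4. Parent paths break when the page moves; resolve to a root-relative path.
    if fixed.startswith("../") or "/../" in fixed:
        findings.append("parent path (../): use a root-relative path")
        fixed = posixpath.normpath(posixpath.join(posixpath.dirname(page_path), fixed))

    return findings, fixed


def audit_page(html, page_path):
    """Audit every link on a page; page_path is the page's own URL path."""
    return [
        {"href": h, "findings": f, "suggested": s}
        for h in extract_hrefs(html)
        for f, s in [audit_href(h, page_path)]
    ]


if __name__ == "__main__":
    for row in audit_page(SAMPLE_HTML, "/staff/index.htm"):
        status = "; ".join(row["findings"]) or "ok"
        print(f'{row["href"]}\n    -> {row["suggested"]}  [{status}]')
```

Run against a page's own path (here /staff/index.htm) so that parent paths resolve correctly; every link in the sample rewrites to the same root-relative /Public/Contacts/list.doc, which is the form that auto-logins on the intranet and prompts once on the Internet, and never names the NAS.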
Re: Virtual Directory to a remote UNC not working properly
on 22.11.2006 22:36:47 by David Wang
I recommend that you use:
Because it:
1. matches up with your actual URL. I recommend against using parent
paths (../ ).
2. Please use "/" instead of "\" (which was originally in front of
"Contacts") in a URL
It is a common mistake, and some programs will automatically flip "\"
to "/" (and vice versa) depending on situation, but not all programs.
So it is a good habit to know.
Basically, "\" is commonly used as the Windows directory separator, so
it only applies when you are providing a name for a File on a Windows
machine. "/" is commonly used as the URL segment separator as well as
on filesystems on Unix or Linux.
In this case, you are providing a name for URL. Thus you should use "/"
and not "\".
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
dhoops wrote:
> David,
>
> Disregard my prior email...
>
> I have resolved my issue... The following xml code resolves the login issue
> both from the internet and intranet...
>
>
>
> This uses the unc-vdir path and references back to the root of the default
> site, which works for both the intranet and internet. Thanks for all your
> help!
>
> Have a good holiday!
>
> --
> Dave
>
>
> "David Wang" wrote:
>
> > The reason you get a login popup from Intranet is because browsers do
> > not auto-login to Internet address by default.
> >
> > What is going on is this:
> > - From Internet - when you access http://public.webserver.ip/ , the web
> > browser does not auto-login by default and pops up the login dialog box.
> > After logging in, it eventually accesses a page with a NAS URL that looks
> > like http://public.webserver.ip/UNC-vdir/SomeFile.ext , which falls
> > under the authentication to http://public.webserver.ip/ , hence no
> > additional logins.
> > - From Intranet - when you access http://internalWebServerIP/ , the web
> > browser auto-logins by default for Intranet. After logging in, it
> > eventually accesses a page with a NAS URL that looks like
> > http://public.webserver.ip/UNC-vdir/SomeFile.ext . This dotted address
> > is in the Internet Zone by default and the browser does not auto-login, thus
> > you get a login dialog box.
> >
> > In other words, using a NAS URL of
> > http://public.webserver.ip/UNC-vdir/SomeFile.ext will always require a
> > login dialog box regardless of where the user came from BECAUSE it is
> > considered a dotted IP-address and a part of Internet Zone which does
> > not auto-login.
> >
> > I do not understand why you do not create NAS URLs using relative links
> > that look like:
> >
> >
> > Because that is no longer a dotted-IP address and would fall under
> > auto-login in Intranet and manual login on Internet.
> >
> >
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
> >
> >
> >
> > dhoops wrote:
> > > David,
> > >
> > > I have broken through! Woo Hoo!!
> > >
> > > My current authentication method on the Web Server is only set to Integrated
> > > Windows and I have configured Active directory to have the Web Server
> > > delegate for all protocols...
> > >
> > > When I tested from an outside address I only had to logon to the site and
> > > then accessing the file on the nas drive worked with no additional logon.
> > >
> > > When I tested internally I did not have to logon to the site, but when I
> > > accessed the file on the nas drive I had to logon with my username and
> > > password to access the file... I said save my password and from that point on
> > > I did not have to logon again from the Intranet (internally).
> > >
> > > Will other users have to do this or is there a config setting I can employ
> > > to avoid having a logon dialog pop-up when accessing nas files from the
> > > intranet???
> > >
> > > Thanks.
> > > --
> > > Dave
> > >
> > >
> > > "David Wang" wrote:
> > >
> > > > 1. Yes. Syntax works as
> > > > http://server-to-communicate-HTTP-with/virtual-URI
> > > >
> > > > So, you should give the public IP of the webserver handling the Website
> > > > containing the UNC Vdir, and then the vdir mapping you provided
> > > > (/Public goes to \\flnas01\...), and then the rest of the directory
> > > > structure follows from that vdir mapping.
> > > >
> > > > 2. Read the NAS and IIS6 URL of my prior email. It has all necessary
> > > > configuration details and links on how to configure
> > > >
> > > >
> > > > //David
> > > > http://w3-4u.blogspot.com
> > > > http://blogs.msdn.com/David.Wang
> > > > //
> > > >
> > > >
> > > > dhoops wrote:
> > > > > David,
> > > > >
> > > > > Thanks for all this great info! I do have a couple of questions for clarity
> > > > > sake:
> > > > >
> > > > > 1. When connecting to the NAS file via
> > > > > 'http://public.webserver.IP.address/unc-vdir/blahblahblah links' ... Should
> > > > > I actually be entering the following:
> > > > > 'http://public.webserver.IP.address,(where address is ip address of the
> > > > > webserver)/unc-vdir,where unc-vdir is the name I give the unc-vdir on IIS
> > > > > such as 'Public'/then the rest of the path on the NAS drive ?
> > > > >
> > > > > 2. Since we have active directory setup on our network you said all I need
> > > > > to do is configure 'Protocol Transitioning' and then I can use any
> > > > > authentication protocol on IIS... Where do I configure 'Protocol
> > > > > Transitioning' ?
> > > > >
> > > > > Thanks-Dave
> > > > > --
> > > > > Dave
> > > > >
> > > > >
> > > > > "David Wang" wrote:
> > > > >
> > > > > > Thanks for the info. Some more requirements need to be gathered before
> > > > > > determining the correct configuration.
> > > > > >
> > > > > > - Your web pages cannot contain file:// or \\flnas01 links if you want
> > > > > > it to work from Internet.
> > > > > >
> > > > > > If your web page MUST contain file:// or \\flnas01 links, then you will
> > > > > > need to open more holes in the firewall to allow RPC and UNC ports as
> > > > > > well as publish your flnas01 server to be accessible via the Internet.
> > > > > > Obviously, this sort of web page does NOT do what you want - make files
> > > > > > on NAS server available via Web Server (instead, it is making your NAS
> > > > > > server available via the Internet because your Web Server exposed its
> > > > > > name), and this approach is also heavily discouraged due to security
> > > > > > concerns.
> > > > > >
> > > > > > It is easier and safer to configure a UNC vdir on IIS to point to
> > > > > > \\flnas01 UNC shares on NAS, and for your web pages to use
> > > > > > http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD
> > > > > > OF \\flnas01 links). This single page will work from both Intranet and
> > > > > > Internet with minimal security concerns.
> > > > > >
> > > > > > If you do the above, but you want to optimize Intranet traffic to not
> > > > > > go through http://public.webserver.IP.address/unc-vdir, then you should
> > > > > > create two websites, one internal and the other external. This takes
> > > > > > more effort to maintain, and your router may not be smart enough to
> > > > > > support it.
> > > > > > - Internal website: web page uses \\flnas01 links, and bound to
> > > > > > http://internalWebServer
> > > > > > - External website: web page uses
> > > > > > http://public.webserver.IP.address/unc-vdir links, and bound to
> > > > > > http://public.webserver.IP.address
> > > > > >
> > > > > >
> > > > > > - In order for a vdir pointing to UNC share to work, it has to use an
> > > > > > Authentication protocol that supports Delegation. NTLM/Digest do not,
> > > > > > so your current failure is by-design. Choice of each protocol has its
> > > > > > plus and minus, and correct choice depends on your needs. The following
> > > > > > URL provides an excellent background and motivation:
> > > > > >
> > > > > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
> > > > > >
> > > > > > Applying that knowledge to your particular needs:
> > > > > > - Anonymous authentication works, but it means ALL users accessing
> > > > > > NAS server via the web server appear as the configured Anonymous User
> > > > > > on IIS, preventing repudiation (i.e. auditing who accessed what files
> > > > > > on the NAS). You may not care about the auditing, in which case
> > > > > > Anonymous authentication is easiest.
> > > > > > - Basic authentication works, but it passes username/password in the
> > > > > > clear, so you must protect it with SSL. This means you have to purchase
> > > > > > an SSL Server Certificate and maintain it. If you control all Web
> > > > > > Browsers used by your users, you can avoid paying for SSL Server
> > > > > > Certificate by creating your own SSL Certificate and inserting it into
> > > > > > the Trusted Root Store of all Web Browser machines (remember, you can
> > > > > > do this because you control all Web Browsers - if you do not control
> > > > > > all Web Browsers of your users, this approach does not work
> > > > > > effectively).
> > > > > > - Kerberos works, but it requires setting up Active Directory and
> > > > > > configuring Delegation.
> > > > > >
> > > > > > Since you want the solution to work both for Internet and Intranet, the
> > > > > > following choices are simplest:
> > > > > > - If you want to expose NAS over Web Server and you do not care to know
> > > > > > what user accessed which files (i.e. any user can access any file on
> > > > > > the NAS), then use Anonymous Authentication on IIS, configure its
> > > > > > Anonymous User to be a user that you also ACL the NAS UNC share.
> > > > > > - If you want to expose NAS over Web Server and you DO care about which
> > > > > > user access which files (i.e. users can only access the files ACL'd to
> > > > > > them on the NAS), then use Basic over SSL
> > > > > > - If you want to expose NAS over Web Server, you care about which user
> > > > > > access which files, and you have an Active Directory already, then
> > > > > > configure Protocol Transitioning and you can use any authentication
> > > > > > protocol on IIS (including NTLM).
> > > > > >
> > > > > > There are other solutions, of more complexity, offering different
> > > > > > security-based tradeoffs.
> > > > > >
> > > > > >
> > > > > > //David
> > > > > > http://w3-4u.blogspot.com
> > > > > > http://blogs.msdn.com/David.Wang
> > > > > > //
> > > > > >
> > > > > >
> > > > > >
> > > > > > dhoops wrote:
> > > > > > > David,
> > > > > > >
> > > > > > > Thanks for the reply. What you wrote below is exactly what I am trying to
> > > > > > > do... ie Make files from the NAS file server available to users on the inside
> > > > > > > on the (Intranet) and from the outside on the (Internet) via our web server
> > > > > > > in general... These files are linked through pages on the web site.
> > > > > > >
> > > > > > > It appears my security is not set up correctly?
> > > > > > >
> > > > > > > --
> > > > > > > Dave
> > > > > > >
> > > > > > >
> > > > > > > "David Wang" wrote:
> > > > > > >
> > > > > > > > Can you describe what you are trying to do so that we can help you with
> > > > > > > > correct configuration? It sounds like you have a web server and a NAS
> > > > > > > > file server in your Intranet, and you are trying to make the files on
> > > > > > > > the NAS file server available via the web server, to people both inside
> > > > > > > > your Intranet and on the Internet.
> > > > > > > >
> > > > > > > > The behaviors you describe are actually all normal and by-design.
> > > > > > > >
> > > > > > > > > When trying to access a file on the virtual directory from outside the
> > > > > > > > > domain or on the domain I get the following message "You are not authorized
> > > > > > > > > to view this page...
> > > > > > > > This is because of "double hop" using NTLM with a UNC Virtual
> > > > > > > > Directory. Lots of people hit this, and there are well documented ways
> > > > > > > > to make this scenario work. Please search for those solutions.
> > > > > > > >
> > > > > > > >
> > > > > > > > > If I access a file on the UNC from within the domain without using the
> > > > > > > > > virtual dir I have no problems. If I access a file on the UNC from outside
> > > > > > > > > the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> > > > > > > > > make sure the path or internet address is correct.
> > > > > > > > This is because the name "flnas01" is not known to the computer/browser
> > > > > > > > outside the domain.
> > > > > > > >
> > > > > > > > If you got that error by clicking on a link on a web page, it means
> > > > > > > > your web page content is incorrect because it has a UNC file reference
> > > > > > > > (which is valid only on the Intranet OR if you expose the flnas01
> > > > > > > > server to the entire world outside your domain). If you want the web
> > > > > > > > page to work outside the domain, you will have to find a suitable way
> > > > > > > > to expose your flnas01 server outside the domain, which may not be what
> > > > > > > > you want.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > //David
> > > > > > > > http://w3-4u.blogspot.com
> > > > > > > > http://blogs.msdn.com/David.Wang
> > > > > > > > //
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > dhoops wrote:
> > > > > > > > > Setup:
> > > > > > > > > IIS 6.0, Windows 2003 sp1 server.
> > > > > > > > > Web server and UNC server are on the same domain.
> > > > > > > > > Using 'Integrated Windows and Digest Authentication on both the Intranet
> > > > > > > > > site and the virtual directory on the web server.
> > > > > > > > >
> > > > > > > > > Problem:
> > > > > > > > > When trying to access a file on the virtual directory from outside the
> > > > > > > > > domain or on the domain I get the following message "You are not authorized
> > > > > > > > > to view this page...
> > > > > > > > > You do not have permission to view this directory or page due to the access
> > > > > > > > > control list (ACL) that is configured for this resource on the web server.
> > > > > > > > > HTTP error 401.3 - Unauthorized: Access is denied due to an ACL set on the
> > > > > > > > > requested resource (IIS).
> > > > > > > > >
> > > > > > > > > If I access a file on the UNC from within the domain without using the
> > > > > > > > > virtual dir I have no problems. If I access a file on the UNC from outside
> > > > > > > > > the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> > > > > > > > > make sure the path or internet address is correct.
> > > > > > > > >
> > > > > > > > > Any direction or insight would be appreciated!
> > > > > > > > > --
> > > > > > > > > Dave
> > > > > > > >
> > > > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> >
> >
Re: Virtual Directory to a remote UNC not working properly
on 27.11.2006 15:26:01 by dhoops
David,
Thanks for the feedback!
I will implement your suggestions to make the site more global and not just
Windows-oriented.
In addition, I want to thank you for your help and direction on this entire
security project. You greatly simplified things for me.
--
Dave
"David Wang" wrote:
> I recommend that you use:
>
>
> Because it:
> 1. matches up with your actual URL. I recommend against using parent
> paths (../ ).
> 2. Please use "/" instead of "\" (which was originally in front of
> "Contacts") in a URL
>
> It is a common mistake, and some programs will automatically flip "\"
> to "/" (and vice versa) depending on situation, but not all programs.
> So it is a good habit to know.
>
> Basically, "\" is commonly used as the Windows directory separator, so
> it only applies when you are providing a name for a File on a Windows
> machine. "/" is commonly used as the URL segment separator as well as
> on filesystems on Unix or Linux.
>
> In this case, you are providing a name for a URL. Thus you should use "/"
> and not "\".
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
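As an added example (not code from the thread, from dhoops or from David Wang), a small Python audit that scans a page's links for the forms this thread advises against when files are published through an IIS UNC virtual directory: backslashes used as URL separators, parent paths (../), file:// or \\server UNC references that only resolve inside the domain, and absolute URLs with a dotted-IP host that Internet Explorer places in the Internet Zone (so no automatic login). The sample HTML, the vdir name "Public", and the hosts "203.0.113.10" and "intranetweb" are constructed assumptions, not values from the thread.

```python
"""Audit href/src values in an HTML page for link forms that break a site
served through an IIS UNC virtual directory (see the thread's advice on
using "/" not "\\", avoiding parent paths, file:// and UNC references, and
dotted-IP absolute URLs)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample page, not content from the thread; the vdir name
# "Public" and the host names are assumptions.
SAMPLE_HTML = r"""
<a href="/Public/Contacts/list.pdf">relative path, forward slashes (fine)</a>
<a href="\Public\Contacts\list.pdf">backslash separators (wrong in a URL)</a>
<a href="../Public/Contacts/list.pdf">parent path (discouraged)</a>
<a href="file://\\flnas01\share\doc.pdf">file:// UNC reference (fails off-domain)</a>
<a href="\\flnas01\share\doc.pdf">bare UNC reference (fails off-domain)</a>
<a href="http://203.0.113.10/Public/doc.pdf">dotted-IP absolute URL (login prompt)</a>
<a href="http://intranetweb/Public/doc.pdf">hostname absolute URL (fine)</a>
"""

IPV4_HOST = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


class _LinkCollector(HTMLParser):
    """Collect href/src attribute values from the tags that carry links."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link", "img", "script", "iframe"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.links.append(value)


def link_issues(href):
    """Return the list of problems found in one link value (empty if clean)."""
    issues = []
    h = href.strip()
    low = h.lower()
    if low.startswith("file:") or h.startswith("\\\\"):
        # Resolvable only where the NAS name is known, i.e. inside the domain.
        issues.append("unc-or-file")
    elif "\\" in h:
        # "\" is the Windows path separator, not a URL segment separator.
        issues.append("backslash")
    if h.startswith("../") or "/../" in h:
        issues.append("parent-path")
    if low.startswith(("http://", "https://")):
        host = urlsplit(h).hostname or ""
        if IPV4_HOST.match(host):
            # A dotted-IP host lands in IE's Internet Zone: no auto-login.
            issues.append("dotted-ip-host")
    return issues


def suggest_fix(href):
    """Mechanical fix where one exists: flip the separators of a link whose
    only problem is backslashes. Other problems need the link rewritten to
    go through the vdir, which is a content decision, so None is returned."""
    if link_issues(href) == ["backslash"]:
        return href.strip().replace("\\", "/")
    return None


def audit_html(html):
    """Map every problematic link in the page to its list of issues."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href in collector.links:
        issues = link_issues(href)
        if issues:
            report[href] = issues
    return report


if __name__ == "__main__":
    for href, issues in audit_html(SAMPLE_HTML).items():
        fix = suggest_fix(href)
        print(f"{href!r}: {', '.join(issues)}" + (f" -> {fix}" if fix else ""))
```

Run it against exported page content before publishing; the "unc-or-file" and "dotted-ip-host" findings are the ones that cause the off-domain "Cannot find" errors and the extra login prompts described in the thread, while "backslash" links are the only ones the script can rewrite on its own.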
Re: Virtual Directory to a remote UNC not working properly
on 28.11.2006 01:51:00 by David Wang
No problems. Glad to be able to help.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
dhoops wrote:
> David,
>
> Thanks for the feedback!
>
> I will implement your suggestions to make the site more global and not just
> Windows-oriented.
>
> In addition, I want to thank you for your help and direction on this entire
> security project. You greatly simplified things for me.
> --
> Dave