Virtual Directory Security

I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web site
and am using Basic Authentication for Domain users inside or outside the LAN
to access the site. This works however, the navigation of my web site is
such that the user starts in parent .htm files that are apparently using
Default Web Site authentication but I have some Virtual directories that once
accessed, ask for authentication again and will not allow access. They are
set to basic authentication also. What am I missing?

Re: Virtual Directory Security

Check that the NTFS permissions on those inaccessible
virtual folders matches what is working on the root area.
You should be aware that use of basic authentication with
those domain account is exposing the needed login information
on the traversed network, which you indicate includes external
network links.

"Rusty" wrote in message
news:86CBFBEF-211D-41F3-85BD-1124675D6A49@microsoft.com...
>I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web
>site
> and am using Basic Authentication for Domain users inside or outside the
> LAN
> to access the site. This works however, the navigation of my web site is
> such that the user starts in parent .htm files that are apparently using
> Default Web Site authentication but I have some Virtual directories that
> once
> accessed, ask for authentication again and will not allow access. They
> are
> set to basic authentication also. What am I missing?

Re: Virtual Directory Security

The NTFS permissions are all normal. Security looks the same as the security
for Default Web Page. The difference is that the problem directory is a
Virtual Directory.
1) Why is it asking me to authenticate if I already authenticated at the
Home Web Page?
2) Why can I not authenticate no matter what account I use including admin
account?

"Roger Abell [MVP]" wrote:

> Check that the NTFS permissions on those inaccessible
> virtual folders matches what is working on the root area.
> You should be aware that use of basic authentication with
> those domain account is exposing the needed login information
> on the traversed network, which you indicate includes external
> network links.
>
> "Rusty" wrote in message
> news:86CBFBEF-211D-41F3-85BD-1124675D6A49@microsoft.com...
> >I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web
> >site
> > and am using Basic Authentication for Domain users inside or outside the
> > LAN
> > to access the site. This works however, the navigation of my web site is
> > such that the user starts in parent .htm files that are apparently using
> > Default Web Site authentication but I have some Virtual directories that
> > once
> > accessed, ask for authentication again and will not allow access. They
> > are
> > set to basic authentication also. What am I missing?
>
>
>

Re: Virtual Directory Security

This is not how things should work.

If you have anonymous authentication disabled, then IIS will always ask for
credentials (for each and every page), however your browser should continue
sending the same credentials for each request (after you have authenticated
successfully on the first request).

So the potential issues are:
a) IIS is denying access, even though you are supplying credentials. I would
run FileMon (formly sysinternals tool - now available from the Microsoft
website) on the server, and see which user account is being denied access to
the file.

b) your browser is not supplying credentials at all, and is instead
prompting the user to supply credentials. You can verify this by looking in
the IIS logfiles (there should be nothing logged for the remote user cs-user
field), or by using a packet capture tool like Ethereal (aka WireShark).

Cheers
Ken


--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

"Rusty" wrote in message
news:5C80438C-4734-432E-B0DF-305A352EC9A1@microsoft.com...
> The NTFS permissions are all normal. Security looks the same as the
> security
> for Default Web Page. The difference is that the problem directory is a
> Virtual Directory.
> 1) Why is it asking me to authenticate if I already authenticated at the
> Home Web Page?
> 2) Why can I not authenticate no matter what account I use including admin
> account?
>
> "Roger Abell [MVP]" wrote:
>
>> Check that the NTFS permissions on those inaccessible
>> virtual folders matches what is working on the root area.
>> You should be aware that use of basic authentication with
>> those domain account is exposing the needed login information
>> on the traversed network, which you indicate includes external
>> network links.
>>
>> "Rusty" wrote in message
>> news:86CBFBEF-211D-41F3-85BD-1124675D6A49@microsoft.com...
>> >I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web
>> >site
>> > and am using Basic Authentication for Domain users inside or outside
>> > the
>> > LAN
>> > to access the site. This works however, the navigation of my web site
>> > is
>> > such that the user starts in parent .htm files that are apparently
>> > using
>> > Default Web Site authentication but I have some Virtual directories
>> > that
>> > once
>> > accessed, ask for authentication again and will not allow access. They
>> > are
>> > set to basic authentication also. What am I missing?
>>
>>
>>

Re: Virtual Directory Security

Please clarify what you are meaning by Virtual Directory.
This term only means that the directory does not exist within the
content tree's physical store at the location where it is made to
appear. Are you by chance also intending to mean that this
virtual is sourced from a different server? If so then we need
to verify access/authentication issues going to the remote.

"Rusty" wrote in message
news:5C80438C-4734-432E-B0DF-305A352EC9A1@microsoft.com...
> The NTFS permissions are all normal. Security looks the same as the
> security
> for Default Web Page. The difference is that the problem directory is a
> Virtual Directory.
> 1) Why is it asking me to authenticate if I already authenticated at the
> Home Web Page?
> 2) Why can I not authenticate no matter what account I use including admin
> account?
>
> "Roger Abell [MVP]" wrote:
>
>> Check that the NTFS permissions on those inaccessible
>> virtual folders matches what is working on the root area.
>> You should be aware that use of basic authentication with
>> those domain account is exposing the needed login information
>> on the traversed network, which you indicate includes external
>> network links.
>>
>> "Rusty" wrote in message
>> news:86CBFBEF-211D-41F3-85BD-1124675D6A49@microsoft.com...
>> >I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web
>> >site
>> > and am using Basic Authentication for Domain users inside or outside
>> > the
>> > LAN
>> > to access the site. This works however, the navigation of my web site
>> > is
>> > such that the user starts in parent .htm files that are apparently
>> > using
>> > Default Web Site authentication but I have some Virtual directories
>> > that
>> > once
>> > accessed, ask for authentication again and will not allow access. They
>> > are
>> > set to basic authentication also. What am I missing?
>>
>>
>>

Re: Virtual Directory Security

#1. When you enable Authentication, the Web Server *always* require
the browser to prove its identity for *every* applicable resource. The
fact that you authenticated at the Home Web Page is not relevant. It
is the web browser which must remember to automatically "prove" your
initially authenticated access at "Home Web Page" to the web server,
so that the user does not see repeated login prompts.

#2. This usually indicates an invalid server-side configuration. You
should disclose the IIS web log entries related to those 401 requests
to determine the cause.

You want to read the following blog entries to help clear up common
user misconceptions about authentication and security.

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Di agnose_IIS_401_Access_Denied.aspx

http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_D enied_to_Administrators_or_Anonymous_User.aspx


At this point, I suspect you need to tell us:
1. All authentication protocols enabled at each problematic URL
2. Are any of the vdirs pointing to UNC shares and if so, are you
using Pass-Thru Auth or specifying UNC user credentials
3. If Anonymous authentication is enabled, are the anonymous user
credentials correct.
4. The IIS Web log entry corresponding to each failed request. In
particular, I want the HTTP status, sub-status, and Win32 error codes
because they ease diagnosing the misconfiguration.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Feb 13, 7:53 am, Rusty wrote:
> The NTFS permissions are all normal. Security looks the same as the security
> for Default Web Page. The difference is that the problem directory is a
> Virtual Directory.
> 1) Why is it asking me to authenticate if I already authenticated at the
> Home Web Page?
> 2) Why can I not authenticate no matter what account I use including admin
> account?
>
>
>
> "Roger Abell [MVP]" wrote:
> > Check that the NTFS permissions on those inaccessible
> > virtual folders matches what is working on the root area.
> > You should be aware that use of basic authentication with
> > those domain account is exposing the needed login information
> > on the traversed network, which you indicate includes external
> > network links.
>
> > "Rusty" wrote in message
> >news:86CBFBEF-211D-41F3-85BD-1124675D6A49@microsoft.com...
> > >I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web
> > >site
> > > and am using Basic Authentication for Domain users inside or outside the
> > > LAN
> > > to access the site. This works however, the navigation of my web site is
> > > such that the user starts in parent .htm files that are apparently using
> > > Default Web Site authentication but I have some Virtual directories that
> > > once
> > > accessed, ask for authentication again and will not allow access. They
> > > are
> > > set to basic authentication also. What am I missing?- Hide quoted text -
>
> - Show quoted text -

Re: Virtual Directory Security

Thanks all of you. The virtual directory that worked was on the local
server. The virtual directory that was redundantly asking for authentication
was on another server. I made an entry in the "Connect As" field and all is
well.

Thanks again

"Roger Abell [MVP]" wrote:

> Please clarify what you are meaning by Virtual Directory.
> This term only means that the directory does not exist within the
> content tree's physical store at the location where it is made to
> appear. Are you by chance also intending to mean that this
> virtual is sourced from a different server? If so then we need
> to verify access/authentication issues going to the remote.
>
> "Rusty" wrote in message
> news:5C80438C-4734-432E-B0DF-305A352EC9A1@microsoft.com...
> > The NTFS permissions are all normal. Security looks the same as the
> > security
> > for Default Web Page. The difference is that the problem directory is a
> > Virtual Directory.
> > 1) Why is it asking me to authenticate if I already authenticated at the
> > Home Web Page?
> > 2) Why can I not authenticate no matter what account I use including admin
> > account?
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> Check that the NTFS permissions on those inaccessible
> >> virtual folders matches what is working on the root area.
> >> You should be aware that use of basic authentication with
> >> those domain account is exposing the needed login information
> >> on the traversed network, which you indicate includes external
> >> network links.
> >>
> >> "Rusty" wrote in message
> >> news:86CBFBEF-211D-41F3-85BD-1124675D6A49@microsoft.com...
> >> >I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web
> >> >site
> >> > and am using Basic Authentication for Domain users inside or outside
> >> > the
> >> > LAN
> >> > to access the site. This works however, the navigation of my web site
> >> > is
> >> > such that the user starts in parent .htm files that are apparently
> >> > using
> >> > Default Web Site authentication but I have some Virtual directories
> >> > that
> >> > once
> >> > accessed, ask for authentication again and will not allow access. They
> >> > are
> >> > set to basic authentication also. What am I missing?
> >>
> >>
> >>
>
>
>