UNC Virtual Directories; NTFS permission authentication not accept
on 04.04.2007 16:42:05 by JasonCarter
This one is driving me crazy. Here is the environment:
I have one web server, Windows 2003 R2; IIS 6.0, and a file server running
Windows 2003 R2. Both servers are part of a Windows 2003 native Active
Directory domain.
Virtual directories have been created on the web server pointing to a UNC
share: \\hrfile1\https clients\xxxx. Permissions on the https clients share
and the xxxx directory are locked down using NTFS permissions and the virtual
directory is set up with a "connect as" username or password instead of asking
for credentials. SSL is required, anonymous access is unchecked, integrated
Windows authentication is checked. In addition, hrweb1 is set up for
delegation to hrfile1 for the HOST and cifs services.
The problem I have is that every time I access the site I am prompted for my
username and password, but even though I enter a username/password that is
authorized, the login screen keeps popping back up. I have created test
directories where share and NTFS permissions are set to EVERYONE - Full
control and still get prompted over and over for credentials.
If I use the "connect as" option, I am prompted for credentials and allowed
in, but once in I can browse to any folder, even ones that I am not allowed
access to, so that is not an option.
If anyone can help me out, I would really appreciate it.
It may not matter, but the web server is part of a network load balanced
system, though I am not testing with the nlb address, just the local address
on one system.
RE: UNC Virtual Directories; NTFS permission authentication not accept
on 05.04.2007 22:56:05 by JasonCarter
Just an update here, I found a solution, though it is not what I expected.
Everything I read said that I needed to add the Delegation rights from the
web server to the file server (HOST and cifs). This turned out to be the
problem. Once I removed those delegation rights AND removed the Integrated
Windows Authentication option (leaving only Basic Authentication checked) the
system worked like I had hoped, authenticating based on the NTFS
permissions of the folder the UNC path was pointing to.
This works fine for me since the SSL is required on all connections.
Thanks to anyone who took a look at this and tried to help!!
Re: UNC Virtual Directories; NTFS permission authentication not accept
on 06.04.2007 01:30:17 by David Wang
While I am happy that you have found a solution to your situation, I
have to say that Delegation is NOT the problem. And using Basic over
SSL is NOT necessarily the correct solution.
Basic over SSL is basically the "I give up because I don't understand
delegation" solution because it is insecure, though in your situation
you are using a non-important ConnectAs user whose delegation
properties you do not need to secure.
In other words, Basic/SSL is a passable workaround for your needs, but
it is definitely not the correct solution for the general issue of
delegation which surfaces as soon as you want users to use your web
server to access resources on another server.
What OS is providing the CIFS file services?
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: UNC Virtual Directories; NTFS permission authentication not ac
on 06.04.2007 06:08:03 by JasonCarter
Every server is Windows 2003 R2 (web and file server).
I had delegation enabled on the web server to the file server for the HOST
and cifs services in a Windows 2003 native mode active directory.
I am interested in knowing what you think should have been done differently.
I am all for securing the data as much as possible, as long as it works.
Thank you for your response.
Re: UNC Virtual Directories; NTFS permission authentication not ac
on 06.04.2007 06:56:05 by Ken Schaefer
If you want Kerberos delegation to work, you need to have everything set up
correctly end-to-end.
The browser must authenticate using Kerberos, which means that both IE must
attempt Kerberos *and* the relevant server SPNs must be created/set
correctly. In an NLB scenario, you'd need to run your worker process under a
domain account, and register the virtual hostname that the end user is going
to use as an SPN under that domain account. The following may be helpful in
getting this working:
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx
IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
Cheers
Ken
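
Added example, not part of any post in this thread: a simplified Python model of the end-to-end checks described above (the SPN for the hostname the user browses to must sit on the account the worker process runs as, and that account must hold the delegation right to the file server). The domain account EXAMPLE\svc-web and the NLB name clients.example.test are constructed; hrweb1 and hrfile1 are the hosts named in the thread.

```python
# Added example: a simplified model of the end-to-end Kerberos delegation checks.
# Account names and the NLB hostname are constructed; hrweb1/hrfile1 come from the thread.

def spn_owners(directory, service, host):
    """Accounts that hold service/host. HOST/host counts as an alias,
    which is how AD treats built-in services such as http and cifs."""
    wanted = {f"{service}/{host}".lower(), f"host/{host}".lower()}
    return sorted(acct for acct, spns in directory.items()
                  if wanted & {s.lower() for s in spns})

def check_delegation(directory, url_host, worker_account, delegate_to, backend_spn):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    owners = spn_owners(directory, "HTTP", url_host)
    if not owners:
        problems.append(f"no account holds HTTP/{url_host}")
    elif len(owners) > 1:
        problems.append(f"HTTP/{url_host} is duplicated on {', '.join(owners)}")
    elif owners[0].lower() != worker_account.lower():
        problems.append(f"HTTP/{url_host} is on {owners[0]}, not on {worker_account}")
    allowed = {s.lower() for s in delegate_to.get(worker_account, [])}
    if backend_spn.lower() not in allowed:
        problems.append(f"{worker_account} may not delegate to {backend_spn}")
    return problems

# Constructed directory: computer accounts carry only their default HOST SPN.
DIRECTORY = {
    "HRWEB1$": ["HOST/hrweb1"],
    "HRFILE1$": ["HOST/hrfile1"],
    "EXAMPLE\\svc-web": [],
}
# Delegation granted to the web server's computer account, as in the thread.
DELEGATE_TO = {"HRWEB1$": ["HOST/hrfile1", "cifs/hrfile1"]}

def nlb_before():
    # Worker process moved to a domain account, nothing else changed.
    return check_delegation(DIRECTORY, "clients.example.test",
                            "EXAMPLE\\svc-web", DELEGATE_TO, "cifs/hrfile1")

def nlb_after():
    # SPN for the virtual hostname and the delegation right both sit on the domain account.
    directory = {**DIRECTORY, "EXAMPLE\\svc-web": ["HTTP/clients.example.test"]}
    delegate_to = {"EXAMPLE\\svc-web": ["cifs/hrfile1"]}
    return check_delegation(directory, "clients.example.test",
                            "EXAMPLE\\svc-web", delegate_to, "cifs/hrfile1")

if __name__ == "__main__":
    for label, result in (("before", nlb_before()), ("after", nlb_after())):
        print(label, result or "consistent")
```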