Server 2003 NTFS security for MP3 files doesn't work
on 16.06.2007 00:02:00 by SteveinSantaRosa
I am setting up a 2003 server to replace a 2000 server. I have transferred
an IIS web site and set it up identically. Part of the site is secured by
NTFS file and folder permissions. All of the content in the protected part
of the site is accessible to users with proper permissions as expected,
except for MP3 files, which generate a "Windows Media Player cannot access
the file" error 0xC00D11D2. The problem only occurs with MP3 files. This
configuration was working on the 2000 server.
If I add the Users group to the permissions for the protected part of the
site, it works (probably because it indirectly contains the IIS anonymous
accounts), but that eliminates the desired security. There is some right or
permission associated with the Users group that allows access to MP3 files,
but I don't know what it is.
I have tried turning on (and off) integrated Windows authentication, to try
basic authentication; no difference. I also tried turning Windows Media
Server off on the 2003 server (which matches the 2000 server configuration).
I suspected WMS required the anonymous IIS accounts and was therefore
preventing NTFS permissions from working. That didn't solve the problem.
Any help would be appreciated.
Re: Server 2003 NTFS security for MP3 files doesn't work
on 17.06.2007 02:56:14 by David Wang
On Jun 15, 3:02 pm, Steve in Santa Rosa wrote:
> I am setting up a 2003 server to replace a 2000 server. I have transferred
> an IIS web site and set it up identically. Part of the site is secured by
> NTFS file and folder permissions. All of the content in the protected part
> of the site is accessible to users with proper permissions as expected,
> except for MP3 files, which generate a "Windows Media Player cannot access
> the file" error 0xC00D11D2. The problem only occurs with MP3 files. This
> configuration was working on the 2000 server.
>
> If I add the Users group to the permissions for the protected part of the
> site, it works (probably because it indirectly contains the IIS anonymous
> accounts), but that eliminates the desired security. There is some right or
> permission associated with the Users group that allows access to MP3 files,
> but I don't know what it is.
>
> I have tried turning on (and off) integrated Windows authentication, to try
> basic authentication; no difference. I also tried turning Windows Media
> Server off on the 2003 server (which matches the 2000 server configuration).
> I suspected WMS required the anonymous IIS accounts and was therefore
> preventing NTFS permissions from working. That didn't solve the problem.
>
> Any help would be appreciated.
IIS does not do anything special regarding MP3 files.
How exactly are you accessing the MP3 file to result in "Windows Media
Player cannot access the file" error 0xC00D11D2?
In particular, are you making an HTTP request to retrieve the MP3 file
or some other protocol? What client software is used?
If IIS serviced the request, you should see evidence of the request in
its log files. Provide that.
I am suspecting that *maybe* when you retrieve MP3 files with Windows
Media Player that it tries to read some other metadata file with an
extension that is not allowed for download by IIS6 on Windows Server
2003 by default. This security restriction did not exist on static
files on Windows 2000 Server. However, this suspicion has to be proven
by ensuring the client actually made HTTP requests serviced by IIS6
and that IIS6 logs indicate rejection. Otherwise, this is just
unsubstantiated speculation.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Server 2003 NTFS security for MP3 files doesn't work
on 17.06.2007 05:06:23 by SteveinSantaRosa
The web page has a link to the MP3 files, just like links to other HTML or
PDF files that do load successfully. Thus the browser, in this case IE6,
requests the MP3 from IIS using HTTP. The IIS log for each unsuccessful
attempt to load an MP3 file shows several entries:
1) Anonymous IE6 gets status 401 for the file (usually twice), then
2) (Sometimes) anonymous WMP 9 gets status 404 for a nonexistent file with
the same name, but an extension of .smi, then
3) (Sometimes) IE6, showing the authenticated user, gets status 200 for the
original file request, then
4) Anonymous NS Player 9 gets status 206 for the original file request, and
that ends it.
The same workstation (browser, player, etc.) functions flawlessly accessing
an identical IIS 5 site on a Windows 2000 server that was copied onto the new
problem IIS 6 site. I have never seen any reference to a search for a
nonexistent .smi file (whatever that is) in the old server logs, nor is
there any reference to any such file in any of the HTML. Also, when the
"Users" group is given NTFS permissions to access the folder and files, the
same user and workstation can access the MP3 files just fine.
Re: Server 2003 NTFS security for MP3 files doesn't work
on 17.06.2007 12:12:46 by David Wang
On Jun 16, 8:06 pm, Steve in Santa Rosa wrote:
> The web page has a link to the MP3 files, just like links to other HTML or
> PDF files that do load successfully. Thus the browser, in this case IE6,
> requests the MP3 from IIS using HTTP. The IIS log for each unsuccessful
> attempt to load an MP3 file shows several entries:
>
> 1) Anonymous IE6 gets status 401 for the file (usually twice), then
> 2) (Sometimes) anonymous WMP 9 gets status 404 for a nonexistent file with
> the same name, but an extension of .smi, then
> 3) (Sometimes) IE6, showing the authenticated user, gets status 200 for the
> original file request, then
> 4) Anonymous NS Player 9 gets status 206 for the original file request, and
> that ends it.
>
> The same workstation (browser, player, etc.) functions flawlessly accessing
> an identical IIS 5 site on a Windows 2000 server that was copied onto the new
> problem IIS 6 site. I have never seen any reference to a search for a
> nonexistent .smi file (whatever that is) in the old server logs, nor is
> there any reference to any such file in any of the HTML. Also, when the
> "Users" group is given NTFS permissions to access the folder and files, the
> same user and workstation can access the MP3 files just fine.
I need you to provide verbatim IIS log entries for a single user
initiated failed attempt to retrieve an MP3 in your protected website
area.
I do not understand what you are describing with steps #1-4 because
you talk about anonymous IE6, anonymous WMP, and NS Player 9, which
are three different clients (to me) and I do not understand their
relationship to the single user initiated failed attempt to retrieve an
MP3.
My suspicion is that you have custom software running on IIS5 that is
not running or malfunctioning on IIS6 to result in this behavior --
because by default, HTML, PDF, and MP3 files are all handled by the
IIS6 static file handler which treats them the same, so if your
secured part of the website also transfers those resource types
successfully, then I do not believe the issue has to do with IIS6.
The issue may be with difference in website configuration on IIS5 and
IIS6. Even if you have identical configuration, most functionality on
IIS6 is disabled while on IIS5 it is enabled, so you may have to
figure out what additional functionality you relied on IIS5 that is
not enabled by default on IIS6 -- this is reasonable for security
purposes.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
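
An added example, not code from either poster: one way to pull the entries for a single attempt out of an IIS W3C extended log and see which client sent each request and whether a user name was logged with it. It assumes the log records the fields named in the `#Fields:` line below; the sample lines, IP address, path, user name and agent strings are constructed to mirror the sequence described in the thread.

```python
import os
from collections import defaultdict

# Constructed sample in W3C extended log format, modelled on the sequence
# described in the thread; IP, path, user name and agent strings are invented.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2007-06-16 19:40:01 GET /members/talk.mp3 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401
2007-06-16 19:40:01 GET /members/talk.mp3 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 401
2007-06-16 19:40:02 GET /members/talk.smi - 192.0.2.10 Windows-Media-Player/9.00.00.3250 404
2007-06-16 19:40:03 GET /members/talk.mp3 alice 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200
2007-06-16 19:40:04 GET /members/talk.mp3 - 192.0.2.10 NSPlayer/9.0.0.3250 206
2007-06-16 19:41:10 GET /members/notes.pdf alice 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS writes spaces inside a value as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def attempt_timeline(text, client_ip, uri_stem):
    """Requests from one client for a file, or a sibling with another extension."""
    base = os.path.splitext(uri_stem.lower())[0]
    rows = []
    for r in parse_w3c(text):
        if r["c-ip"] == client_ip and os.path.splitext(r["cs-uri-stem"].lower())[0] == base:
            user = None if r["cs-username"] == "-" else r["cs-username"]  # '-' = anonymous
            agent = r["cs(User-Agent)"].split("/")[0]
            rows.append((r["time"], agent, user, r["cs-uri-stem"], int(r["sc-status"])))
    return rows

def agents_without_credentials(rows):
    """User agents for which no request was logged with a user name."""
    seen = defaultdict(set)
    for _, agent, user, _, _ in rows:
        seen[agent].add(user is not None)
    return sorted(a for a, flags in seen.items() if True not in flags)

if __name__ == "__main__":
    rows = attempt_timeline(SAMPLE_LOG, "192.0.2.10", "/members/talk.mp3")
    for row in rows:
        print(*row, sep="\t")
    print("no user name logged for:", agents_without_credentials(rows))
```
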