401.3 When Accessing Remote UNC Share


on 27.10.2007 07:51:49 by GTUser

I've been trying to figure out the following issue for a few days with
no luck. There are two servers involved, both are standalone servers
(no domain):

WebServer - Windows 2003 R2
FileServer - Windows 2000 SP4

From the WebServer I've created a new Virtual Directory, and specified
a UNC path on the FileServer. I then specify an Account to use when
accessing the UNC. This account exists on both the WebServer and
FileServer with the same password. Accessing the UNC from Windows
Explorer works flawlessly. Trying to access the UNC through a browser
results in the following:

If the UNC Username and password has no prefix, I get error 500
If I specify \\WebServer\Username along with the password I get a
401.3 error
If I specify \\FileServer\Username along with the password I get
another error 500

I've verified that the UNC username exists in the Metabase. If I
disable the UNC username/password, and check the box to use the
current credentials (with basic Authentication checked) I am prompted
with a login screen. Entering the account in there (or even one of
the admin accounts) results in a 401.3 error after a few attempts.

Using the exact same credentials to access the file share from outside
IIS is working. I'm stuck for ideas, as neither computer is in a
domain so Delegation can't be an issue. Is there something simple I'm
missing?

Re: 401.3 When Accessing Remote UNC Share

on 27.10.2007 08:26:44 by GTUser


Incidentally, a ProcessMon reveals the following:

Access Denied when trying to access \\FileServer\Share. Going deeper
it shows the impersonating account as \\WebServer\User, and the User
under process as "NT Authority\System" (App Pool is using Local System
for troubleshooting).

Is the fact that the account appears to be impersonated causing any
issues?

Re: 401.3 When Accessing Remote UNC Share

on 27.10.2007 09:17:42 by Steve Schofield

Impersonation uses the IUSR account (anonymous). If not, the application
pool user is used. You need to have either network service, then grant the
calling web service account access to the content or use a custom user. As
far as I know, SYSTEM won't work. I've never tested SYSTEM as the app pool
user and UNC content.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx


--

Best regards,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

http://www.IISLogs.com
Log archival solution.
Install, Configure, Forget


Re: 401.3 When Accessing Remote UNC Share

on 27.10.2007 18:28:52 by GTUser


Thanks Steve, but I've tried using the Generic App Pool with the same
results. I'm specifying the credentials in the properties of the
Virtual Directory where it allows me to always use a specific user;
additionally, I've granted these rights on the destination UNC share.

Is there anything else I need to do? Should it matter that a
ProcessMon shows that I'm trying to access the remote share as
WebUser\Username and not FileServer\Username? Netmon shows that the request
is making it to the FileServer, but I'm not sure if IIS is passing the
correct credentials, or why I'm getting an access denied error. Is
there anything equivalent to delegation that needs to be turned on in
a non-domain?

Re: 401.3 When Accessing Remote UNC Share

on 29.10.2007 18:09:55 by Steve Schofield

Take a look at the article I wrote, maybe it'll point you in the right
direction. Running Filemon on the web server and remote file server can
help determine if there is an NTFS folder issue. Make sure the Share
permissions are set up correctly or this could prohibit it from working.

http://iislogs.com/articles/23/

--

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield
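
One way to separate the share-logon step from the folder-permission step discussed in this thread, as an added example that is not part of the original posts: a cmd batch file run on WebServer. The site ID and virtual directory name are placeholder assumptions; the share and account names are the ones used in the thread.

```batch
@echo off
rem Added example, not from the thread. Run on WebServer from a cmd prompt.
setlocal

rem Assumptions: replace with the real site ID and virtual directory name.
set SITE_ID=1
set VDIR_NAME=VDIR_NAME_PLACEHOLDER
rem Names as used in the thread.
set SHARE=\\FileServer\Share
set ACCOUNT=FileServer\Username
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem 1. Show what IIS has stored for this virtual directory in the metabase:
rem    the UNC path and the account it will present to the file server.
cscript //nologo "%ADSUTIL%" get W3SVC/%SITE_ID%/ROOT/%VDIR_NAME%/Path
cscript //nologo "%ADSUTIL%" get W3SVC/%SITE_ID%/ROOT/%VDIR_NAME%/UNCUserName

rem 2. Drop any existing session to the share so the test below is not
rem    silently satisfied by the interactive user's own credentials.
net use %SHARE% /delete >nul 2>&1

rem 3. Log on to the share with the explicit account (password is prompted).
rem    A failure here is an authentication or share-permission problem.
net use %SHARE% * /user:%ACCOUNT%
if errorlevel 1 (
    echo Logon to %SHARE% as %ACCOUNT% failed.
    goto :eof
)

rem 4. List the content. A failure here, after a successful logon, points
rem    at the NTFS ACL on the shared folder rather than at the logon.
dir %SHARE%
if errorlevel 1 echo Logon succeeded but listing was denied: check the NTFS ACL.

rem 5. Clean up the test session.
net use %SHARE% /delete

rem On FileServer, compare both permission layers for the same account:
rem    cacls LOCAL_FOLDER_BEHIND_THE_SHARE     (NTFS ACL; placeholder path)
rem    Share permissions: folder Properties, Sharing tab, Permissions.
endlocal
```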
