Increased security on a virtual directory. Now web asking for PW

on 20.11.2007 23:20:04 by RogerSmithIII

I'm in need of some help.

We have an IIS 6 web server that offers up a multiple-page web site to
public access. We created a virtual directory tied to this web site, and
wanted to limit access to the web pages in that directory. As a result, we
locked down the NTFS security on the actual folder that the virtual directory
referenced. Meaning, we removed any access to this directory by the user
group as well as the web guest account (IUSR_xxx).

As soon as we did this, it caused the entire web site (which was freely
readable by the iusr visitor account) to prompt for a username and a password
before the public web page would even display. If the anonymous user
canceled out of this, he or she could still read the open web site.

The problem is that we can't have normal users being asked for credentials
when they have no plans to visit the virtual directory.

Why is the entire web site prompting a query for credentials before anyone
gives any indication that they're interested in the content in the virtual
directory, and is there a way to limit this query to only those who try to
access files in this place?

Thanks
Roger

Re: Increased security on a virtual directory. Now web asking for PW

on 21.11.2007 09:40:08 by David Wang

On Nov 20, 2:20 pm, Roger Smith III wrote:
> I'm in need of some help.
>
> We have an IIS 6 web server that offers up a multiple-page web site to
> public access. We created a virtual directory tied to this web site, and
> wanted to limit access to the web pages in that directory. As a result, we
> locked down the NTFS security on the actual folder that the virtual directory
> referenced. Meaning, we removed any access to this directory by the user
> group as well as the web guest account (IUSR_xxx).
>
> As soon as we did this, it caused the entire web site (which was freely
> readable by the iusr visitor account) to prompt for a username and a password
> before the public web page would even display. If the anonymous user
> canceled out of this, he or she could still read the open web site.
>
> The problem is that we can't have normal users being asked for credentials
> when they have no plans to visit the virtual directory.
>
> Why is the entire web site prompting a query for credentials before anyone
> gives any indication that they're interested in the content in the virtual
> directory, and is there a way to limit this query to only those who try to
> access files in this place?
>
> Thanks
> Roger



What you want to accomplish is possible with IIS6 by default, so let's
see what is awry with your configuration.

Can you report the Authentication method(s) configured for:
1. Your secured virtual directory
2. The root of the open website for public access

Your observation that "if the anonymous user canceled out of this, he
or she could still read the open website" tells me that the open
website on which you see the unwanted login dialog box has both Anonymous
authentication and some other authentication protocol enabled, which
is NOT what you want. This misconfiguration is the cause of your
issue.

You want the open website to have ONLY Anonymous authentication, and
the secured virtual directory to NOT have Anonymous authentication
enabled and to have some other authentication protocol enabled.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
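
The two rules in the reply above can be checked against the `AuthFlags` values stored in the IIS 6 metabase. The following is an added example, not part of the thread and not IIS code; the metabase paths and flag values are constructed, and the `private` and `docs` directory names are hypothetical.

```python
# AuthFlags bit values as defined for the IIS 6 metabase.
AUTH_BITS = {0x01: "Anonymous", 0x02: "Basic", 0x04: "IntegratedWindows",
             0x10: "Digest", 0x40: "Passport"}
ANONYMOUS = 0x01

def effective_flags(metabase, path):
    """AuthFlags is inherited: use the nearest ancestor that sets it."""
    node = path.rstrip("/")
    while node:
        if node in metabase:
            return metabase[node]
        node = node.rpartition("/")[0]
    return None

def names(flags):
    return [name for bit, name in AUTH_BITS.items() if flags & bit]

def audit(metabase, public_paths, secured_paths):
    """Return (path, problem) pairs for the two rules given in the reply."""
    findings = []
    for path in public_paths:
        flags = effective_flags(metabase, path)
        if flags is None or not flags & ANONYMOUS:
            findings.append((path, "public path does not allow Anonymous"))
        elif flags != ANONYMOUS:
            extra = names(flags & ~ANONYMOUS)
            findings.append((path, "Anonymous plus " + "+".join(extra)))
    for path in secured_paths:
        flags = effective_flags(metabase, path)
        if flags is None or flags & ANONYMOUS:
            findings.append((path, "secured path still allows Anonymous"))
        elif not names(flags):
            findings.append((path, "secured path has no authentication method"))
    return findings

# Constructed values, e.g. as read with `adsutil.vbs get <path>/AuthFlags`.
BEFORE = {"W3SVC/1/ROOT": 0x05, "W3SVC/1/ROOT/private": 0x04}
AFTER = {"W3SVC/1/ROOT": 0x01, "W3SVC/1/ROOT/private": 0x04}
PUBLIC = ["W3SVC/1/ROOT", "W3SVC/1/ROOT/docs"]   # docs inherits from ROOT
SECURED = ["W3SVC/1/ROOT/private"]

if __name__ == "__main__":
    for label, mb in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(mb, PUBLIC, SECURED))
```
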

Re: Increased security on a virtual directory. Now web asking for

on 23.11.2007 12:57:03 by RogerSmithIII

"David Wang" wrote:

> On Nov 20, 2:20 pm, Roger Smith III wrote:
> > I'm in need of some help.
> >
> > We have an IIS 6 web server that offers up a multiple-page web site to
> > public access. We created a virtual directory tied to this web site, and
> > wanted to limit access to the web pages in that directory. As a result, we
> > locked down the NTFS security on the actual folder that the virtual directory
> > referenced. Meaning, we removed any access to this directory by the user
> > group as well as the web guest account (IUSR_xxx).
> >
> > As soon as we did this, it caused the entire web site (which was freely
> > readable by the iusr visitor account) to prompt for a username and a password
> > before the public web page would even display. If the anonymous user
> > canceled out of this, he or she could still read the open web site.
> >
> > The problem is that we can't have normal users being asked for credentials
> > when they have no plans to visit the virtual directory.
> >
> > Why is the entire web site prompting a query for credentials before anyone
> > gives any indication that they're interested in the content in the virtual
> > directory, and is there a way to limit this query to only those who try to
> > access files in this place?
> >
> > Thanks
> > Roger
>
>
>
> What you want to accomplish is possible with IIS6 by default, so let's
> see what is awry with your configuration.
>
> Can you report the Authentication method(s) configured for:
> 1. Your secured virtual directory
> 2. The root of the open website for public access
>
> Your observation that "if the anonymous user canceled out of this, he
> or she could still read the open website" tells me that the open
> website on which you see the unwanted login dialog box has both Anonymous
> authentication and some other authentication protocol enabled, which
> is NOT what you want. This misconfiguration is the cause of your
> issue.
>
> You want the open website to have ONLY Anonymous authentication, and
> the secured virtual directory to NOT have Anonymous authentication
> enabled and to have some other authentication protocol enabled.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>

Your advice caused me to go looking again, and we discovered that a Perl
script was executing inside the web page, and was referencing files that were
locked down by the enhanced security. By moving the Perl files into a place
that was less protected, we solved the problem.

Thanks
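
One way to track down which public page is pulling in content from a locked-down directory is to search the IIS W3C log for 401 responses whose Referer is a public page. This is an added example, not part of the thread; the log excerpt, host name, `/private/` prefix and file names are constructed, and it assumes the protected content is requested by the browser as a sub-resource and that Referer and sub-status logging are enabled.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed IIS W3C extended log excerpt; hosts, paths and users are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status sc-substatus
2007-11-20 22:01:10 GET /default.htm - 192.0.2.10 - 200 0
2007-11-20 22:01:10 GET /private/menu.pl - 192.0.2.10 http://www.example.test/default.htm 401 3
2007-11-20 22:04:31 GET /default.htm - 192.0.2.44 - 200 0
2007-11-20 22:04:31 GET /private/menu.pl - 192.0.2.44 http://www.example.test/default.htm 401 3
2007-11-20 22:09:02 GET /private/report.htm - 192.0.2.77 - 401 2
2007-11-20 22:09:05 GET /private/report.htm staff1 192.0.2.77 - 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))

def unexpected_challenges(text, secured_prefix):
    """Count 401s for secured URLs that were requested from a public page."""
    hits = Counter()
    for row in parse_w3c(text):
        uri = row["cs-uri-stem"].lower()
        referer = row.get("cs(Referer)", "-")
        if row["sc-status"] != "401" or referer == "-":
            continue                         # direct requests should be challenged
        page = (urlparse(referer).path or "/").lower()
        if uri.startswith(secured_prefix) and not page.startswith(secured_prefix):
            status = "401." + row.get("sc-substatus", "0")
            hits[(page, uri, status)] += 1
    return hits

if __name__ == "__main__":
    for (page, uri, status), n in unexpected_challenges(SAMPLE_LOG, "/private/").items():
        print(f"{n}x {status}: {page} pulls in {uri}")
```

A sub-status of 3 (401.3) is what IIS logs when the denial comes from the ACL on the resource, which matches an NTFS lockdown like the one described in this thread.
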