Problems Accessing Remote UNC Shares via Virtual Directories
on 05.12.2007 18:07:49 by Ben
Hi,
We've got a Wiki setup on one of our member servers (win2003 std edn) for
providing information to our users. We also have some documentation stored
on our main file server (also win 2003 std edn), which is usually accessed
via a mapped drive, i.e. M: = \\server.domain.com\manuals.
So that these documents can be accessed via the Wiki, I've created some
virtual directories under the wiki, that point to the UNC paths of the
required shares. However, I'm having problems accessing those virtual
directories. I can access them fine if I supply a set of generic credentials
under the 'Connect As' button. However, some of these documents are not for
everyone, so I want to use the 'Always use the authenticated user's
credentials...' option. The trouble is, when I select this option, no one
can access any of the virtual directories, even using the domain admin
account.
The directory security is set to anonymous access - disabled, Integrated &
digest - enabled, realm - domain.com. I've noticed that when I try to
authenticate, the credentials popup auto enters wiki.domain.com\username,
rather than the usual domain\username, or just username.
Can anyone help, or suggest a way to get authentication working correctly?
Many thanks
Ben
Re: Problems Accessing Remote UNC Shares via Virtual Directories
on 05.12.2007 21:37:14 by David Wang
On Dec 5, 9:07 am, "Ben" wrote:
> Hi,
>
> We've got a Wiki setup on one of our member servers (win2003 std edn) for
> providing information to our users. We also have some documentation stored
> on our main file server (also win 2003 std edn), which is usually accessed
> via a mapped drive, i.e. M: = \\server.domain.com\manuals.
>
> So that these documents can be accessed via the Wiki, I've created some
> virtual directories under the wiki, that point to the UNC paths of the
> required shares. However, I'm having problems accessing those virtual
> directories. I can access them fine if I supply a set of generic credentials
> under the 'Connect As' button. However, some of these documents are not for
> everyone, so I want to use the 'Always use the authenticated user's
> credentials...' option. The trouble is, when I select this option, no one
> can access any of the virtual directories, even using the domain admin
> account.
>
> The directory security is set to anonymous access - disabled, Integrated &
> digest - enabled, realm - domain.com. I've noticed that when I try to
> authenticate, the credentials popup auto enters wiki.domain.com\username,
> rather than the usual domain\username, or just username.
>
> Can anyone help, or suggest a way to get authentication working correctly?
>
> Many thanks
>
> Ben
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
If you want to use Integrated, you will also need to set up delegation
for that scenario to work. The reason it does not "just work" is for
security reasons.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Problems Accessing Remote UNC Shares via Virtual Directories
on 06.12.2007 12:52:28 by Ben
"David Wang" wrote in message
news:43f1602b-9f4b-4b6a-b204-99b692e68f65@s12g2000prg.googlegroups.com...
> On Dec 5, 9:07 am, "Ben" wrote:
>
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
>
> If you want to use Integrated, you will also need to set up delegation
> for that scenario to work. The reason it does not "just work" is for
> security reasons.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
Hi David,
Thanks for the reply.
I read through the article, but came across an error when performing the
delegation steps to assign the webserver 'trust this computer for delegation
to specified services only - use Kerberos only'. When I add the services,
CIFS & HOST from the file server, then click apply, I get an error: "The
following Active Directory error occurred: Access is denied".
Having googled around I found a post that said I had to add the 'Enable
computer and user accounts to be trusted for delegation' user right to the
default domain controller policy (Computer configuration > Windows Settings
> Security Settings > Local Policies > User Rights Management > Enable
computer and user accounts to be trusted for delegation), which I did.
However, even after running a GPUPDATE /FORCE on the domain controller I
still get the above error.
Any ideas how to solve the problem? Not sure if this may be out of your area
of knowledge, as it's an AD problem, rather than IIS, if so I'll post in an
active directory specific forum.
Thanks again
Ben
Re: Problems Accessing Remote UNC Shares via Virtual Directories
on 07.12.2007 07:08:06 by David Wang
On Dec 6, 3:52 am, "Ben" wrote:
> "David Wang" wrote in message
>
> news:43f1602b-9f4b-4b6a-b204-99b692e68f65@s12g2000prg.googlegroups.com...
>
> > On Dec 5, 9:07 am, "Ben" wrote:
>
>
> >http://www.microsoft.com/technet/prodtechnol/windowsserver2003/techno...
>
> > If you want to use Integrated, you will also need to set up delegation
> > for that scenario to work. The reason it does not "just work" is for
> > security reasons.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> Hi David,
>
> Thanks for the reply.
>
> I read through the article, but came across an error when performing the
> delegation steps to assign the webserver 'trust this computer for delegation
> to specified services only - use Kerberos only'. When I add the services,
> CIFS & HOST from the file server, then click apply, I get an error: "The
> following Active Directory error occurred: Access is denied".
>
> Having googled around I found a post that said I had to add the 'Enable
> computer and user accounts to be trusted for delegation' user right to the
> default domain controller policy (Computer configuration > Windows Settings
> > Security Settings > Local Policies > User Rights Management > Enable
> computer and user accounts to be trusted for delegation), which I did.
> However, even after running a GPUPDATE /FORCE on the domain controller I
> still get the above error.
>
> Any ideas how to solve the problem? Not sure if this may be out of your area
> of knowledge, as it's an AD problem, rather than IIS, if so I'll post in an
> active directory specific forum.
>
> Thanks again
>
> Ben
At this point your questions are no longer related to IIS.
If the Active Directory settings are correct and propagated to IIS,
then what you want to do will be allowed. Basically, the delegated
scenario with Integrated Authentication falls into:
1. Browser authenticates via Kerberos to Web Server, token is
delegated through to the File Server
2. Browser authenticates via any authentication protocol to Web
Server, who uses Protocol Transitioning to generate the Kerberos
delegate token to the File Server
In other words, it's all Kerberos in the backend that allows this to
work. NTLM won't work.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
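Added example, not part of the thread or of any poster's reply: a PowerShell helper that takes the two delegation-related attributes of the web server's computer account and reports which of the two cases above the configuration supports. The function name `Get-DelegationMode` and the sample attribute values are assumptions made for illustration; the flag values are the documented `userAccountControl` bits.

```powershell
# Added example: classify delegation settings from two attributes of the web
# server's computer account (userAccountControl, msDS-AllowedToDelegateTo).
$TRUSTED_FOR_DELEGATION         = 0x80000    # delegation to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"

function Get-DelegationMode {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int]    $UserAccountControl,
        [string[]]                      $AllowedToDelegateTo,
        [Parameter(Mandatory)] [string] $FileServerFqdn
    )
    # Drop null/empty entries so an unset attribute counts as an empty list.
    $spns = @($AllowedToDelegateTo | Where-Object { $_ })

    # A UNC back end is SMB, so the entry that matters is cifs/<file server>.
    $wanted  = "cifs/$FileServerFqdn", "cifs/$($FileServerFqdn.Split('.')[0])"
    $hasCifs = @($spns | Where-Object { $wanted -contains $_ }).Count -gt 0

    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) {
        $mode = 'Unconstrained'; $ntlmOk = $false
        $note = 'Kerberos logons are forwarded to any service; broader than this scenario needs.'
    } elseif ($spns.Count -eq 0) {
        $mode = 'None'; $ntlmOk = $false
        $note = 'No delegation configured; the user identity cannot be forwarded to the file server.'
    } elseif ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
        $mode = 'Constrained, any protocol'; $ntlmOk = $true
        $note = 'Case 2: protocol transition builds the Kerberos token for the back end.'
    } else {
        $mode = 'Constrained, Kerberos only'; $ntlmOk = $false
        $note = 'Case 1: the browser itself must authenticate with Kerberos.'
    }
    [pscustomobject]@{
        Mode               = $mode
        CifsSpnListed      = $hasCifs
        WorksIfBrowserNtlm = $ntlmOk -and $hasCifs
        Note               = $note
    }
}

# Constructed sample values (not taken from the thread): a member server set to
# "specified services only - use Kerberos only" with CIFS and HOST listed.
$sample = @{
    UserAccountControl  = 0x1000    # WORKSTATION_TRUST_ACCOUNT only
    AllowedToDelegateTo = 'cifs/server.domain.com', 'HOST/server.domain.com'
    FileServerFqdn      = 'server.domain.com'
}
Get-DelegationMode @sample
```

On a live domain the two inputs would come from `Get-ADComputer <name> -Properties userAccountControl, msDS-AllowedToDelegateTo`, which assumes the RSAT ActiveDirectory module is installed.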