IIS6.0 & NAS
Hi all!
I have a little problem.
I have a web site with storage on a shared folder on a NAS.
The folder is shared to a domain user (Domain\IUSR_WEB).
The web site is configured to connect to the folder with (Domain\IURS_WEB)
and anonymous access.
Everything works properly, but I have to lock some files or folders for only
certain users. So I have granted the permission to the domain users and, in
the IIS configuration, under the 'protection directory' tab, disabled
'anonymous access' and left 'integrated Windows authentication'.
Every domain user can still access the files/folders... why??!!! (even
if the user doesn't have permission on them!)
Any clue will be appreciated!
Thanx in advance ;))
/crino
Mark Thomas [MSFT] 2005-01-31, 7:51 am
Hi, the answer depends a little on whether you are using IIS4/5 or IIS6. In
versions earlier than 6.0 this is exactly what you will see and is by
design. What people often expect is that the web server will somehow "pass
through" the user's credentials. In fact, it cannot do this (or at least,
not by default). There are two sets of credentials involved here. The first
is the one that the user uses to connect to the web server. If the web
server is not using anonymous, these credentials are used to authenticate
and authorise access to the web site. Once the user has been authorised, the
credentials stored when you configured the virtual directory to point to the
SAN are used to retrieve the file. Notice, it's the credentials that have
been stored in the metabase that are used to retrieve the file. So everyone
who accesses the virtual directory on the web server has the same access to
the files. This is, as I said earlier, by design.
There is a long and complicated KB article that tells you how to configure
"pass-through authentication" for UNC-based virtual directories:
http://support.microsoft.com/defaul...kb;en-us;214806
For IIS 6.0 the situation is different; there is a facility to allow
pass-through authentication. Here's an article that explains:
http://support.microsoft.com/defaul...kb;en-us;332151
Here's a general article on using remote storage with IIS:
http://www.microsoft.com/technet/pr...s/remstorg.mspx
Hope that helps.
--
Regards
Mark Thomas
This posting is provided "AS IS" with no warranties, and confers no rights.
"crino" <cseverini@aditusnet.it> wrote in message
news:TdfFd.398354$b5.19366575@news3.tin.it...
> Hi all!
> I have a little problem.
> I have a web site with storage on a shared folder on a NAS.
> The folder is shared to a domain user (Domain\IUSR_WEB).
> The web site is configured to connect to the folder with (Domain\IURS_WEB)
> and anonymous access.
> Everything works properly, but I have to lock some files or folders for only
> certain users. So I have granted the permission to the domain users and, in
> the IIS configuration, under the 'protection directory' tab, disabled
> 'anonymous access' and left 'integrated Windows authentication'.
> Every domain user can still access the files/folders... why??!!! (even
> if the user doesn't have permission on them!)
> Any clue will be appreciated!
> Thanx in advance ;))
>
> /crino
>
>
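
Added example, not part of the original thread: a small Python model of the two credential checks described in the reply above, showing why a file ACL on the share has no effect on web users while the virtual directory retrieves files with one stored account. The share paths, the accounts `Domain\alice` and `Domain\bob`, and all function names are constructed for illustration; pass-through is modelled simply as "the authenticated user's identity is the one checked against the file ACL".

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: read ACLs on the NAS share, keyed by UNC path.
ACLS = {
    r"\\nas\web\index.htm": {r"Domain\IUSR_WEB", r"Domain\alice", r"Domain\bob"},
    r"\\nas\web\hr\salary.htm": {r"Domain\IUSR_WEB", r"Domain\alice"},
}
# Constructed accounts that pass Integrated Windows authentication.
DOMAIN_USERS = {r"Domain\alice", r"Domain\bob"}

@dataclass
class VirtualDirectory:
    # Account stored with the UNC virtual directory; None models pass-through.
    stored_unc_user: Optional[str]
    anonymous_allowed: bool = False

def file_identity(vdir, web_user):
    """Identity the NAS sees when the web server opens the file."""
    return vdir.stored_unc_user or web_user

def can_read(vdir, web_user, path):
    # Stage 1: the web server authenticates the caller (None = anonymous).
    if web_user is None:
        if not vdir.anonymous_allowed:
            return False
    elif web_user not in DOMAIN_USERS:
        return False
    # Stage 2: the file is fetched under the stored or passed-through identity,
    # and only that identity is compared with the ACL on the share.
    identity = file_identity(vdir, web_user)
    return identity is not None and identity in ACLS.get(path, set())

def acl_bypasses(vdir):
    """(user, path) pairs readable via the web server although the user is
    absent from the file's own ACL."""
    return sorted((user, path)
                  for path, acl in ACLS.items()
                  for user in DOMAIN_USERS
                  if user not in acl and can_read(vdir, user, path))

if __name__ == "__main__":
    for label, vdir in [("stored account", VirtualDirectory(r"Domain\IUSR_WEB")),
                        ("pass-through", VirtualDirectory(None))]:
        print(label, acl_bypasses(vdir))
```
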