Issue: Virtual Directory to UNC
| Hi,
I am configuring a virtual directory pointing to a UNC within the same
domain as the IIS server (Win 2003 server). The authentication setting is set
to Network Credentials of Users. The rest all like Anonymous access, etc. are
unchecked. ACLs are set up in the file server (UNC) thereby controlling
access on the list of people who would be accessing the file server normally
without the IIS.
Even though I have access to both the web server as well as the file servers
separately, I am not able to access the files using the virtual directory.
For ex: \\myserver1\fileshare is set to the virtual directory
http://myserver2/fileshare.
Now when a file like say http://myserver2/fileshare/file1.ext is being
accessed, even though the credentials were supplied, it prompts for the
username and password as if the supplied credentials were incorrect.
I thought it might be a double hop issue, but when I try to access the path
from the server with http://myserver2/fileshare/file1.ext, even then, I get
the same issue.
I guess there should be no issue with IIS using the network credentials
directly. One catch is that as per the organisation's IT policy, web servers
cannot be allowed delegation. Is there any way the above issue can be
resolved.
Any help appreciated in advance.
Rgds.
| |
| David Wang [Msft] 2005-12-18, 2:48 am |
| Still looks like double-hop/delegation. The following URL should provide you
all necessary options/configuration and details.
http://www.microsoft.com/technet/pr...s/remstorg.mspx
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
|
| Hi David,
First of all, my thanks to you. I had done some research on the web before
turning on to TechNet. As I had specified in my post, I CANNOT use delegation
as I am not the domain administrator. Setting up of delegation rights has
been restricted only to the domain admins.
As my server is in the domain, and as the application requires proper
authentication for access, I was expecting a way to use the same to access
the UNC. Even if there needs to be a re-authentication, I guess that should
not be an issue at all, but I am not able to get it to work.
I repeat, I CANNOT set the delegation property (Even constrained). The
reason behind my post is to check if it would work, as impersonation as the
request user works even without delegation for other applications like AD,
except getting this virtual directory to a UNC.
If there is no solution without delegation, then I will have to remove the
feature from the application and live with the fact that sometimes MS
products do suck 
Rgds.
| |
| David Wang [Msft] 2005-12-18, 5:57 pm |
| Your choices are to either:
1. Secure - use delegation
2. Insecure - use Basic authentication
Quickest example illustrating the security issue under discussion:
Just because a remote user authenticated to the web server, why should the
web server be able to log in to that user's bank and withdraw all their
money as the remote user.
In your example, you are accessing UNC files, but it can equivalently be
withdrawing money from a bank.
The difference? The authentication protocol controls whether this
man-in-the-middle attack is possible. Basic authentication allows it because
it implicitly delegates the username/password in clear-text to the server.
Integrated Authentication does not allow it (unless you configure delegation
[constrained], which gives *you* the power to control that Basic
authentication never had).
In other words, the reason it fails for you is because you are trying to do
something insecure and the protocol is resisting your attack. Unfortunately,
most users do not understand this, so they walk away thinking that the MS
product "sucks" and does not do what they want... when in fact the customer
simply never understands security and is simply doing the wrong thing...
which happens most of the time. :-)
Your issue basically has to trade off between:
- ease of using functionality
- security
- complexity of setup
The question is whether you are acceptable with each solution's tradeoff.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
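The difference between Basic and Integrated authentication on the second hop, as described in the reply above, shown as an added example that is not part of the original thread. A simplified HMAC challenge-response stands in for the real NTLM/Kerberos exchange, and the account, password, class and function names are constructed for illustration.

```python
import base64, hashlib, hmac, os

# Constructed account database, standing in for the domain's credential store.
USERS = {"jay": "constructed-Passw0rd"}

def key(password):
    return hashlib.sha256(password.encode()).digest()

def prove(secret, challenge):
    # Proof of knowledge bound to ONE server's challenge (simplified stand-in
    # for an NTLM/Kerberos exchange; not the real protocol).
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Server:
    """Issues a fresh random challenge per connection and checks the proof."""
    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce
    def verify(self, user, proof):
        return hmac.compare_digest(prove(key(USERS[user]), self.nonce), proof)

def basic_second_hop(auth_header, file_server):
    # Basic: the header carries the password itself, so the web server can
    # answer the file server's challenge as the user (implicit delegation).
    user, password = base64.b64decode(auth_header.split()[1]).decode().split(":", 1)
    return file_server.verify(user, prove(key(password), file_server.challenge()))

def integrated_second_hop(user, proof_for_web, file_server):
    # Integrated, no delegation: the web server only holds a proof bound to its
    # own challenge; replaying it against the file server's challenge fails.
    file_server.challenge()
    return file_server.verify(user, proof_for_web)

def demo():
    web, files = Server(), Server()
    password = USERS["jay"]                        # the client's own secret
    proof = prove(key(password), web.challenge())  # client answers hop 1
    first_hop = web.verify("jay", proof)
    header = "Basic " + base64.b64encode(f"jay:{password}".encode()).decode()
    return first_hop, basic_second_hop(header, files), integrated_second_hop("jay", proof, files)

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```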
|
| Thanks again David. I guess I figured it out myself that I need to use Basic
Authentication with HTTPS/SSL. By the way, the explanation given by you on
the delegation was good. I now understand the reason behind the delegation
requirement, and I will take back my comment 
Despite this, there is one question that I would like to ask. There are two
servers (1 App and 1 DB) in my domain for which I have administrator access.
The purpose of this server is to access I just want to access one machine
from the other. If I enable delegation I guess I will be free to do the above
said. So is there a way where I can set the webserver as a trusted server in
the file server?
Appreciate your patience in explaining stuff to me 
Rgds.
| |
| David Wang [Msft] 2005-12-20, 8:00 am |
| > So is there a way where I can set the webserver as a trusted
> server in the file server?
Nope. That model of security is a hack and does not scale. Treat each
machine as stand-alone and should trust no-one. It does not make sense to
have ability on the server to say "trust server X for this operation and
server Y for that operation" -- who and how to establish that trust? Of
course, you can always do something ad-hoc and insecure like Basic
authentication for delegation, but once again, that would never scale.
Instead, stand-alone servers that join a domain simply implicitly trust the
domain controller -- and then take advantage of transitivity of trust to
have the controller dictate that trust. Every domain machine trusts the
domain controller, who then can do all sorts of nifty things with that
transitivity of trust. It also meshes well with general security concepts
and protocols like Kerberos, for example.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//