|
Home > Archive > IIS Server Security > April 2007 > UNC Virtual Directories; NTFS permission authentication not accept
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
UNC Virtual Directories; NTFS permission authentication not accept
|
|
| Jason Carter 2007-04-04, 1:19 pm |
| This one is driving me crazy. Here is the environment:
I have one web server, Windows 2003 R2; IIS 6.0, and a files server running
Windows 2003 R2. Both servers are part of a Windows 2003 native Active
Directory domain.
Virtual directories have been created on the web server pointing to a UNC
share: \\hrfile1\https clients\xxxx. Permissions on the https clients share
and the xxxx directory are locked down using NTFS permissions and the virtual
directory is setup with a "connect as" username or password instead asking
for credentails. SSL is required, anonymous access is unchecked, integrated
Windows authentication is checked. In addition, hrweb1 is setup for
delegation to hrfile1 for the HOST can cifs services.
The problem I have is that every time I access the site I am prompted for my
username and password, but even though I enter an username/password that is
authorized, the login screen keeps popping back up. I have created test
directories where share and NTFS permissions are set to EVERYONE - Full
control and still get prompted over and over for credentials.
If I use the "connect as" option, I am prompted for creditails and allowed
in, but once in I can browse to any folder, even ones that I am not allowed
access to, so that is not an option.
If anyone can help me out, I would really appreciate it.
It may not matter, but the web server is part of a network load balanced
system, though I am not testing with the nlb address, just the local address
on one system.
| |
| Jason Carter 2007-04-05, 7:21 pm |
| Just an update here, I found a solution, though it is not what I expected.
Everything I read said that I needed to add the Delegation rights from the
web server to the file server (HOST and cifs). This turned out to be the
problem. Once I removed those delegation rights AND removed the Integrated
Windows Authentication option (leaving only Basic Authentication checked) the
system worked like it I had hoped, authenticating based on the NTFS
permissions of the folder the UNC path was pointing to.
This works fine for me since the SSL is required on all connections.
Thanks to anyone who took a look at this and tried to help!!
"Jason Carter" wrote:
> This one is driving me crazy. Here is the environment:
>
> I have one web server, Windows 2003 R2; IIS 6.0, and a files server running
> Windows 2003 R2. Both servers are part of a Windows 2003 native Active
> Directory domain.
>
> Virtual directories have been created on the web server pointing to a UNC
> share: \\hrfile1\https clients\xxxx. Permissions on the https clients share
> and the xxxx directory are locked down using NTFS permissions and the virtual
> directory is setup with a "connect as" username or password instead asking
> for credentails. SSL is required, anonymous access is unchecked, integrated
> Windows authentication is checked. In addition, hrweb1 is setup for
> delegation to hrfile1 for the HOST can cifs services.
>
> The problem I have is that every time I access the site I am prompted for my
> username and password, but even though I enter an username/password that is
> authorized, the login screen keeps popping back up. I have created test
> directories where share and NTFS permissions are set to EVERYONE - Full
> control and still get prompted over and over for credentials.
>
> If I use the "connect as" option, I am prompted for creditails and allowed
> in, but once in I can browse to any folder, even ones that I am not allowed
> access to, so that is not an option.
>
> If anyone can help me out, I would really appreciate it.
>
> It may not matter, but the web server is part of a network load balanced
> system, though I am not testing with the nlb address, just the local address
> on one system.
| |
| David Wang 2007-04-05, 7:21 pm |
| While I am happy that you have found a solution to your situation, I
have to say that Delegation is NOT the problem. And using Basic over
SSL is NOT necessarily the correct solution.
Basic over SSL is basically the "I give up because I don't understand
delegation" solution because it is insecure, though in your situation
you are using a non-important ConnectAs user whose delegation
properties you do not need to secure.
In other words, Basic/SSL is a passable workaround for your needs, but
it is definitely not the correct solution for the general issue of
delegation which surfaces as soon as you want users to use your web
server to access resources on another server.
What OS is providing the CIFS file services?
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Apr 5, 1:56 pm, Jason Carter
<JasonCar...@discussions.microsoft.com> wrote:
> Just an update here, I found a solution, though it is not what I expected.
>
> Everything I read said that I needed to add the Delegation rights from the
> web server to the file server (HOST and cifs). This turned out to be the
> problem. Once I removed those delegation rights AND removed the Integrated
> Windows Authentication option (leaving only Basic Authentication checked) the
> system worked like it I had hoped, authenticating based on the NTFS
> permissions of the folder the UNC path was pointing to.
>
> This works fine for me since the SSL is required on all connections.
>
> Thanks to anyone who took a look at this and tried to help!!
>
>
>
> "Jason Carter" wrote:
>
>
>
>
>
>
>
> - Show quoted text -
|
|
|
|
|