Re: shared folder access

From: Steve Jansen (stj3570_at_dev.nul)
Date: 10/17/03

    Date: Thu, 16 Oct 2003 18:43:43 -0400
    
    

    Did you use adsutil.vbs to delete the UNC parameters, or did you try to use
    the GUI tool (inetmgr.exe)?

    <anonymous@discussions.microsoft.com> wrote in message
    news:0b0001c393ae$591ea900$a301280a@phx.gbl...
    > Thanks Steve. Your options are really logical. However, i
    > tried with the basic authentication as we r on intranet
    > and it's ok for us to pass in plain text too.. but seems it
    > doesn't work.
    >
    > also, i am not able to delete the UNC parameters too as
    > you did..
    >
    > >-----Original Message-----
    > >I suggest reading the Patterns & Practices whitepaper "Authentication in
    > >ASP.NET: .NET Security Guidance":
    > >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
    > >
    > >Impersonation is not enough to accomplish what you want. You require
    > >account delegation from your physical server running IIS to your physical
    > >server hosting the file share.
    > >
    > >Option 1
    > >---------
    > >Your first option is to use Basic Authentication in IIS over SSL. This way,
    > >the inetinfo.exe process has your credentials in plaintext and can log on to
    > >the remote file server on the end-user's behalf.
    > >
    > >Option 2
    > >---------
    > >Alternatively I have gotten this to work before with Windows Authentication,
    > >but, it is not straightforward:
    > >1) Enable Windows Authentication in IIS for your web app
    > >2) If you create a virtual directory that maps to your UNC share, manually
    > >delete the UNCUserName and UNCPassword metabase values using adsutil.vbs.
    > >This will remove the UNC user token credentials (something that cannot be
    > >done through inetmgr.exe). Doing so causes IIS to attempt delegation using
    > >the current logon credentials.
    > >3) Even though inetinfo.exe runs as LocalSystem, I had to create an AD
    > >Service Principal Name. First, I had to set the option "Trust this computer
    > >for delegation" for the IIS Computer AD object. Then, I had to issue the
    > >setspn.exe command, which I remember being:
    > >
    > >setspn -A HTTP/myhost.mydomain.com myserver
    > >
    > >
    > >4) For IE clients, I had to add myhost.mydomain.com to the LocalIntranet
    > >zone. I would guess this caused IE to use Kerberos authentication instead
    > >of NTLM. It may have also had something to do with "Automatic Logon in
    > >Intranet Zone only"
    > >
    > >Connected IE clients should then browse the remote file share using their
    > >credentials and appropriate ACLs. You should be able to confirm this by
    > >enabling complete auditing of file access for your share and checking the
    > >event viewer. I believe there are major performance implications for this,
    > >due to the increased network activity of IIS performing delegation and UNC
    > >file operations.
    > >
    > >Option 3
    > >---------
    > >You can also set the UNCAuthenticationPassthrough metabase attribute to True
    > >to accomplish this. The article @
    > >http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/default.aspx
    > >provides a good discussion of this setting. However, the KB 286401 states
    > >that this setting is not supported by MS.
    > >
    > >-Steve Jansen
    > >
    > >"sundeeps@niit.com" <anonymous@discussions.microsoft.com> wrote in message
    > >news:06d601c39315$9f30aef0$a001280a@phx.gbl...
    > >> hi, i have a web application residing on a web server [w]
    > >> and a file server [s]. Both the servers are part of same
    > >> domain [d].
    > >>
    > >> now, i want to access shared folders from my web
    > >> application but the access should be given to only those
    > >> users who has permission on shared folder.
    > >>
    > >> I set up impersonate in my system and m using windows
    > >> authentication, but still i get access denied error.
    > >>
    > >> Need help
    > >
    > >
    > >.
    > >
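
Added example, not part of the original thread: a small Python audit that classifies UNC-backed virtual directories by whether they still carry a stored UNCUserName (so every visitor reaches the share as that one account), have UNCAuthenticationPassthrough set (Option 3), or have neither and so rely on the caller's own credentials as described in Option 2. The "[/path]" plus "Name : (TYPE) value" layout of the adsutil.vbs enumeration output, and every path, host and account name in the sample, are assumptions constructed for illustration.

```python
import re

# Constructed sample; the layout is an assumed rendering of what
# "cscript adsutil.vbs enum_all w3svc/1/root" prints, not captured output.
SAMPLE = r'''
[/w3svc/1/root/reports]
Path                            : (STRING) "\\fileserver\reports"
UNCUserName                     : (STRING) "MYDOMAIN\svc_web"
UNCPassword                     : (STRING) "**********"
[/w3svc/1/root/docs]
KeyType                         : (STRING) "IIsWebVirtualDir"
Path                            : (STRING) "\\fileserver\docs"
[/w3svc/1/root/legacy]
Path                            : (STRING) "\\fileserver\legacy"
UNCAuthenticationPassthrough    : (BOOLEAN) True
[/w3svc/1/root/local]
Path                            : (STRING) "c:\inetpub\wwwroot\local"
'''

NODE = re.compile(r'^\[(.+)\]$')                        # metabase node header
PROP = re.compile(r'^(\w+)\s*:\s*\((\w+)\)\s*(.*)$')    # Name : (TYPE) value

def parse(text):
    """Return {node_path: {property_name_lowercase: value}}."""
    nodes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = NODE.match(line)
        if m:
            current = nodes.setdefault(m.group(1).lower(), {})
            continue
        m = PROP.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(3).strip().strip('"')
    return nodes

def audit(text):
    """Classify each UNC-backed node by which identity reaches the share."""
    findings = {}
    for path, props in parse(text).items():
        if not props.get('path', '').startswith('\\\\'):
            continue  # local directory, no remote share involved
        if props.get('uncusername'):
            findings[path] = 'stored-credentials'   # per-user ACLs bypassed
        elif props.get('uncauthenticationpassthrough', '').lower() == 'true':
            findings[path] = 'passthrough-flag'     # Option 3 setting
        else:
            findings[path] = 'caller-credentials'   # Option 2 behaviour
    return findings
```
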

