Re: Access of images on file server
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Thu, 6 Nov 2003 20:17:45 -0800
Mapped drives are generally a bad idea because the drive letter of the
mapping exists only for your identity and not for the web server's identity.
Use a real UNC filepath instead.
Read this article on how to configure ACLs on a UNC setup.
In your case, I would pay special attention to the fact you are crossing a
DMZ boundary -- make sure that the internal firewall isn't blocking the web
server access to the file server (though if the web server in the DMZ is
able to access a file server not in the DMZ... I think the file server might
as well be in the DMZ...).
In particular, I think your problem is that because Windows Integrated
Authentication is not delegatable, unless you've configured a specific UNC
User on both web server and file server, it's all going to fail. And in the
case of a specific UNC User or Anonymous user, unless that user account is a
domain account, you will need to create the same identity on both web server
and file server such that their credentials match (i.e. IUSR on the
webserver is not the same as IUSR on the fileserver unless you've sync'd
their password and username). Then, you need to make sure that this
identity has both NTFS ACL to read the content AND that the UNC fileshare
allows that identity to at least read the content AND that the web server is
actually hitting your content as that user.
At the end of the day, it comes down to:
1. What user identity is the web server going to use to access the file
server (i.e. configured UNC Username, or always Anonymous user, or passthru
authentication with sufficient setup)
2. Can the user credentials hop off the web server to the file server.
Windows Integrated Authentication cannot, without delegation. Basic is
insecure sending of username/password, so it can hop.
3. What authorization is given to the user identity on the file server, at
both the UNC share level and the NTFS file level
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"MJ" <firstname.lastname@example.org> wrote in message news:email@example.com...
I have a web server set up on a DMZ with an ASP application that is trying to access JPEGS on a file server that is not on the DMZ. I have a mapped drive set up on the web server pointing to the location of the JPEG images. When the pop-up appears within the ASP application that shows the JPEGS that are available, there are no hyperlinks to those JPEG files (this should be the case if things are set up properly). Everyone (including the anonymous account for this web server) has access to the folder with the JPEGS on the file server. What might I be missing here? Both anonymous and Windows Integrated Authentication are checked in the Internet Services Manager for the properties of this new site.
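
The three questions at the end of the reply (which identity, can it reach the file server, what is it authorized to do at share and NTFS level) can be checked from the web server with a script like the following. This is an added example, not part of the original thread; the server name `FILESRV01`, the share name `images` and the drive name `WebIdCheck` are placeholders, and it assumes a current Windows with the SmbShare module, WinRM enabled on the file server, and an administrator running it.

```powershell
param(
    [string]$FileServer = 'FILESRV01',   # placeholder file server name
    [string]$Share      = 'images',      # placeholder share name
    [Parameter(Mandatory)]
    [pscredential]$WebIdentity           # the account IIS uses for the UNC content
)
$unc = "\\$FileServer\$Share"

# 1. Share-level permissions and the share's local path, queried on the file server.
$cim = New-CimSession -ComputerName $FileServer
try {
    $localPath = (Get-SmbShare -CimSession $cim -Name $Share).Path
    Get-SmbShareAccess -CimSession $cim -Name $Share |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host
} finally {
    Remove-CimSession $cim
}

# 2. NTFS permissions on the shared folder, read on the file server itself.
#    Returned as plain strings so nothing depends on object deserialization.
Invoke-Command -ComputerName $FileServer -ScriptBlock {
    (Get-Acl -LiteralPath $using:localPath).Access | ForEach-Object {
        '{0,-6} {1,-40} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
    }
}

# 3. Definitive test: connect to the UNC path with the web identity's credentials
#    and read one file. A mapped drive letter is deliberately not used.
#    New-PSDrive fails if this logon session already holds a connection to the
#    same server under a different account.
try {
    $null = New-PSDrive -Name WebIdCheck -PSProvider FileSystem -Root $unc `
                        -Credential $WebIdentity -ErrorAction Stop
    $file = Get-ChildItem -LiteralPath 'WebIdCheck:\' -File -ErrorAction Stop |
            Select-Object -First 1
    if ($file) {
        $null = Get-Content -LiteralPath $file.PSPath -TotalCount 1 -ErrorAction Stop
        "READ OK as $($WebIdentity.UserName): $($file.Name)"
    } else {
        "Connected as $($WebIdentity.UserName), but the share root holds no files to read"
    }
} catch {
    "READ FAILED as $($WebIdentity.UserName): $($_.Exception.Message)"
} finally {
    Remove-PSDrive -Name WebIdCheck -ErrorAction SilentlyContinue
}
```

For a non-domain account, pass the credential as it exists on the file server; step 3 fails when the username and password there do not match the web server's copy, which is the mismatch the reply describes. Steps 1 and 2 list the ACEs as stored and do not expand group membership, so step 3 is the result to trust.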