WebDAV security on IIS problems

From: msnews.microsoft.com (remove-gharris_at_pushhands.com)
Date: 11/25/03


Date: Tue, 25 Nov 2003 12:58:49 -0500

Hey All,

I have been beating my head over this one for a long time. It has to do
with setting up a WebDAV folder in IIS and setting permissions on that
folder to two accounts - one with read access and the other with full. From
all the documentation, this should be a simple task. WebDAV is supported by
default on all IIS folders and virtual folders. Here is an article from
Microsoft describing how easy it should be done:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323470&Product=iis50

The article is pretty straightforward and I have followed it to the letter.
I can get WebDAV to work, the problem lies in setting the security on the
folder to restrict or allow access. Here is what I have tried and I am
hoping there is someone out there who has worked with this before.

Here is the configuration: I have one Windows 2000 (SP4 and all latest
patches) member server behind a firewall with IIS 5 installed. Let's call
this server WEB1. I have a web site in IIS (with its own IP) whose
directory contents are on a share on another computer in the same domain
behind the same firewall. The server that hosts the source files for the
web site (not running IIS) is a Windows 200 (SP4 and all latest patches)
domain controller. Let's call this server FILE1. The current web site has
been established for many years and has been working without a hitch the
whole time. The client is interested in being able to upload files to a
folder within the website (let's call the folder "webdav-upload"). They
would like to have two separate accounts to access the contents of this
folder. One account has Read Only access to that folder and the other has
Full Access to that folder. I can get WebDAV access to that folder, the
problem is that I cannot get authentication to work as I would like. Here
is how I proceeded to set up this configuration:

1.) Within the website on WEB1, I created a Virtual Directory called
"Webdav-Upload". This Virtual Directory points to a share on FILE1. The
Connect as box in the Virtual Directory's properties is using the
IUSER_SHARE account (we have specified the password for this account and do
not let the server manage the password although this should have no bearing
on this).
2.) The Virtual Directory connects just fine with no Red X. I have enabled
Directory Browsing, Read, Write and Execute permissions on the folder.
3.) I disabled anonymous access to the folder and then enabled Basic
Authentication and specified the default logon domain.
4.) I then created 2 user accounts in the Domain called "WebDav-Read" and
"WebDav-Full".
5.) Gave both accounts the Log On Locally right to the Domain Controllers OU
Group Policy and ran the SECEDIT refresh.
6.) On FILE1, the share that the Virtual Directory connects to has full
control for the Everyone Group.
7.) On the folder underneath that share (one folder deep), I have set the
NTFS permissions as follows: I disabled inheritance of permission and
removed all inherited permissions. I then assigned the following
permissions:
                Domain Admins   Full Control
                WebDav-Full     Full Control
                WebDav-Read     Read, List Folder Contents, Read & Execute
                IUSR_SHARE      Read
8.) I then reset these permissions on all child objects.
9.) Then from a remote location outside on the Internet, I used the My
Network Places to create a new network place. I put in the full URL:
http://FQDN/webdav-upload
10.) It then prompted me for permissions and kept prompting me and would
fail. I could never connect.

I tried the following change to the above configuration to try and get it
working.

1.) I enabled anonymous access on the virtual directory and removed basic
authentication to have the NTFS permissions provide the security.
    - This would allow me to connect but gave me the permissions of the
IUSER_SHARE as that was the account in the Connect As box in the Virtual
Directory's properties.

How else can I get this working? Has anyone successfully gotten this
configuration to work? There is little to no troubleshooting documentation
for Microsoft's IIS and WebDAV. Please help!

Thanks!

PS. Please reply to the posting address but remove the "remove-" from the
email address.

Sincerely,
George Harris
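
Added example, not part of the original post: a Python check that compares what each identity can actually do over WebDAV with the two-account policy described above, for re-running after each configuration change. The names `POLICY`, `probe` and `evaluate` are introduced here, and the status codes in the two sample dictionaries are constructed to match the two symptoms the post reports.

```python
import base64
import http.client
from urllib.parse import urlsplit

# Intended policy from the post: who may list (PROPFIND) and who may upload (PUT).
# None stands for a request sent without credentials.
POLICY = {
    None:          {"PROPFIND": False, "PUT": False},
    "WebDav-Read": {"PROPFIND": True,  "PUT": False},
    "WebDav-Full": {"PROPFIND": True,  "PUT": True},
}
OK = {"PROPFIND": {207}, "PUT": {200, 201, 204}}  # success codes per method

def probe(url, method, user=None, password=""):
    """Send one WebDAV request, optionally with Basic auth; return the status."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    headers = {"Depth": "1"} if method == "PROPFIND" else {}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = cls(parts.hostname, parts.port, timeout=10)
    try:
        body = b"probe" if method == "PUT" else None
        conn.request(method, parts.path or "/", body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def evaluate(observed):
    """Compare {(user, method): status} with POLICY; return the mismatches."""
    findings = []
    for (user, method), status in sorted(observed.items(), key=str):
        allowed = status in OK[method]
        if allowed != POLICY[user][method]:
            kind = "over-permissive" if allowed else "blocked"
            findings.append((user or "anonymous", method, status, kind))
    return findings

# Constructed results matching the two symptoms described in the post:
# Basic auth on (every request answered 401) and anonymous access on
# (every identity ends up with the Connect As account's Read rights).
BASIC_AUTH_LOOP = {(u, m): 401 for u in POLICY for m in OK}
ANONYMOUS_ON = {(u, m): (207 if m == "PROPFIND" else 403)
                for u in POLICY for m in OK}
```

To use it against a live server, fill a dictionary with `probe()` results for each identity and method and pass it to `evaluate()`; an empty list means the folder enforces the intended policy.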


