Re: WebDAV security on IIS problems
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/26/03
- Next message: David Wang [Msft]: "Re: how do I force secure ASP.NET session cookies?"
- Previous message: Wei-Dong Xu [MSFT]: "Re: Anonymouse access causes Unauthorized Access error"
- In reply to: msnews.microsoft.com: "WebDAV security on IIS problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 Nov 2003 23:10:47 -0800
Read this URL to understand how to set up a UNC vdir:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/RemStorg.asp
Problem with your setup:
- Since you set the UNC vdir on WEB1 to be connecting as IUSER_SHARE -- all
users will come across to FILE1 as this user identity, rendering the rest of
your ACLs quite useless.
What you want is to implement pass-thru authentication, of which there are a
LOT of KB articles on this (it doesn't work very well on IIS5 except under
some circumstances). Read the above URL for links to them all, as well as
how to implement it correctly. On IIS5, pass-thru will only work with Basic
or Kerberos authentication on the front-end. On IIS6, with an AD, pass-thru
will work for any authentication type given that you configure the backend
AD/Kerberos correctly.
I know the first thing you must do for pass-thru auth is to delete the UNC
vdir you created -- because even if you uncheck the "connect as" box, the
metabase property for it still remains and confuses IIS. You can't delete
the property from the UI, so the only way is to create a new UNC vdir and
NEVER set the "connect as" box to make sure the property is never set in the
first place.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"msnews.microsoft.com" <remove-gharris@pushhands.com> wrote in message
news:%235GJT73sDHA.556@TK2MSFTNGP11.phx.gbl...

Hey All,

I have been beating my head over this one for a long time. It has to do with setting up a WebDAV folder in IIS and setting permissions on that folder to two accounts - one with read access and the other with full. From all the documentation, this should be a simple task. WebDAV is supported by default on all IIS folders and virtual folders. Here is an article from Microsoft describing how easy it should be done:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323470&Product=iis50

The article is pretty straightforward and I have followed it to the letter. I can get WebDAV to work, the problem lies in setting the security on the folder to restrict or allow access. Here is what I have tried and I am hoping there is someone out there who has worked with this before.

Here is the configuration:

I have one Windows 2000 (SP4 and all latest patches) member server behind a firewall with IIS 5 installed. Let's call this server WEB1. I have a web site in IIS (with its own IP) whose directory contents are on a share on another computer in the same domain behind the same firewall. The server that hosts the source files for the web site (not running IIS) is a Windows 2000 (SP4 and all latest patches) domain controller. Let's call this server FILE1. The current web site has been established for many years and has been working without a hitch the whole time.

The client is interested in being able to upload files to a folder within the website (let's call the folder "webdav-upload"). They would like to have two separate accounts to access the contents of this folder. One account has Read Only access to that folder and the other has Full Access to that folder.

I can get WebDAV access to that folder, the problem is that I cannot get authentication to work as I would like. Here is how I proceeded to set up this configuration:

1.) Within the website on WEB1, I created a Virtual Directory called "Webdav-Upload". This Virtual Directory points to a share on FILE1. The Connect as box in the Virtual Directory's properties is using the IUSER_SHARE account (we have specified the password for this account and do not let the server manage the password although this should have no bearing on this).
2.) The Virtual Directory connects just fine with no Red X. I have enabled Directory Browsing, Read, Write and Execute permissions on the folder.
3.) I disabled anonymous access to the folder and then enabled Basic Authentication and specified the default logon domain.
4.) I then created 2 user accounts in the Domain called "WedDav-Read" and "WebDav-Full".
5.) Gave both accounts the Log On Locally right to the Domain Controllers OU Group Policy and ran the SECEDIT refresh.
6.) On FILE1, the share that the Virtual Directory connects to has full control for the Everyone Group.
7.) On the folder underneath that share (one folder deep), I have set the NTFS permissions as follows: I disabled inheritance of permission and removed all inherited permissions. I then assigned the following permissions:
    Domain Admins    Full Control
    WebDav-Full      Full Control
    WebDav-Read      Read, List Folder Contents, Read & Execute
    IUSR_SHARE       Read
8.) I then reset these permissions on all child objects.
9.) Then from a remote location outside on the Internet, I used the My Network Places to create a new network place. I put in the full URL: http://FQDN/webdav-upload
10.) It then prompted me for permissions and kept prompting me and would fail. I could never connect.

I tried the following change to the above configuration to try and get it working.

1.) I enabled Anonymous access on the virtual directory and removed basic authentication to have the NTFS permissions provide the security.
    - This would allow me to connect but gave me the permissions of the IUSER_SHARE as that was the account in the Connect As box in the Virtual Directory's properties.

How else can I get this working? Has anyone successfully gotten this configuration to work? There is little to no troubleshooting documentation for Microsoft's IIS and WebDAV.

Please help! Thanks!

PS. Please reply to the posting address but remove the "remove-" from the email address.

Sincerely,
George Harris
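
An added example, not part of the original posts: one way to audit for the condition the reply describes, a UNC vdir that still carries a "connect as" property. It assumes an IIS 6 style MetaBase.xml export with `IIsWebVirtualDir` elements carrying `Location`, `Path` and `UNCUserName` attributes; the sample XML, the extra vdir names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of an IIS 6 MetaBase.xml export (not real data).
SAMPLE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Webdav-Upload"
        Path="\\FILE1\share" UNCUserName="IUSER_SHARE" UNCPassword="(redacted)"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/unchecked"
        Path="\\FILE1\share2" UNCUserName=""/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/passthru"
        Path="\\FILE1\share3"/>
  </MBProperty>
</configuration>"""


def local_name(tag):
    """Strip the XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def audit_unc_vdirs(xml_text):
    """Return (location, path, status) for every vdir whose Path is a UNC share."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "IIsWebVirtualDir":
            continue
        path = elem.get("Path", "")
        if not path.startswith("\\\\"):
            continue  # local directory, "connect as" does not apply
        user = elem.get("UNCUserName")
        if user is None:
            status = "pass-through candidate: no UNCUserName property"
        elif user == "":
            # Any leftover property is reported, since the reply says it confuses IIS.
            status = "stale: UNCUserName property present but empty"
        else:
            status = "fixed identity: every request reaches the share as " + user
        findings.append((elem.get("Location"), path, status))
    return findings


if __name__ == "__main__":
    for location, path, status in audit_unc_vdirs(SAMPLE):
        print(f"{location}  {path}\n    {status}")
```

A vdir reported as "fixed identity" is one where per-user NTFS ACLs on the file server cannot distinguish callers, which is the symptom described in the question.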