Re: IIS6.0 & Shared Folders
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 01/29/05
- In reply to: crino: "IIS6.0 & Shared Folders"
Date: Sat, 29 Jan 2005 01:57:08 -0800
Please read this URL on how UNC shares work. You did not configure what you
think:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
What you want is Pass-Thru authentication to restrict access based on the
authenticated user, but you configured something that allows any
authenticated user to access resources.
What you basically did was configure IIS to access any NAS resource when
requested via this website as Domain\IUSR_WEB. You then allowed only
Integrated authentication, meaning that only authenticated users can access
this website, and when they access NAS resources, these users do so as
Domain\IUSR_WEB (as you configured). Since you already gave read access to
Domain\IUSR_Web, that is why they have read access to it.
I suggest you configure Pass-Thru authentication so that the remote
authenticated user's identity is used on the NAS resource to determine
access. Clearly, if you want to restrict access to resources, you must lock
that file/folder for a particular user and do NOT include any other
identity.
As the URL will mention, Pass-Thru authentication requires delegation, which
does not work with Integrated authentication unless the machines are in a
domain and you use protocol transitioning to use Kerberos on the backend to
make delegation work.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"crino" <cseverini@aditusnet.it> wrote in message
news:VPPJd.456806$b5.21779376@news3.tin.it...
> Hi all!
> I have a little problem.
> I have a web site with storage on a shared folder on a NAS.
> The folder is shared to a domain user (Domain\IUSR_WEB).
> The web site is configured to connect to the folder with (Domain\IURS_WEB).
> The user is used for anonymous access too.
> Everything works properly, but I have to lock some files or folders for
> only certain users.
> So I have granted the permission to the domain users and, in the IIS
> configuration, under the tab 'protection directory', disabled 'anonymous
> access' and left 'authentication integrated windows'.
> Every domain user can still access the files/folders....why??!!! (even if
> the user doesn't have permission on them!)
> Any clue will be appreciated!
> Thanx in advance ;))
> /crino
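An added example, not part of the original posting and not Microsoft's code: a Python check that flags virtual directories whose UNC storage is reached with a fixed UNCUserName (the configuration described in the reply) versus pass-through. The sample fragment, server names and the function name audit_unc_identity are constructed for illustration; it assumes IIS 6.0 uses the requesting user's credentials when UNCUserName is empty.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment in the style of an IIS 6.0 metabase.xml.
SAMPLE = r"""
<configuration>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="\\nas01\web"
      UNCUserName="Domain\IUSR_WEB" AuthFlags="AuthNTLM" />
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="\\nas01\hr"
      UNCUserName="" AuthFlags="AuthNTLM" />
  <IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" Path="D:\inetpub\wwwroot"
      AuthFlags="AuthAnonymous | AuthNTLM" />
</configuration>
"""

def audit_unc_identity(xml_text):
    """Report which identity the file server sees for each UNC-backed vdir."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Ignore an XML namespace prefix on the tag, if one is present.
        if el.tag.rsplit("}", 1)[-1] != "IIsWebVirtualDir":
            continue
        path = el.get("Path", "")
        if not path.startswith("\\\\"):
            continue  # local storage, no UNC identity involved
        unc_user = el.get("UNCUserName", "").strip()
        auth = {f.strip() for f in el.get("AuthFlags", "").split("|") if f.strip()}
        if unc_user:
            mode = "fixed"
            note = ("share and NTFS ACLs are checked against %s only; "
                    "per-user permissions on the share have no effect" % unc_user)
            if "AuthAnonymous" not in auth:
                note += "; every authenticated user gets that account's access"
        else:
            mode = "pass-through"
            note = ("ACLs are checked against the requesting user; "
                    "Integrated authentication needs delegation to reach the share")
        findings.append({"location": el.get("Location"), "path": path,
                         "mode": mode, "identity": unc_user or None, "note": note})
    return findings

if __name__ == "__main__":
    for f in audit_unc_identity(SAMPLE):
        print("%(location)s  %(path)s  [%(mode)s]  %(note)s" % f)
```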