Re: Access Denied to share with anonymous access disabled

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 05/13/05 

Date: Fri, 13 May 2005 02:19:30 -0700

Please read this URL for details on how to correctly configure what you are
trying to do.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

The short answer is that for security reasons, you cannot double-hop with an
IWA credential unless you set up protocol transitioning. Exactly the same
reasoning as I've stated earlier. 

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Billnitro45" <billnitro45@comcast.net> wrote in message
news:%23Il0YPnVFHA.3188@TK2MSFTNGP09.phx.gbl...
Quick question in response....
I have a IIS 6 running.  I setup a new website.  The home directory points
to a network share \\server\sharename.  Share and NTFS permissions are setup
correctly.  I want to use IWA to connect but it fails with HTTP Error
401.3 - Unauthorized: Access is denied due to an ACL set on the requested
resource.  If you go to properties of your website and select the Home
Directory tab you will see the "Connect As..." button.  The connect as
button default setting is to use always use authenticated users credentials.
Why wouldn't this work?  Is it a problem using NTLM to authenticate (we are
still in nt 4.0 domain)?
Thanks for the help!
-Jeff
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uvYEaHuSFHA.140@TK2MSFTNGP10.phx.gbl...
> Does your user account have access through BOTH the Share's ACLs as well
as
> actual NTFS ACLs on the directory itself?
>
> If the scenario works if you change it to Basic authentication instead of
> Integrated Windows authentication, then you are looking at the classic
> "double hop" situation (even though you short-circuit it right now) and
the
> fact that NTLM does not delegate. You will need to use an authentication
> protocol (like Basic [insecure] or Kerberos) that delegates in order to
> access "shares" remotely. The logic behind it is simple. If you log onto a
> server, why should the server automatically be able to use your
credentials
> to access some other network resource? In other words, do you believe that
> when you log onto a server that the server be automatically able to use
your
> credentials to debit money from your bank account on another network
> resource.
>
> -- 
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> <cis042000@yahoo.com> wrote in message
> news:1114559695.832177.35210@g14g2000cwa.googlegroups.com...
> My asp.net app is trying to access a local share on my my server.  The
> share and the server are on the same box.  To begin with, I gave the
> ASPNet local user account full access to the share.  Then I enabled
> anonymous access with integrated windows security on the web site.  It
> works like a charm.  Disable anonymous access with integrated windows
> security and I get the error listed at the bottom of this message.  As
> a test case, I wrote a small test harness to display the current
> identity (WindowsIdentity.GetCurrent().Name).  With anonymous access
> enabled it displays the IUser account.  When anonymous access is
> disabled it shows my user name.  My user account has access to the
> share and still gets the error. Does anyone know what I'm doing wrong?
>
> System.UnauthorizedAccessException: Access to the path
> "\\CorpServer\Applications\appFRSQA\ReportShare\0616200641342PM.txt" is
> denied.
>    at System.IO.__Error.WinIOError(Int32 errorCode, String str)
>    at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
> access, FileShare share, Int32 bufferSize, Boolean useAsync, String
> msgPath, Boolean bFromProxy)
>    at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
> access, FileShare share, Int32 bufferSize)
>    at System.IO.StreamWriter.CreateFile(String path, Boolean append)
>    at System.IO.StreamWriter..ctor(String path, Boolean append,
> Encoding encoding, Int32 bufferSize)
>    at System.IO.StreamWriter..ctor(String path)
>    at Hca.Tcs.Service.Report.Helper.WriteAuditFileData(SqlDataReader
> dataReader, AuditFileReportHeader reportHeader)
>
>
>