Re: Issue: Virtual Directory to UNC



Thanks again David. I guess I figured it out myself that I need to use Basic
Authentication with HTTPS/SSL. By the way, the explanation given by you on
the delegation was good. I now understand the reason behind the delegation
requirement, and I will take back my comment :)

Despite this, there is one question that I would like to ask. There are two
servers (1 App and 1 DB) in my domain for which I have administrator access.
I just want to access one machine from the other. If I enable delegation I
guess I will be free to do the above said. So is there a way where I can set
the webserver as a trusted server in the file server?

Appreciate your patience in explaining stuff to me :)

Rgds.

"David Wang [Msft]" wrote:

> Your choices are to either:
> 1. Secure - use delegation
> 2. Insecure - use Basic authentication
>
> Quickest example illustrating the security issue under discussion:
>
> Just because a remote user authenticated to the web server, why should the
> web server be able to log in to that user's bank and withdraw all their
> money as the remote user.
>
> In your example, you are accessing UNC files, but it can equivalently be
> withdrawing money from a bank.
>
> The difference? The authentication protocol controls whether this
> man-in-the-middle attack is possible. Basic authentication allows it because
> it implicitly delegates the username/password in clear-text to the server.
> Integrated Authentication does not allow it (unless you configure delegation
> [constrained], which gives *you* the power to control that Basic
> authentication never had).
>
> In other words, the reason it fails for you is because you are trying to do
> something insecure and the protocol is resisting your attack. Unfortunately,
> most users do not understand this, so they walk away thinking that the MS
> product "sucks" and does not do what they want... when in fact the customer
> simply never understands security and is simply doing the wrong thing...
> which happens most of the time. :-)
>
> Your issue basically has to trade off between:
> - ease of using functionality
> - security
> - complexity of setup
>
> The question is whether each solution's tradeoff is acceptable to you.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Jay" <Jay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:A1984C85-E0E8-4BA8-8CD2-029D22BF0C81@xxxxxxxxxxxxxxxx
> > Hi David,
> > First of all, my thanks to you. I had done some research on the web before
> > turning on to TechNet. As I had specified in my post, I CANNOT use delegation
> > as I am not the domain administrator. Setting up of delegation rights has
> > been restricted only to the domain admins.
> >
> > As my server is in the domain, and as the application requires proper
> > authentication for access, I was expecting a way to use the same to access
> > the UNC. Even if there needs to be a re-authentication, I guess that should
> > not be an issue at all, but I am not able to get it to work.
> >
> > I repeat, I CANNOT set the delegation property (even constrained). The
> > reason behind my post is to check if it would work, as impersonation as the
> > request user works even without delegation for other applications like AD,
> > except getting this virtual directory to a UNC.
> >
> > If there is no solution without delegation, then I will have to remove the
> > feature from the application and live with the fact that sometimes MS
> > products do suck :)
> >
> > Rgds.
> >
> >
> > "David Wang [Msft]" wrote:
> >
> >> Still looks like double-hop/delegation. The following URL should provide you
> >> all necessary options/configuration and details.
> >>
> >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
> >>
> >> --
> >> //David
> >> IIS
> >> http://blogs.msdn.com/David.Wang
> >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >> //
> >>
> >> "Jay" <Jay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:7E585E7F-306E-4518-BD4C-766F161D5B70@xxxxxxxxxxxxxxxx
> >> > Hi,
> >> > I am configuring a virtual directory pointing to a UNC within the same
> >> > domain as the IIS server (Win 2003 server). The authentication setting is
> >> > set to Network Credentials of Users. The rest all like Anonymous access,
> >> > etc. are unchecked. ACLs are set up in the file server (UNC) thereby
> >> > controlling access on the list of people who would be accessing the file
> >> > server normally without the IIS.
> >> >
> >> > Even though I have access to both the web server as well as the file
> >> > servers separately, I am not able to access the files using the virtual
> >> > directory. For ex: \\myserver1\fileshare is set to the virtual directory
> >> > http://myserver2/fileshare.
> >> >
> >> > Now when a file like say http://myserver2/fileshare/file1.ext is being
> >> > accessed, even though the credentials were supplied, it prompts for the
> >> > username and password as if the supplied credentials were incorrect.
> >> >
> >> > I thought it might be a double hop issue, but when I try to access the
> >> > path from the server with http://myserver2/fileshare/file1.ext, even
> >> > then, I get the same issue.
> >> >
> >> > I guess there should be no issue with IIS using the network credentials
> >> > directly. One catch is that as per the organisation's IT policy, web
> >> > servers cannot be allowed delegation. Is there any way the above issue
> >> > can be resolved?
> >> >
> >> > Any help appreciated in advance.
> >> >
> >> > Rgds.
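An added example, not from this thread or from Microsoft, of what the delegation setting David describes looks like from the domain admin's side: audit the web server's computer account for the double-hop state and grant Kerberos constrained delegation to the file server's CIFS service only. It assumes the RSAT ActiveDirectory module and domain-admin rights; the server names are the thread's, while the domain suffix and SPN strings are placeholders.

```powershell
# Added example, not from the thread: audit the IIS host's Kerberos delegation
# state and grant constrained delegation to a single CIFS SPN. Assumes the RSAT
# ActiveDirectory module and domain-admin rights (which Jay says he lacks).
Import-Module ActiveDirectory

$WebServer  = 'myserver2'                  # IIS host from the thread
$FileServer = 'myserver1.example.local'    # UNC host; FQDN suffix is a placeholder
$TargetSpn  = "cifs/$FileServer"           # file service only, not "any service"

function Get-DelegationState {
    param([string]$ComputerName)
    $props   = 'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'
    $acct    = Get-ADComputer -Identity $ComputerName -Properties $props
    $targets = @($acct.'msDS-AllowedToDelegateTo')
    # Constrained delegation is Kerberos-only; without an HTTP SPN the browser
    # falls back to NTLM and IIS never receives a forwardable ticket to pass on.
    $httpSpns = @(@($acct.servicePrincipalName) -match '^HTTP/')
    if ($acct.TrustedForDelegation) {
        $mode = 'Unconstrained'   # may impersonate any user to any service: avoid
    } elseif ($targets.Count -gt 0) {
        $mode = 'Constrained'
    } else {
        $mode = 'None'            # the thread's double-hop failure: no second hop
    }
    [pscustomobject]@{
        Computer = $ComputerName
        Mode     = $mode
        Targets  = $targets -join ', '
        HttpSpn  = ($httpSpns.Count -gt 0)
    }
}

function Grant-ConstrainedDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName, [string[]]$Spn)
    # -Add appends to the multi-valued attribute; -Replace would drop existing entries.
    # TrustedForDelegation stays $false, so the account never becomes unconstrained.
    if ($PSCmdlet.ShouldProcess($ComputerName, "allow delegation to $($Spn -join ', ')")) {
        Set-ADComputer -Identity $ComputerName -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
    }
}

# Report the current state first, then preview the change (drop -WhatIf to apply).
Get-DelegationState -ComputerName $WebServer | Format-List
Grant-ConstrainedDelegation -ComputerName $WebServer -Spn $TargetSpn -WhatIf
```

A `Mode` of `None` with `HttpSpn` false means the share will keep prompting exactly as Jay describes, and neither setting can be fixed from the web server itself.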