Re: Virtual Directory to a remote UNC not working properly



David,

Thanks for the feedback and direction on my 2 questions.

I am in the process of making the changes and I have been reading the doc on
configuring IIS with remote stored content.

I'll let you know how it works out!
--
Dave


"David Wang" wrote:

1. Yes. Syntax works as
http://server-to-communicate-HTTP-with/virtual-URI

So, you should give the public IP of the webserver handling the Website
containing the UNC Vdir, and then the vdir mapping you provided
(/Public goes to \\flnas01\...), and then the rest of the directory
structure follows from that vdir mapping.

2. Read the NAS and IIS6 URL of my prior email. It has all necessary
configuration details and links on how to configure it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


dhoops wrote:
David,

Thanks for all this great info! I do have a couple of questions for clarity's
sake:

1. When connecting to the NAS file via
'http://public.webserver.IP.address/unc-vdir/blahblahblah' links ... should
I actually be entering the following:
'http://public.webserver.IP.address' (where address is the IP address of the
webserver) / 'unc-vdir' (where unc-vdir is the name I give the UNC vdir on IIS,
such as 'Public') / then the rest of the path on the NAS drive?

2. Since we have active directory setup on our network you said all I need
to do is configure 'Protocol Transitioning' and then I can use any
authentication protocol on IIS... Where do I configure 'Protocol
Transitioning'?

Thanks-Dave
--
Dave


"David Wang" wrote:

Thanks for the info. Some more requirements need to be gathered before
determining the correct configuration.

- Your web pages cannot contain file:// or \\flnas01 links if you want
it to work from the Internet.

If your web page MUST contain file:// or \\flnas01 links, then you will
need to open more holes in the firewall to allow RPC and UNC ports as
well as publish your flnas01 server to be accessible via the Internet.
Obviously, this sort of web page does NOT do what you want - make files
on NAS server available via Web Server (instead, it is making your NAS
server available via the Internet because your Web Server exposed its
name), and this approach is also heavily discouraged due to security
concerns.

It is easier and safer to configure a UNC vdir on IIS to point to
\\flnas01 UNC shares on NAS, and for your web pages to use
http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD
OF \\flnas01 links). This single page will work from both Intranet and
Internet with minimal security concerns.

If you do the above, but you want to optimize Intranet traffic to not
go through http://public.webserver.IP.address/unc-vdir, then you should
create two websites, one internal and the other external. This takes
more effort to maintain, and your router may not be smart enough to
support it.
- Internal website: web page uses \\flnas01 links, and bound to
http://internalWebServer
- External website: web page uses
http://public.webserver.IP.address/unc-vdir links, and bound to
http://public.webserver.IP.address


- In order for a vdir pointing to a UNC share to work, it has to use an
authentication protocol that supports Delegation. NTLM/Digest do not,
so your current failure is by-design. Each protocol has its
pluses and minuses, and the correct choice depends on your needs. The following
URL provides an excellent background and motivation:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

Applying that knowledge to your particular needs:
- Anonymous authentication works, but it means ALL users accessing
NAS server via the web server appear as the configured Anonymous User
on IIS, preventing repudiation (i.e. auditing who accessed what files
on the NAS). You may not care about the auditing, in which case
Anonymous authentication is easiest.
- Basic authentication works, but it passes username/password in the
clear, so you must protect it with SSL. This means you have to purchase
an SSL Server Certificate and maintain it. If you control all Web
Browsers used by your users, you can avoid paying for SSL Server
Certificate by creating your own SSL Certificate and inserting it into
the Trusted Root Store of all Web Browser machines (remember, you can
do this because you control all Web Browsers - if you do not control
all Web Browsers of your users, this approach does not work
effectively).
- Kerberos works, but it requires setting up Active Directory and
configuring Delegation.

Since you want the solution to work both for Internet and Intranet, the
following choices are simplest:
- If you want to expose NAS over Web Server and you do not care to know
what user accessed which files (i.e. any user can access any file on
the NAS), then use Anonymous Authentication on IIS and configure its
Anonymous User to be a user that you also ACL on the NAS UNC share.
- If you want to expose NAS over Web Server and you DO care about which
user accesses which files (i.e. users can only access the files ACL'd to
them on the NAS), then use Basic over SSL.
- If you want to expose NAS over Web Server, you care about which user
accesses which files, and you have an Active Directory already, then
configure Protocol Transitioning and you can use any authentication
protocol on IIS (including NTLM).

There are other solutions, of more complexity, offering different
security-based tradeoffs.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



dhoops wrote:
David,

Thanks for the reply. What you wrote below is exactly what I am trying to
do... i.e. make files from the NAS file server available to users on the inside
(on the Intranet) and from the outside (on the Internet) via our web server
in general... These files are linked through pages on the web site.

It appears my security is not set up correctly?

--
Dave


"David Wang" wrote:

Can you describe what you are trying to do so that we can help you with
correct configuration? It sounds like you have a web server and a NAS
file server in your Intranet, and you are trying to make the files on
the NAS file server available via the web server, to people both inside
your Intranet and on the Internet.

The behaviors you describe are actually all normal and by-design.

When trying to access a file on the virtual directory from outside the
domain or on the domain I get the following message "You are not authorized
to view this page..."
This is because of "double hop" using NTLM with a UNC Virtual
Directory. Lots of people hit this, and there are well documented ways
to make this scenario work. Please search for those solutions.


If I access a file on the UNC from within the domain without using the
virtual dir I have no problems. If I access a file on the UNC from outside
the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
make sure the path or internet address is correct."
This is because the name "flnas01" is not known to the computer/browser
outside the domain.

If you got that error by clicking on a link on a web page, it means
your web page content is incorrect because it has a UNC file reference
(which is valid only on the Intranet OR if you expose the flnas01
server to the entire world outside your domain). If you want the web
page to work outside the domain, you will have to find a suitable way
to expose your flnas01 server outside the domain, which may not be what
you want.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




dhoops wrote:
Setup:
IIS 6.0, Windows 2003 sp1 server.
Web server and UNC server are on the same domain.
Using 'Integrated Windows' and 'Digest' Authentication on both the Intranet
site and the virtual directory on the web server.

Problem:
When trying to access a file on the virtual directory from outside the
domain or on the domain I get the following message "You are not authorized
to view this page...
You do not have permission to view this directory or page due to the access
control list (ACL) that is configured for this resource on the web server.
HTTP error 401.3 - Unauthorized: Access is denied due to an ACL set on the
requested resource (IIS)."

If I access a file on the UNC from within the domain without using the
virtual dir I have no problems. If I access a file on the UNC from outside
the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
make sure the path or internet address is correct."

Any direction or insight would be appreciated!
--
Dave
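David's point that the pages must link to http://public.webserver.IP.address/unc-vdir/... rather than to file:// or \\flnas01 paths can be checked mechanically before publishing. The script below is an added example, not from the thread: it scans a page's hrefs for UNC and file:// references, rewrites those whose share is exposed through a UNC vdir (the \\flnas01\public share and the /Public vdir name are assumed), and reports the rest, which would still fail from the Internet.

```python
import re
from urllib.parse import quote

# Assumed mapping: UNC share root (lower-case) -> URL of the IIS UNC vdir exposing it.
# Only the /Public vdir from the thread is listed; the share name is constructed.
SHARE_TO_VDIR = {r"\\flnas01\public": "http://public.webserver.IP.address/Public"}
HREF_RE = re.compile(r'(href\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE)

def unc_from_href(href):
    # Normalise a file:// or raw UNC href to \\server\share\path; None if not UNC.
    h = href.strip()
    if h.lower().startswith("file:"):
        h = h[5:]                          # file://server/share or file:////server/share
    elif not h.startswith("\\\\"):
        return None                        # http://, mailto:, relative: leave alone
    h = h.lstrip("/\\").replace("/", "\\")
    return "\\\\" + h if "\\" in h else None   # need at least server and share

def unc_to_vdir_url(unc):
    # Map \\server\share\rest to the vdir URL; None if no vdir exposes that share.
    parts = unc.lstrip("\\").split("\\")
    base = SHARE_TO_VDIR.get(("\\\\" + parts[0] + "\\" + parts[1]).lower())
    if base is None:
        return None
    rest = "/".join(quote(p) for p in parts[2:])
    return base + "/" + rest if rest else base

def rewrite_links(html):
    # Rewrite every mappable UNC/file:// href to its vdir URL. Returns (new_html,
    # hrefs still pointing at unexposed shares); those fail from the Internet.
    unmapped = []
    def repl(m):
        unc = unc_from_href(m.group(3))
        if unc is None:
            return m.group(0)
        url = unc_to_vdir_url(unc)
        if url is None:
            unmapped.append(m.group(3))
            return m.group(0)
        return m.group(1) + m.group(2) + url + m.group(2)
    return HREF_RE.sub(repl, html), unmapped

# Constructed sample page: one correct link, two mappable UNC/file:// links, one not.
SAMPLE_HTML = (
    '<a href="http://public.webserver.IP.address/index.htm">home</a>\n'
    '<a href="\\\\flnas01\\public\\docs\\policy.pdf">policy</a>\n'
    '<a href="file://flnas01/public/forms/w 4.pdf">form</a>\n'
    '<a href="\\\\flnas01\\private\\hr.xls">hr</a>\n'
)
FIXED_HTML, INTRANET_ONLY = rewrite_links(SAMPLE_HTML)
```

Anything listed in INTRANET_ONLY either needs its own UNC vdir on the web server or must be removed from the external site.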

