Re: Virtual Directory to a remote UNC not working properly



David,

Thanks for the feedback!

I will implement your suggestions to make the site more global and not just
Windows-oriented.

In addition, I want to thank you for your help and direction on this entire
security project. You greatly simplified things for me.
--
Dave


"David Wang" wrote:

I recommend that you use:
<node label="Public Test" url="/Public/IT information/Tips/Contacts - Keeping track.doc" />

Because it:
1. matches up with your actual URL. I recommend against using parent
paths (../ ).
2. Please use "/" instead of "\" (which was originally in front of
"Contacts") in a URL

It is a common mistake, and some programs will automatically flip "\"
to "/" (and vice versa) depending on the situation, but not all programs.
So it is a good habit to know.

Basically, "\" is commonly used as the Windows directory separator, so
it only applies when you are providing a name for a file on a Windows
machine. "/" is commonly used as the URL segment separator as well as
on filesystems on Unix or Linux.

In this case, you are providing a name for a URL. Thus you should use "/"
and not "\".


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


dhoops wrote:
David,

Disregard my prior email...

I have resolved my issue... The following xml code resolves the login issue
both from the internet and intranet...

<node label="Public Test" url="../Public/IT information/Tips\Contacts - Keeping track.doc" />

This uses the unc-vdir path and references back to the root of the default
site, which works for both the intranet and internet. Thanks for all your
help!

Have a good holiday!

--
Dave


"David Wang" wrote:

The reason you get a login popup from the Intranet is because browsers do
not auto-login to Internet addresses by default.

What is going on is this:
- From Internet - when you access http://public.webserver.ip/ , the web
browser does not auto-login by default and pops up the login dialog box.
After logging in, it eventually accesses a page with a NAS URL that looks
like http://public.webserver.ip/UNC-vdir/SomeFile.ext , which falls
under the authentication to http://public.webserver.ip/ , hence no
additional logins.
- From Intranet - when you access http://internalWebServerIP/ , the web
browser auto-logins by default for the Intranet. After logging in, it
eventually accesses a page with a NAS URL that looks like
http://public.webserver.ip/UNC-vdir/SomeFile.ext . This dotted address
is in the Internet Zone by default and the browser does not auto-login, thus
you get a login dialog box.

In other words, using a NAS URL of
http://public.webserver.ip/UNC-vdir/SomeFile.ext will always require a
login dialog box regardless of where the user came from BECAUSE it is
considered a dotted IP-address and a part of Internet Zone which does
not auto-login.

I do not understand why you do not create NAS URLs using relative links
that look like:
<A href="/UNC-vdir/SomeFile.ext">SomeFile.ext</A>

Because that is no longer a dotted-IP address and would fall under
auto-login in Intranet and manual login on Internet.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
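A link audit for the two points David makes above (backslashes and parent paths in the sitemap node URLs, and absolute dotted-IP URLs that land in the browser's Internet zone), as an added example that is not from this thread; the sitemap fragment, the host 203.0.113.10 and the share paths are constructed placeholders, and the rewrite assumes the referring page sits at the site root.

```python
import ipaddress
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sitemap fragment; hosts, share and file names are placeholders, not the poster's.
SAMPLE_SITEMAP = r"""<siteMap>
  <node label="Public Test" url="../Public/IT information/Tips\Contacts - Keeping track.doc" />
  <node label="Shared report" url="http://203.0.113.10/UNC-vdir/SomeFile.ext" />
  <node label="Raw share" url="file://\\flnas01\share\report.xls" />
  <node label="Good link" url="/Public/IT information/Tips/Contacts - Keeping track.doc" />
</siteMap>"""

def is_unc_or_file(url):
    """file:// and \\server links only resolve inside the domain (or expose the NAS itself)."""
    return url.lower().startswith("file:") or url.startswith("\\\\")

def audit_link(url):
    """Return the problems the thread warns about for one link (empty list if clean)."""
    if is_unc_or_file(url):
        return ["UNC/file reference: only works on the Intranet, never from the Internet"]
    problems = []
    if "\\" in url:
        problems.append("backslash in URL: '\\' is a Windows path separator, use '/'")
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme in ("http", "https") and parts.hostname:
        try:
            ipaddress.ip_address(parts.hostname)
            problems.append("dotted-IP host: falls in the Internet zone, so no auto-login")
        except ValueError:
            pass  # a hostname, not an IP literal: zone lookup by name applies
    elif ".." in parts.path.split("/"):
        problems.append("parent path (../): resolution depends on the referring page")
    return problems

def suggest_fix(url):
    """Root-relative rewrite (assumes the page is at the site root); None for UNC/file links."""
    if is_unc_or_file(url):
        return None  # needs the IIS UNC vdir mapping, which this script does not know
    if not audit_link(url):
        return url
    path = urlsplit(url.replace("\\", "/")).path
    return posixpath.normpath("/" + path.lstrip("/"))

def audit_sitemap(xml_text):
    """Map each <node label> to (problems, suggested url) for every node in the sitemap."""
    root = ET.fromstring(xml_text)
    return {n.get("label"): (audit_link(n.get("url")), suggest_fix(n.get("url")))
            for n in root.iter("node")}
```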



dhoops wrote:
David,

I have broken through! Woo Hoo!!

My current authentication method on the Web Server is only set to Integrated
Windows, and I have configured Active Directory to have the Web Server
delegate for all protocols...

When I tested from an outside address I only had to log on to the site, and
then accessing the file on the NAS drive worked with no additional logon.

When I tested internally I did not have to log on to the site, but when I
accessed the file on the NAS drive I had to log on with my username and
password to access the file... I said save my password and from that point on
I did not have to log on again from the Intranet (internally).

Will other users have to do this, or is there a config setting I can employ
to avoid having a logon dialog pop up when accessing NAS files from the
Intranet?

Thanks.
--
Dave


"David Wang" wrote:

1. Yes. Syntax works as
http://server-to-communicate-HTTP-with/virtual-URI

So, you should give the public IP of the webserver handling the Website
containing the UNC Vdir, and then the vdir mapping you provided
(/Public goes to \\flnas01\...), and then the rest of the directory
structure follows from that vdir mapping.

2. Read the NAS and IIS6 URL of my prior email. It has all the necessary
configuration details and links on how to configure it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


dhoops wrote:
David,

Thanks for all this great info! I do have a couple of questions for clarity's
sake:

1. When connecting to the NAS file via
'http://public.webserver.IP.address/unc-vdir/blahblahblah links' ... Should
I actually be entering the following:
'http://public.webserver.IP.address,(where address is ip address of the
webserver)/unc-vdir,where unc-vdir is the name I give the unc-vdir on IIS
such as 'Public'/then the rest of the path on the NAS drive ?

2. Since we have Active Directory set up on our network, you said all I need
to do is configure 'Protocol Transitioning' and then I can use any
authentication protocol on IIS... Where do I configure 'Protocol
Transitioning'?

Thanks-Dave
--
Dave


"David Wang" wrote:

Thanks for the info. Some more requirements need to be gathered before
determining the correct configuration.

- Your web pages cannot contain file:// or \\flnas01 links if you want
it to work from Internet.

If your web page MUST contain file:// or \\flnas01 links, then you will
need to open more holes in the firewall to allow RPC and UNC ports as
well as publish your flnas01 server to be accessible via the Internet.
Obviously, this sort of web page does NOT do what you want - make files
on NAS server available via Web Server (instead, it is making your NAS
server available via the Internet because your Web Server exposed its
name), and this approach is also heavily discouraged due to security
concerns.

It is easier and safer to configure a UNC vdir on IIS to point to
\\flnas01 UNC shares on NAS, and for your web pages to use
http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD
OF \\flnas01 links). This single page will work from both Intranet and
Internet with minimal security concerns.

If you do the above, but you want to optimize Intranet traffic to not
go through http://public.webserver.IP.address/unc-vdir, then you should
create two websites, one internal and the other external. This takes
more effort to maintain, and your router may not be smart enough to
support it.
- Internal website: web page uses \\flnas01 links, and bound to
http://internalWebServer
- External website: web page uses
http://public.webserver.IP.address/unc-vdir links, and bound to
http://public.webserver.IP.address


- In order for a vdir pointing to UNC share to work, it has to use an
Authentication protocol that supports Delegation. NTLM/Digest do not,
so your current failure is by-design. Choice of each protocol has its
plus and minus, and correct choice depends on your needs. The following
URL provides an excellent background and motivation:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

Applying that knowledge to your particular needs:
- Anonymous authentication works, but it means ALL users accessing
NAS server via the web server appear as the configured Anonymous User
on IIS, preventing repudiation (i.e. auditing who accessed what files
on the NAS). You may not care about the auditing, in which case
Anonymous authentication is easiest.
- Basic authentication works, but it passes username/password in the
clear, so you must protect it with SSL. This means you have to purchase
an SSL Server Certificate and maintain it. If you control all Web
Browsers used by your users, you can avoid paying for SSL Server
Certificate by creating your own SSL Certificate and inserting it into
the Trusted Root Store of all Web Browser machines (remember, you can
do this because you control all Web Browsers - if you do not control
all Web Browsers of your users, this approach does not work
effectively).
- Kerberos works, but it requires setting up Active Directory and
configuring Delegation.

Since you want the solution to work both for Internet and Intranet, the
following choices are simplest:
- If you want to expose NAS over Web Server and you do not care to know
what user accessed which files (i.e. any user can access any file on
the NAS), then use Anonymous Authentication on IIS, and configure its
Anonymous User to be a user that you also ACL on the NAS UNC share.
- If you want to expose NAS over Web Server and you DO care about which
user accesses which files (i.e. users can only access the files ACL'd to
them on the NAS), then use Basic over SSL.
- If you want to expose NAS over Web Server, you care about which user
accesses which files, and you have an Active Directory already, then
configure Protocol Transitioning and you can use any authentication
protocol on IIS (including NTLM).

There are other solutions, of more complexity, offering different
security-based tradeoffs.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



dhoops wrote:
David,

Thanks for the reply. What you wrote below is exactly what I am trying to
do... i.e. make files from the NAS file server available to users on the inside
(the Intranet) and from the outside (the Internet) via our web server
in general... These files are linked through pages on the web site.

It appears my security is not setup correctly?

--
Dave


"David Wang" wrote:

Can you describe what you are trying to do so that we can help you with
correct configuration? It sounds like you have a web server and a NAS
file server in your Intranet, and you are trying to make the files on
the NAS file server available via the web server, to people both inside
your Intranet and on the Internet.

The behaviors you describe are actually all normal and by-design.

When trying to access a file on the virtual directory from outside the
domain or on the domain I get the following message "You are not authorized
to view this page...
This is because of "double hop" using NTLM with a UNC Virtual
Directory. Lots of people hit this, and there are well documented ways
to make this scenario work. Please search for those solutions.


If I access a file on the UNC from within the domain without using the
virtual dir I have no problems. If I access a file on the UNC from outside
the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
make sure the path or internet address is correct.
This is because the name "flnas01" is not known to the computer/browser
outside the domain.

If you got that error by clicking on a link on a web page, it means
your web page content is incorrect because it has a UNC file reference
(which is valid only on the Intranet OR if you expose the flnas01
server to the entire world outside your domain). If you want the web
page to work outside the domain, you will have to find a suitable way
to expose your flnas01 server outside the domain, which may not be what
you want.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

