Re: UNC Virtual Directories; NTFS permission authentication not ac

Every server is Windows 2003 R2 (web and file server).

I had delegation enabled on the web server to the file server for the HOST
and cifs services in a Windows 2003 native mode active directory.

I am interested in knowing what you think should have been done differently.
I am all for securing the data as much as possible, as long as it works.

Thank you for your response.

"David Wang" wrote:

While I am happy that you have found a solution to your situation, I
have to say that Delegation is NOT the problem. And using Basic over
SSL is NOT necessarily the correct solution.

Basic over SSL is basically the "I give up because I don't understand
delegation" solution because it is insecure, though in your situation
you are using a non-important ConnectAs user whose delegation
properties you do not need to secure.

In other words, Basic/SSL is a passable workaround for your needs, but
it is definitely not the correct solution for the general issue of
delegation which surfaces as soon as you want users to use your web
server to access resources on another server.

What OS is providing the CIFS file services?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Apr 5, 1:56 pm, Jason Carter
<JasonCar...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Just an update here, I found a solution, though it is not what I expected.

Everything I read said that I needed to add the Delegation rights from the
web server to the file server (HOST and cifs). This turned out to be the
problem. Once I removed those delegation rights AND removed the Integrated
Windows Authentication option (leaving only Basic Authentication checked) the
system worked like it I had hoped, authenticating based on the NTFS
permissions of the folder the UNC path was pointing to.

This works fine for me since the SSL is required on all connections.

Thanks to anyone who took a look at this and tried to help!!



"Jason Carter" wrote:
This one is driving me crazy. Here is the environment:

I have one web server, Windows 2003 R2; IIS 6.0, and a files server running
Windows 2003 R2. Both servers are part of a Windows 2003 native Active
Directory domain.

Virtual directories have been created on the web server pointing to a UNC
share: \\hrfile1\https clients\xxxx. Permissions on the https clients share
and the xxxx directory are locked down using NTFS permissions and the virtual
directory is setup with a "connect as" username or password instead asking
for credentails. SSL is required, anonymous access is unchecked, integrated
Windows authentication is checked. In addition, hrweb1 is setup for
delegation to hrfile1 for the HOST can cifs services.

The problem I have is that every time I access the site I am prompted for my
username and password, but even though I enter an username/password that is
authorized, the login screen keeps popping back up. I have created test
directories where share and NTFS permissions are set to EVERYONE - Full
control and still get prompted over and over for credentials.

If I use the "connect as" option, I am prompted for creditails and allowed
in, but once in I can browse to any folder, even ones that I am not allowed
access to, so that is not an option.

If anyone can help me out, I would really appreciate it.

It may not matter, but the web server is part of a network load balanced
system, though I am not testing with the nlb address, just the local address
on one system.- Hide quoted text -

- Show quoted text -



.

Relevant Pages

  • Re: Propagating caller identity across applications from a bare ASMX Service method to a WSE3 Servic
    ... Directory Domain as the server computer and the server App Pool run-as ... Windows 2003 Server mode -- they may be in Windows 2000 mixed mode. ... to be configured so as to use kerberos delegation. ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Kerberos, Delegation, and Win2.3K
    ... Server fax server... ... Windows 2003 Server with a Shared Fax ... has been trusted for delegation. ... If IIS is setup to use Windows Authentication, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: kerberos sudenly stop working on an IIS server
    ... D_DebugLogClient %wZ sent AS request with no server name\n") ... Windows XP and Windows Server 2003 will recover from this automatically. ... For information about setting up service accounts for delegation, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Linked Server - Windows Authentication passthrough?
    ... I agree with him that delegation cannot be set up ... It is a feature of Windows 2000. ... mapping to a SQL login would be necessary. ... | Subject: Re: Linked Server - Windows Authentication passthrough? ...
    (microsoft.public.sqlserver.security)
  • Re: CIFS improvements/wider testing needed
    ... We have had multiple people reproduce the strange ... > Unix mode bits to Windows ACLs when umask is set to certain values or 2) ... > a strange combination of share permissions and ntfs acls on the server ... CIFS) to avoid corrupting the old one, then modyfy it, ...
    (Linux-Kernel)