IIS 6 & UNC Share Security Issue

#11 | 08-27-2008, 04:53 PM | Pablo A. Allois (Guest)
Re: IIS 6 & UNC Share Security Issue

Ok.
Now try this:

* Go to the admin tool for the cluster (cluadmin)
* In the Resource Share that contains the files of the web site, add this
permission:
rcareyad Read
* Go to the node of the file server that has the resource, and check with the
server admin tool that the permission was applied to the share locally
* On another machine, try to map the share with this user's credentials:
net use * \\cluster\sharename /U:domain\rcareyad

Now try again to view the website with that user while running procmon.

Regards!

"Rob C." <RobC@discussions.microsoft.com> wrote in message
news:D2EC329E-0550-4799-8C6E-2A5E64859242@microsoft.com...
> I have looked at this program. It shows me that I get an "Access Denied"
> error to the folder that I have changed the rights on.
> The access being denied is for the account rcareyad; this account does
> have full NTFS rights on the folder (http://stieurl.domain.com/_Secure).
> The _Secure folder is where the rights are changed.
>
> I think it is something to do with the account used in the login as:
> within IE for the UNC path (same account being used for the application
> pool), being removed access to the _secure folder. I would assume that the
> login would prompt like it is, but using an account that has the right NTFS
> permissions gets the error. I would think something to do with multiple
> authentication or not "impersonating" correctly?
>
> "Pablo A. Allois" wrote:
>
>> Please, make the troubleshooting with procmon, to see more exactly what
>> is the problem.
>>
>> Regards!
>>
>> "Rob C." <RobC@discussions.microsoft.com> wrote in message
>> news:480E20C0-4E20-4032-B096-843357E4E5C0@microsoft.com...
>> > Thanks for your reply Pablo!
>> >
>> > I am and have been able to get the configuration to work that you
>> > mention in the first part / Guide.
>> > It is when I try to secure the folder so that the clients would need to
>> > login using a different account rather than the one that is being used
>> > for anonymous access (Connect as: account) due to removing that account
>> > from the NTFS rights on the share. I have tried about everything and am
>> > now going to look at different options. Currently our IIS boxes are
>> > 32bit and the file cluster is 64 bit and all are VMs inside VMware ESX
>> > 3.5. Although I don't think any of this should matter.
>> >
>> > What are others doing to create a central IIS web services? We have
>> > multiple sites and would like to ensure they are all redundant. I
>> > thought that having multiple front end servers connected to a back end
>> > cluster would be simple, this way we did not need to worry about data
>> > replication or what boxes the clients connected to to do the updates.
>> > Anyone have any suggestions?
>> >
>> > Thanks again for your time folks.



#12 | 08-29-2008, 08:52 AM | Pablo A. Allois (Guest)
Re: IIS 6 & UNC Share Security Issue

Hi Rob,

How is the problem?

#13 | 08-29-2008, 11:03 AM | Rob C. (Guest)
Re: IIS 6 & UNC Share Security Issue

Good Day Pablo & Others!

I looked into your steps, after adding the account to the cluster resource
the rights do appear under the sharing / security tab. Still the same results
when browsing the site though. I am able to map to the folder through a
command prompt.

I have started to create another couple of VMs to re-create the setup in the
event there was a configuration problem. Once done, I will try the config you
pointed out, this time without the cluster and instead just a separate box
with a share.

Will be in touch.

#14 | 08-29-2008, 01:55 PM | Pablo A. Allois (Guest)
Re: IIS 6 & UNC Share Security Issue

Ok, if you are able to browse the file through the UNC share ... make the
request to IIS again and log the access with ProcMon ... there should
be another, different access denied.

Is the web application ASPX?
Did you check the web.configs for security settings?

Regards!

#15 | 09-03-2008, 04:10 PM | Rob C. (Guest)
Re: IIS 6 & UNC Share Security Issue

Ok, so I have gone through all the notes and re-done the setup. Here is what
I can see happening:

Here is the domain config:

cd.domain.com = child domain, windows network, internal
domain.com = external access, all clients hit domain.com to get sites.

When I use the URL http://server/_Secure it works.
When I use the URL http://server.cd.domain.com/_Secure it does not work.
When I use the URL http://server.domain.com/_Secure it does not work.
All URLs are set up as host headers on the IIS Server. All other
configuration is kept the same.

I have added an SPN for the IIS server. Both for the local host only, the FQDN
of the full child domain, and the FQDN for the external domain. All for the
same internal domain user account. This account is also being used for
anonymous access and for the application pool, and for the UNC connect as
account.
It does not have anything to do with the cluster as I have moved the files
off to a stand alone box, still through a UNC.

In all cases the anonymous access works, it is when I remove the anonymous
account from a folder and give a cd.domain.com account access. Although it
processes for a login, the login does not work.

I hope this makes sense to some of you.
#16 | 09-09-2008, 04:14 PM | Pablo A. Allois (Guest)
Re: IIS 6 & UNC Share Security Issue

Sorry, Rob, it does not make much sense to me.

If the three URLs are using the same web site, and one URL is working ... I
suppose that you do not have any permission problem.

This looks like,
"When I use the url http://server/_Secure it works" ... because your browser
detects that the webserver is in the local intranet zone and sends the current
client credentials.

"When I use the URL http://server.cd.domain.com/_Secure it does not work"
and ...
"When I use the URL http://server.domain.com/_Secure it does not work"
Your browser DOES NOT detect that the webserver is in the local intranet
zone and asks for the credentials to access ... after the user enters the
credentials ... we expect that the user gets logged in ok ... otherwise the
user is typing a bad password or username. (sorry for my English)

Are you sure that the user is typing the credentials correctly? Did you try
using the NetBIOS name like DOMAIN\UserName?

Could you try using "Basic authentication" and leave "Integrated
authentication" unchecked? Just a try.


Regards!

#17 | 09-10-2008, 12:48 AM | David Wang (Guest)
Re: IIS 6 & UNC Share Security Issue





Please define what you mean by "it does not work". What are the error
codes (HTTP status/substatus/Win32) that are logged for them by IIS?

Having behavior change with different hostnames illustrates a client-side
behavior change in authentication protocol. http://server is treated
as Local Intranet by IE while http://server.domain.com (with dots in
it) is treated as Internet Zone. Both Zones have different
login/authentication protocol allowance settings.

If you want to get authentication out of the picture, use Basic. The
most insecure protocol but also the one that tends to "work" because
it is so insecure.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
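The status/substatus/Win32 triple requested above can be pulled from the IIS W3C log and grouped by host header, so the three URLs can be compared side by side. This is an added example, not code from the thread; the log lines are constructed, the function names are hypothetical, and it assumes the `cs-host`, `sc-substatus` and `sc-win32-status` fields are enabled in the site's logging properties.

```python
from collections import Counter

# Constructed IIS 6 W3C extended log lines (sample data, not from the thread).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username cs-host sc-status sc-substatus sc-win32-status
2008-09-03 20:10:01 GET /_Secure/ CD\rcareyad server 200 0 0
2008-09-03 20:11:15 GET /_Secure/ - server.cd.domain.com 401 2 2148074254
2008-09-03 20:11:22 GET /_Secure/ - server.cd.domain.com 401 1 1326
2008-09-03 20:12:40 GET /_Secure/ - server.domain.com 401 2 2148074254
2008-09-03 20:12:48 GET /_Secure/ CD\rcareyad server.domain.com 401 3 5
"""

SUBSTATUS = {"1": "logon failed",
             "2": "logon failed due to server configuration",
             "3": "unauthorized due to ACL on resource"}
WIN32 = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE",
         2148074254: "SEC_E_NO_CREDENTIALS"}


def parse_w3c(text):
    """Map each entry to {field: value} using the most recent #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is configurable per site
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):   # skip truncated entries
                rows.append(dict(zip(fields, values)))
    return rows


def zone_hint(host):
    """Default IE zone as described in the thread: a dotless name is intranet."""
    return "Local Intranet" if "." not in host else "Internet"


def auth_failures(rows):
    """Count 401 responses per (host header, status.substatus, Win32 code)."""
    counts = Counter()
    for r in rows:
        if r["sc-status"] == "401":
            key = (r["cs-host"], "401." + r["sc-substatus"], int(r["sc-win32-status"]))
            counts[key] += 1
    return counts


def report(text):
    """One summary line per distinct failure, sorted by host header."""
    lines = []
    for (host, code, win32), n in sorted(auth_failures(parse_w3c(text)).items()):
        meaning = SUBSTATUS.get(code.split(".")[1], "other")
        lines.append(f"{host} [{zone_hint(host)}] {code} ({meaning}) "
                     f"win32={win32} {WIN32.get(win32, 'unknown')} x{n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A 401.2 on its own is commonly just the initial authentication challenge; a 401.1 or 401.3 that follows it separates a credential problem from an ACL problem.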