IIS 6 & UNC Share Scurity Issue

Good Day Folks,

We are trying to configure the following:
- 3 node IIS 6 (Windows 2003 WEB) servers using an Alteon swithc for the
load balancing.
- 2 Node Windows Server 2003 R2 file cluster for the data share.

I can get everything to work correctly when storing the data locally on the
3 IIS servers. We use anonymous access for them. Thsi account is a domain
account that has been given the proper access.

the problem happens when we move the data to the Cluster via a UNC Path.
Althogh we can still access the site anonymously, when we try to secure one
folder by removing the anonymous access and providing a different domain
account we are unable to log in. and get an error (See bellow the SNIP line).

I have read all I can find on this but nothing seems to work.

To re-iterate, we can access the website through IIS with the data on the
UNC share via the anonymous account. When we try to secure one of the folders
on the path, we get the error.

Thank you all for your time.


-----SNIP-----
You do not have permission to view this directory or page due to the access
control list (ACL) that is configured for this resource on the Web server.
--------------------------------------------------------------------------------

Please try the following:

Contact the Web site administrator if you believe you should be able to view
this directory or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the
requested resource.
Internet Information Services (IIS)

It looks like you haven't configure the "Network Directory Security
Credentials".

In the tab Network Directory, click on the "Connect as" button, then define
the credentials to access to the share.
There, you configure a user to access to the share, and then restrict the
permission on the share and ntfs to allow access only to that user.


Saludos!


"Rob C." <RobC@discussions.microsoft.com> wrote in message
news:A10B19F1-AF64-4188-9326-6CC12AB34A54@microsoft.com...
> Good Day Folks,
>
> We are trying to configure the following:
> - 3 node IIS 6 (Windows 2003 WEB) servers using an Alteon swithc for the
> load balancing.
> - 2 Node Windows Server 2003 R2 file cluster for the data share.
>
> I can get everything to work correctly when storing the data locally on
> the
> 3 IIS servers. We use anonymous access for them. Thsi account is a domain
> account that has been given the proper access.
>
> the problem happens when we move the data to the Cluster via a UNC Path.
> Althogh we can still access the site anonymously, when we try to secure
> one
> folder by removing the anonymous access and providing a different domain
> account we are unable to log in. and get an error (See bellow the SNIP
> line).
>
> I have read all I can find on this but nothing seems to work.
>
> To re-iterate, we can access the website through IIS with the data on the
> UNC share via the anonymous account. When we try to secure one of the
> folders
> on the path, we get the error.
>
> Thank you all for your time.
>
>
> -----SNIP-----
> You do not have permission to view this directory or page due to the
> access
> control list (ACL) that is configured for this resource on the Web server.
> --------------------------------------------------------------------------------
>
> Please try the following:
>
> Contact the Web site administrator if you believe you should be able to
> view
> this directory or page.
> Click the Refresh button to try again with different credentials.
> HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the
> requested resource.
> Internet Information Services (IIS)

Hello, and thank you for your reply.

We have set the "Network Directory Security Crudentials" in IIS 6.0 to
"Alway's use the authenticated user's crudentials when validating access to
the network directory".
This allows us to access the site anonymously. the trouble is when trying to
access a NTFS secured folder within the site, we get the error mentioned
before.

If we assign a domain account to the "Network Directory Security
Crudentials" we are still able to access the site anonymously, but this time
when we try to access the secured area we get no prompt for cudentials and a
"HTTP Error 500 - Internal server error." message.

In both cases the domain account used for anonymous access is applied to the
UNC share.
I must be missing something somewhere.

"Pablo A. Allois" wrote:

> It looks like you haven't configure the "Network Directory Security
> Credentials".
>
> In the tab Network Directory, click on the "Connect as" button, then define
> the credentials to access to the share.
> There, you configure a user to access to the share, and then restrict the
> permission on the share and ntfs to allow access only to that user.
>
>
> Saludos!
>
>
> "Rob C." <RobC@discussions.microsoft.com> wrote in message
> news:A10B19F1-AF64-4188-9326-6CC12AB34A54@microsoft.com...
> > Good Day Folks,
> >
> > We are trying to configure the following:
> > - 3 node IIS 6 (Windows 2003 WEB) servers using an Alteon swithc for the
> > load balancing.
> > - 2 Node Windows Server 2003 R2 file cluster for the data share.
> >
> > I can get everything to work correctly when storing the data locally on
> > the
> > 3 IIS servers. We use anonymous access for them. Thsi account is a domain
> > account that has been given the proper access.
> >
> > the problem happens when we move the data to the Cluster via a UNC Path.
> > Althogh we can still access the site anonymously, when we try to secure
> > one
> > folder by removing the anonymous access and providing a different domain
> > account we are unable to log in. and get an error (See bellow the SNIP
> > line).
> >
> > I have read all I can find on this but nothing seems to work.
> >
> > To re-iterate, we can access the website through IIS with the data on the
> > UNC share via the anonymous account. When we try to secure one of the
> > folders
> > on the path, we get the error.
> >
> > Thank you all for your time.
> >
> >
> > -----SNIP-----
> > You do not have permission to view this directory or page due to the
> > access
> > control list (ACL) that is configured for this resource on the Web server.
> > --------------------------------------------------------------------------------
> >
> > Please try the following:
> >
> > Contact the Web site administrator if you believe you should be able to
> > view
> > this directory or page.
> > Click the Refresh button to try again with different credentials.
> > HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the
> > requested resource.
> > Internet Information Services (IIS)
>
>
>

The web site is using framework 2.0 ?

Now, the error change ... it looks like the security problem is solved, but
you have a new problem.

In your internet explorer, unckeck the option "Show friendly messages" to
see the detail of the HTTP error 500 .. or see the eventlog to find more
detail.


Saludos!

"Rob C." <RobC@discussions.microsoft.com> wrote in message
newsA679E90-6B08-4B2F-8D24-CEB391481808@microsoft.com...
> Hello, and thank you for your reply.
>
> We have set the "Network Directory Security Crudentials" in IIS 6.0 to
> "Alway's use the authenticated user's crudentials when validating access
> to
> the network directory".
> This allows us to access the site anonymously. the trouble is when trying
> to
> access a NTFS secured folder within the site, we get the error mentioned
> before.
>
> If we assign a domain account to the "Network Directory Security
> Crudentials" we are still able to access the site anonymously, but this
> time
> when we try to access the secured area we get no prompt for cudentials and
> a
> "HTTP Error 500 - Internal server error." message.
>
> In both cases the domain account used for anonymous access is applied to
> the
> UNC share.
> I must be missing something somewhere.
>
> "Pablo A. Allois" wrote:
>
>> It looks like you haven't configure the "Network Directory Security
>> Credentials".
>>
>> In the tab Network Directory, click on the "Connect as" button, then
>> define
>> the credentials to access to the share.
>> There, you configure a user to access to the share, and then restrict the
>> permission on the share and ntfs to allow access only to that user.
>>
>>
>> Saludos!
>>
>>
>> "Rob C." <RobC@discussions.microsoft.com> wrote in message
>> news:A10B19F1-AF64-4188-9326-6CC12AB34A54@microsoft.com...
>> > Good Day Folks,
>> >
>> > We are trying to configure the following:
>> > - 3 node IIS 6 (Windows 2003 WEB) servers using an Alteon swithc for
>> > the
>> > load balancing.
>> > - 2 Node Windows Server 2003 R2 file cluster for the data share.
>> >
>> > I can get everything to work correctly when storing the data locally on
>> > the
>> > 3 IIS servers. We use anonymous access for them. Thsi account is a
>> > domain
>> > account that has been given the proper access.
>> >
>> > the problem happens when we move the data to the Cluster via a UNC
>> > Path.
>> > Althogh we can still access the site anonymously, when we try to secure
>> > one
>> > folder by removing the anonymous access and providing a different
>> > domain
>> > account we are unable to log in. and get an error (See bellow the SNIP
>> > line).
>> >
>> > I have read all I can find on this but nothing seems to work.
>> >
>> > To re-iterate, we can access the website through IIS with the data on
>> > the
>> > UNC share via the anonymous account. When we try to secure one of the
>> > folders
>> > on the path, we get the error.
>> >
>> > Thank you all for your time.
>> >
>> >
>> > -----SNIP-----
>> > You do not have permission to view this directory or page due to the
>> > access
>> > control list (ACL) that is configured for this resource on the Web
>> > server.
>> > --------------------------------------------------------------------------------
>> >
>> > Please try the following:
>> >
>> > Contact the Web site administrator if you believe you should be able to
>> > view
>> > this directory or page.
>> > Click the Refresh button to try again with different credentials.
>> > HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on
>> > the
>> > requested resource.
>> > Internet Information Services (IIS)
>>
>>
>>

On Aug 15, 11:28*am, Rob C. <R...@discussions.microsoft.com> wrote:
> Good Day Folks,
>
> We are trying to configure the following:
> - 3 node IIS 6 (Windows 2003 WEB) servers using an Alteon swithc for the
> load balancing.
> - 2 Node Windows Server 2003 R2 file cluster for the data share.
>
> I can get everything to work correctly when storing the data locally on the
> 3 IIS servers. We use anonymous access for them. Thsi account is a domain
> account that has been given the proper access.
>
> the problem happens when we move the data to the Cluster via a UNC Path.
> Althogh we can still access the site anonymously, when we try to secure one
> folder by removing the anonymous access and providing a different domain
> account we are unable to log in. and get an error (See bellow the SNIP line).
>
> I have read all I can find on this but nothing seems to work.
>
> To re-iterate, we can access the website through IIS with the data on the
> UNC share via the anonymous account. When we try to secure one of the folders
> on the path, we get the error.
>
> Thank you all for your time.
>
> -----SNIP-----
> You do not have permission to view this directory or page due to the access
> control list (ACL) that is configured for this resource on the Web server..
> ---------------------------------------------------------------------------*-----
>
> Please try the following:
>
> Contact the Web site administrator if you believe you should be able to view
> this directory or page.
> Click the Refresh button to try again with different credentials.
> HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the
> requested resource.
> Internet Information Services (IIS)


Read this URL on how to work with IIS6 and UNC.
http://www.microsoft.com/technet/pro.../remstorg.mspx


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

I would like to thank the both of you for your reply. I would also like to
note that I am currently LOST!
I have read all the documentation that you suggested and tried a few things.
I am about ready to start a-new.
This is what I am trying to accomplish:

All servers are on the same domain. A single account has been created for
anonymous access on the DC's.
All servers are hosted within VMware ESX 3.5
Front end web servers (3 Nodes) running Windows Server 2003 R2 Fully patched
running IIS. (DMZ network)
2 node file cluster that will host the files for the front end web servers
through a UNC share. (Application network)
A mojority of the sites will be anonymous, this seems to work. The issue I
have is when trying to secure one of the folders within one of the sites. I
secure the folder by removing anonymous access (The domain account) and then
enable an account that should have access. Then trying the page, logging in
with the appropriate account I get the errors.

Does anyone know of a step - by - step guide for a configuration like what
we are trying to accomplish?
Any pointers for us slow folk?

Thanks again for your time everyone.

Rob C.

Hi Rob,

A little improvised step-by-step guide, and a tip for troubleshooting your
environment.

Guide:
*Create the share on the file server.
*Create a group for users that will access the share.
*Set at least Read Permission on the share to the group
If the share is in a cluster, give the permission on the resource in the
cluster.
*Set at least Read Permission on the file system to the group
*Configure your home directory to "Connect as" and put the credentials of a
user in the group previously created.
*Configure your website to use Integrated Security

This configuration must work, after you make it work, you can try to tight
the security avoiding the access of the webusers to the share ... but I dont
have that configuration fresh enough to make a step-by-step

Troubleshooting:
* Download Sysinternals tools
* Run ProcMon.exe in your webserver
There is no need to install it, just copy the executable and run it
* In procmon filter the events
* Make the http request
* Look for the access denied

That tool will tell you the resource and the user that is having the access
denied.

Take care! DO NOT leave that application running in the server, this will
consume all your server memory in a minutes.


Saludos!



"Rob C." <RobC@discussions.microsoft.com> wrote in message
news:46667C7D-CA2B-4EED-AD20-264E6F5BB4C5@microsoft.com...
>I would like to thank the both of you for your reply. I would also like to
> note that I am currently LOST!
> I have read all the documentation that you suggested and tried a few
> things.
> I am about ready to start a-new.
> This is what I am trying to accomplish:
>
> All servers are on the same domain. A single account has been created for
> anonymous access on the DC's.
> All servers are hosted within VMware ESX 3.5
> Front end web servers (3 Nodes) running Windows Server 2003 R2 Fully
> patched
> running IIS. (DMZ network)
> 2 node file cluster that will host the files for the front end web servers
> through a UNC share. (Application network)
> A mojority of the sites will be anonymous, this seems to work. The issue I
> have is when trying to secure one of the folders within one of the sites.
> I
> secure the folder by removing anonymous access (The domain account) and
> then
> enable an account that should have access. Then trying the page, logging
> in
> with the appropriate account I get the errors.
>
> Does anyone know of a step - by - step guide for a configuration like what
> we are trying to accomplish?
> Any pointers for us slow folk?
>
> Thanks again for your time everyone.
>
> Rob C.

Thanks for your reply Pablo!

I am and have been able to get the configuration to work that you mention in
the first part / Guide.
It is when I try to secure the folder so that the clients would need to
login using a different account rather then the one that is being used for
anonymous access (Connect as: account) due to removing that account from the
NTFS rights on the share. I have tried about everything and am now going to
look at different options. Currently out IIS boxes are 32bit and the file
cluster is 64 bit and all are VM's inside VMware ESX 3.5. Although I dont
think any of this should matter.

What are others doing to create a central IIS web services? We have multiple
sites and would like to ensure they are all redundant. I thought that having
multiple front end servers connected to a back end cluster would be simple,
this way we did not need to worry about data replication or what boxes the
clients connected to to do the updates.
Any one have any suggestions?

Thanks again for your time folks.

Please, make the troubleshooting with procmon, to see more exactly what is
the problem.

Saludos!

"Rob C." <RobC@discussions.microsoft.com> wrote in message
news:480E20C0-4E20-4032-B096-843357E4E5C0@microsoft.com...
> Thanks for your reply Pablo!
>
> I am and have been able to get the configuration to work that you mention
> in
> the first part / Guide.
> It is when I try to secure the folder so that the clients would need to
> login using a different account rather then the one that is being used for
> anonymous access (Connect as: account) due to removing that account from
> the
> NTFS rights on the share. I have tried about everything and am now going
> to
> look at different options. Currently out IIS boxes are 32bit and the file
> cluster is 64 bit and all are VM's inside VMware ESX 3.5. Although I dont
> think any of this should matter.
>
> What are others doing to create a central IIS web services? We have
> multiple
> sites and would like to ensure they are all redundant. I thought that
> having
> multiple front end servers connected to a back end cluster would be
> simple,
> this way we did not need to worry about data replication or what boxes the
> clients connected to to do the updates.
> Any one have any suggestions?
>
> Thanks again for your time folks.
>

I have looked at this program. it shows me that I get an "Access Denied"
error to the folder that I have changed the rights on.
The access is being denied is for the account rcareyad, this account does
have full NTFS right on the folder (http://stieurl.domain.com/_Secure). The
_Secure folder is where the rights are changed.

I think it is something to do with the account used in the login as: within
IE for the UNC path (Same account being used for the application pool), being
removed access to the _secure folder. I would assume that the login would
prompt like it is, but using an account that has the right NTFS permissions
get the error. I would think something to do with multiple authentication or
not "impersonating" correctly?



"Pablo A. Allois" wrote:

> Please, make the troubleshooting with procmon, to see more exactly what is
> the problem.
>
> Saludos!
>
> "Rob C." <RobC@discussions.microsoft.com> wrote in message
> news:480E20C0-4E20-4032-B096-843357E4E5C0@microsoft.com...
> > Thanks for your reply Pablo!
> >
> > I am and have been able to get the configuration to work that you mention
> > in
> > the first part / Guide.
> > It is when I try to secure the folder so that the clients would need to
> > login using a different account rather then the one that is being used for
> > anonymous access (Connect as: account) due to removing that account from
> > the
> > NTFS rights on the share. I have tried about everything and am now going
> > to
> > look at different options. Currently out IIS boxes are 32bit and the file
> > cluster is 64 bit and all are VM's inside VMware ESX 3.5. Although I dont
> > think any of this should matter.
> >
> > What are others doing to create a central IIS web services? We have
> > multiple
> > sites and would like to ensure they are all redundant. I thought that
> > having
> > multiple front end servers connected to a back end cluster would be
> > simple,
> > this way we did not need to worry about data replication or what boxes the
> > clients connected to to do the updates.
> > Any one have any suggestions?
> >
> > Thanks again for your time folks.
> >
>
>
>