« Previous Next »

• 04-06-2007, 2:22 PM

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 3,889

  New thread - Using a domain account to access UNC content. Reply Contact STEVE: Can you open another thread with the rights of a built-in account to an UNC share? This thread here gets too complicated if I answer it here. I'm setting up a VM with the Longhorn CTP and see if I can reproduce the error.   The way the accounts are defined are different in IIS7.  It is nice the login is reduced to just use the application pool user id vs. having it defined in the anonymous section, then the application pool settings.  Just the option of using a setup like I described using domain accounts seems different in IIS7.  I didn't realize the username and password are not validated.  I guess this is the same in IIS6, so the behavior is consistant, maybe it is the UI changes that make it seem different.  All the press and articles cover the new built-in users, which is cool.  When I ran into an issue, I probably should have posted.   I'll have some results from my testing. Here are the steps I'm going to test.  The IIS_WPG is of course the IIS_USERS group on IIS7.  I haven't tried on the latest CTP yet, however I ran into issues on previous builds of Longhorn.  The way you did this in IIS6 would be to 1) create a domain account 2) add the domain account to the IIS_WPG group 3) adjust the anonyous user and application pool user to use this domain account.  When using IIS manager, it would allow you to browse and add the user. or you could 1) create a domain account 2) create a global group 3) put the domain account in the global group 4) then put the global group in the IIS_WPG group. Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget

• 04-06-2007, 4:32 PM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 3,889

  Re: New thread - Using a domain account to access UNC content. Reply Contact Here is a summary of what I did.  I did run into some errors that IIS Manager did not take very well.  There might be some opportunity to clean this up.  Create a domain user called 'UncContentUser' Created a group called uncIIS_USERS Added this group the IIS_USERS group on the VM Created a folder on a file server called unccontent Granted Administrators, The domain group and System F/C Created a hidden shared called UncContent$ Adjusted the share so Everyone has 'modified' rights.  Yes, I could have securied it more with just the groups. I'd do if there was more than my test domain there. Created a webpage that displayed Now(). Backed up my config folder in c:\windows\system32\inetsrv\config Turned off the Default Website Created a site called 'UncContentTest'.  Got an error.  See below for explaination. Click create a Site again, and it said the site was already existed. When I tried to right click and adjust permissions, I got an error.  See below.   *I was trying to enable various modules. I manually mapped a drive using the domain account credentials.  I was able edit the properties inside IIS manager. When the IUSR was configured on the 'anonymous' authentication, this was displayed.  HTTP Error 401.3 - Unauthorized You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.  was displayed.  This would be expected because the IUSR account does not have rights remotely.   After I updated the anonymous setting to use the 'application pool credentials' under the authorization setting using the domain user, it worked. The errors are because I'm logged in as local Administrator on the Longhorn machine with no password.  The remote machine, which is a domain controller, the 'Administrator' account is disabled.   IIS manager did not handle this very well.  :)   I have some screen shots I can send to the IIS team off-line, if you like.  Overall, without the rare situation a domain controller will be the NAS server, the 'domain' Administrator account is disabled and also being logged on the local VM, with no password mind you.  Things worked.  I know these are not real production practices, but after I overcame my unique test setup environment, things worked as designed.  I looked on the Open files and Open sessions on the Domain Controller, the appropriate credentials worked (it showed the domain use account).  Besides the 'few errors' the IIS manager had, I'd say domain accounts work!  It was a good quick afternoon project.  Hope this helps someone. Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget

• 04-06-2007, 4:44 PM

  In reply to

  CarlosAg Joined on 02-19-2003, 2:23 AM Posts 332	Re: New thread - Using a domain account to access UNC content. Reply Contact If you could send me the snapshots I would appreciate it.

• 04-06-2007, 7:00 PM

  In reply to

  ericdeily Joined on 01-19-2006, 1:48 AM Redmond, WA Posts 38	Re: New thread - Using a domain account to access UNC content. Reply Contact could you add me to that email too Steve?  I'm interested in what those errors were.  ta. -ericdeily Program Manager - IIS Release/Proj Mgmt & Support/Health/Instr/Tracing/Logging

• 04-06-2007, 10:12 PM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 3,889	Re: New thread - Using a domain account to access UNC content. Reply Contact I'm not sure what email to send to.  Contact me at steve@orcsweb.com.  I'll forward the screen shot word doc. Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget