http://forums.iis.net/1043.aspxDiscussions around the security of IIS 7 including compentization, hidden directories, or authentication\authorizationenCommunityServer 2007 SP1 (Build: 20510.895)http://forums.iis.net/thread/1881693.aspxThu, 09 Oct 2008 21:24:25 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1881693krolson0http://forums.iis.net/thread/1881693.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1043&PostID=1881693<p>You would have to configure the share permissions to allow at least read access to the identity IIS is using (the IIS worker process identity) to connect to the share.&nbsp; </p> <p>Also, I believe that in order to use pass-through authentication you would have to disable the use of distributed web.config files in the virtual directory. To do this you set the allowSubDirConfig attribute on the virtual directory definition fo &quot;false.&quot;&nbsp; </p> <p>&nbsp;The pass-through method can be tricky because some application frameworks will use the IIS worker process identity while others will always use the authenticated user identity.</p> <p>&nbsp;A few cautions as well: if you grant IIS permissions above Read access (or give the IIS account administrative privileges on the remote network server), it may be possible for an attacker to gain control of the remote share if the server is compromised.&nbsp; You would only need write/full access&nbsp;if you are using IIS to publish content (and you should never use identities with administrative privileges on the file server to access remote content).&nbsp; </p>http://forums.iis.net/thread/1881586.aspxWed, 08 Oct 2008 17:55:15 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1881586Metek0http://forums.iis.net/thread/1881586.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1043&PostID=1881586<p>Hello Krolson,</p> <p>The access via User account is working OK, but unfortunately, we are making Intranet and need differintiate user&nbsp;rights on the share. Any suggestion, how&nbsp;we can make&nbsp;authentification working? I also do not understand why access fails when&nbsp;I&#39;m typing credential directy into Authentication dialog.</p> <p>&gt;&gt;&nbsp;&nbsp;You could try to give the IIS worker process identity read access to the remote content share</p> <p>Could you please explain this option in more details?</p> <p>With best regards,</p> <p>Al</p> <p><font face="Verdana" color="#034af3"></font>&nbsp;</p>http://forums.iis.net/thread/1881584.aspxWed, 08 Oct 2008 17:48:50 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1881584Metek0http://forums.iis.net/thread/1881584.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1043&PostID=1881584<p>Hi Anil,</p> <p>Thank you for your reply. As specified in my initial message, we are using &quot;Active Directory Client Certificate Authentication&quot;. </p> <p>&gt;&gt; you will have to write some scripts to configure it</p> <p>What kinf of scripts? How can I configure such way&nbsp;that user is identified on network share?</p> <p>With best regards,</p> <p>Al&nbsp;</p> <p>&nbsp;</p>http://forums.iis.net/thread/1881509.aspxWed, 08 Oct 2008 00:02:54 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1881509krolson0http://forums.iis.net/thread/1881509.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1043&PostID=1881509<p>One issue may be that you cannot use pass-through authentication to access web.config files on a remote share (because IIS uses the authenticated user for pass-through, and the access would have to occur before IIS has determined the authenticated user).&nbsp; </p> <p>You could try to give the IIS worker process identity read access to the remote content share, but pass-through access is a little messy in this case. &nbsp;I would recommend using virtual directory fixed credentials instead.&nbsp; Remember to set a username and password on the virtual directory that correspond to a valid account on your share.</p>http://forums.iis.net/thread/1881507.aspxTue, 07 Oct 2008 23:58:46 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1881507anilr0http://forums.iis.net/thread/1881507.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1043&PostID=1881507<p>Are you trying &quot;windows integrated authentication&quot; or &quot;AD client cert authentication&quot;?&nbsp; Note that the IIS Manager does not let you configure the latter and you will have to write some scripts to configure it.</p>http://forums.iis.net/thread/1881396.aspxMon, 06 Oct 2008 19:58:22 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1881396Metek0http://forums.iis.net/thread/1881396.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1043&PostID=1881396<p>Hello All,</p> <p>I&#39;m trying to setup IIS7.0 WEB site with &quot;Windows Authentication&quot; through &quot;Active Directory Client Certificate Authentication&quot;. My User account is&nbsp;properly mapped to Domain User account&nbsp;and I have an access to all directories located on WEB server.</p> <p>Now I added Virtual directory with physical path mapping to the share on another server. &quot;Connected As&quot; is set to Application User (pass-through authentication). I verified that Domain User Account authenticated by Client certificate have an access to Share on another server and corresponding ACL on the physical disk directory. However, when I&#39;m trying connect to the new virtual directory 2 problems appear:</p> <p>1. I&#39;m getting Dialog asking for User Name and password. Why?</p> <p>2. Regardless what I&#39;m entering in that dialog (Domain account of user logged&nbsp;into WEB site or even Domain Administrator&nbsp;data), I&#39;m getting error 401. Log file is not informative at all: I see call to various Authentication modules, they all return false. The only Warning in log is</p> <p> <table class="" cellspacing="0" cellpadding="0"> <tr> <th class="">ModuleName</th> <td class="event-data" class="event-data">IIS Web Core</td></tr> <tr class="alt"> <th class="">Notification</th> <td class="event-data" class="event-data">2</td></tr> <tr> <th class="">HttpStatus</th> <td class="event-data" class="event-data">401</td></tr> <tr class="alt"> <th class="">HttpReason</th> <td class="event-data" class="event-data">Unauthorized</td></tr> <tr> <th class="">HttpSubStatus</th> <td class="event-data" class="event-data">3</td></tr> <tr class="alt"> <th class="">ErrorCode</th> <td class="event-data" class="event-data">2147942405</td></tr> <tr> <th class="">ConfigExceptionInfo</th> <td class="event-data" class="event-data"></td></tr> <tr class="alt"> <th class="">Notification</th> <td class="">AUTHENTICATE_REQUEST</td></tr> <tr> <th class="">ErrorCode</th> <td class="">Access is denied. (0x80070005)</td></tr></table></p> <p>What&#39;s wrong? Any help is appreciated.</p> <p>Al</p> <p>&nbsp;</p>