dkenna
12 Posts
IIS7 WEBDAV and UNC PATH to Windows File Servers
Oct 15, 2008 02:47 AM
Hi all, done a bit of searching and not been able to find an answer to this issue.
I have a Windows 2003 Server with IIS6 and WebDAV. This server has Virtual Directories connecting to UNC share paths where users can log on and gain access to their files on our Windows file servers over the internet via https and using basic auth. I have the virtual directories set to "always use the authenticated user's credentials when validating access to the network directory" and all works nice and well and users only gain access to folders they should.
Also these servers are all a part of an Active Directory Domain (except end clients connecting via https).
Now I have read on this site about setting up WebDAV in IIS7 and I have attempted to set up pretty much the same configuration as above with not a lot of luck. I did read about IIS7 wanting some Path Creds to gain access to a UNC path but would use "User Creds" for access, but this does not seem to be true in my case, so I figure I must be doing it wrong. I was hoping that Pass Thru would work but of course I get an Error 500, and if I do give some Path Creds it's that account it uses when surfing the folders, not the "Basic Creds" I supply when I auth against IIS using basic auth.
Does anyone have a good URL or info for setting this up, or can tell me what I could be doing wrong?
As I have followed the instructions on this site I think I have everything required to run correctly. Also created a folder locally on the IIS server with permissions; works with no issues.
Thanks
dkenna
12 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Oct 15, 2008 08:03 PM
OK, a night's sleep does wonders.
All sorted now.
Of course maybe where I was reading didn't put it in, or maybe I just can't read, period.
But for anyone else:
Created application pool, no managed code, and set to run as a domain account with access to the UNC path, then turned VDIR into application running in this application pool.
JonathanKing
3 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Dec 03, 2008 01:32 AM
dkenna
12 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Dec 03, 2008 01:47 AM
OK, first off, in IIS7 you need to create a new application pool. I called mine Webdav.
This application pool needs to be set to run "No Managed Code".
You also need to set the Identity of this application pool to a domain account with access to the server shares you want to display via webdav.
I have a service account that is a domain admin so I just used that account. So far I have not tested if a non domain admin account will work, BUT I see no reason why it should not work as long as the account has access to the share (which from memory is the important thing).
Also in the application pool settings, set Load User Profile to False.
Next will be to add the Virtual Directory and set the Connect as settings to application user (Pass thru).
Final step is to then set the Virtual Directory as an application and use the application pool you have created above, and all should work.
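The steps in the post above as a script, added here as an example and not part of the original post. It assumes the WebAdministration PowerShell module is available; the site name, the `student` path, the `\\files\student` share and the service account are placeholders, and the account is meant to be an ordinary domain user with rights on the share rather than a domain admin.

```powershell
# Added example (not from the thread): app pool + UNC-backed application
# as described in the post above. All names and paths are placeholders.
Import-Module WebAdministration

$poolName = 'WebDav'
$siteName = 'Default Web Site'   # assumption: site hosting the WebDAV application
$appName  = 'student'            # assumption: URL path of the application
$uncPath  = '\\files\student'    # assumption: share holding the user folders
$poolPath = "IIS:\AppPools\$poolName"

# Prompt for the pool identity instead of hard-coding a password.
# Enter a plain domain account (DOMAIN\user) that only has rights on the share.
$cred = Get-Credential

# Step 1: new application pool set to "No Managed Code".
New-WebAppPool -Name $poolName | Out-Null
Set-ItemProperty $poolPath -Name managedRuntimeVersion -Value ''

# Step 2: run the pool as the domain account (identityType 3 = SpecificUser).
Set-ItemProperty $poolPath -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Step 3: Load User Profile = False.
Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $false

# Steps 4 and 5: create the UNC path as an application in that pool.
# No "Connect as" user is stored on it, which is the pass-through setting.
New-WebApplication -Site $siteName -Name $appName -PhysicalPath $uncPath `
    -ApplicationPool $poolName -Force | Out-Null

# Show the result so the settings can be checked against the steps.
Get-ItemProperty $poolPath -Name processModel |
    Select-Object identityType, userName, loadUserProfile
Get-WebApplication -Site $siteName -Name $appName |
    Select-Object path, applicationPool, PhysicalPath
```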
JonathanKing
3 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
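Dec 03, 2008 02:54 AM
Thanks for such a quick reply. I am going to try this very soon, but am concerned about using a domain admin account for the app pool. I'll write back with the results of trying to limit the rights of the pool. -jonathan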
dkenna
12 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Dec 03, 2008 03:01 AM
Sure. It does not use the "application pool" account for access to folders; it still uses the "users" logons for access. No idea why they did this, but a normal account with access to the share should still work. Let me know; I do plan to change mine to an account with less access also.
Cheers
alias_here
2 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Mar 06, 2009 01:47 AM
Hi guys, I am trying to do the exact same thing. I used to have home directories shared off a UNC path with WebDAV using IIS6 and 2003 Server. Now I want to port it over to 2008 and IIS7.
Setup is as follows:
2008 server standard running IIS7.
An application pool called "WebDAV" has been created and uses the account "domain\binduser". This user has read permission to the root of the share.
The virtual directory student has been created off the default web root. The physical path is \\files\student where all the home directories are stored.
The virtual directory is set to run using the WebDAV application pool.
Windows Authentication is turned on for student and all other auth methods are off.
Directory Browsing is turned on for student.
When I go to navigate to the page from any logged in client in our network, the user authentication box comes up. The WebDAV site I am trying to host is an intranet zone and I can confirm that the browser is sending the negotiation - I used wireshark to see what was happening in the auth process and I can see all the Negotiate HTTP headers.
If I access the site from the server it is hosted on using http://localhost/student it logs in fine and uses the logged in user account. If I access the site from the server but use its hostname instead (it's called vpn) http://vpn/student I get the same authentication prompt as if I were a remote machine.
As a test, I shared a directory C:\test on the web server and set it to the virtual path /test. I turned on Windows Authentication and turned off all other auth methods. I could access this share fine. The problems seem to only be happening with UNC shares.
Finally, if I use basic authentication, I can log in successfully - regardless if I am accessing from the server or from another PC. Basic auth is not ideal as it will prompt the users for their auth details and not pass them through using Kerberos/NTLM (or whichever auth method Windows decides to use).
I have read through many forums here and been googling for the last few days so this is really a last resort.
Thanks in advance :D
alias_here
2 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Mar 24, 2009 08:29 AM
I kinda figured it out. I thought I'd post it here for completeness' sake.
Kerberos was failing and not authenticating properly. I thought that IIS7 would change the authentication method to NTLM but it kept failing on Kerberos and continued asking for a user name/password.
I eventually ended up changing the website to bind to a different host name other than the name of the server. If you want to do Kerberos auth on a website under a different host name other than the one of the server the site is hosted off, you also need to use the setspn utility to add a Service Principal Name record to AD. Without this the auth will fail. EG: setspn -A HTTP/hostname.of.site realservername. The real server name needs to be the NetBIOS name of the server. After adding this record, authentication worked :D.
I still don't know exactly why Kerberos wouldn't work using the default web site that is already set up with IIS7 and using the actual server name. I tried using the setspn utility like setspn -A HTTP/servername servername but this didn't work either.
I also found out that the reason I could connect using localhost on the web server was because Internet Explorer always connects using NTLM rather than Kerberos, which was working fine.
If you are still having issues, you can disable Kerberos completely and just use NTLM. This isn't available in the IIS server manager, but needs some manual work. Although not recommended, Google can help you out here.
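A check that goes with the setspn step in the post above, added here as an example and not part of the original post: it asks Active Directory which account or accounts hold the site's HTTP SPN, since a missing or duplicated SPN both stop Kerberos for that host name. `Get-SpnOwner` and `Test-SiteSpn` are hypothetical helper names, `hostname.of.site` is the placeholder from the post, and `REALSERVERNAME$` stands for the server's computer account.

```powershell
# Added example (not from the thread). Run on a domain-joined machine.
function Get-SpnOwner {
    param([Parameter(Mandatory = $true)][string]$Spn)

    # Escape LDAP filter metacharacters before building the search filter.
    $escaped = $Spn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'distinguishedname'))

    foreach ($result in $searcher.FindAll()) {
        New-Object psobject -Property @{
            Spn     = $Spn
            Account = [string]$result.Properties['samaccountname'][0]
            DN      = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

function Test-SiteSpn {
    param(
        [string]$SiteHost        = 'hostname.of.site',   # placeholder from the post
        [string]$ExpectedAccount = 'REALSERVERNAME$'     # placeholder: computer account
    )
    $spn    = "HTTP/$SiteHost"
    $owners = @(Get-SpnOwner -Spn $spn)

    if ($owners.Count -eq 0) {
        return "$spn is not registered on any account; clients cannot get a Kerberos ticket for the site."
    }
    if ($owners.Count -gt 1) {
        $names = ($owners | ForEach-Object { $_.Account }) -join ', '
        return "$spn is registered on more than one account ($names); remove the extras so it is unique."
    }
    if ($owners[0].Account -ieq $ExpectedAccount) {
        return "$spn is registered once, on $ExpectedAccount."
    }
    return "$spn is registered on $($owners[0].Account), not on $ExpectedAccount."
}

Test-SiteSpn
```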
dkenna
12 Posts
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Jul 01, 2009 05:55 AM
Hi, thanks for your input to my post. I hope you can all contribute. I am updating this with a question emailed to me and my response; you may have something to add.
This was sent to me:
I have an IIS7 webserver with webdav. I have a secure site and an application under that site that points at the UNC path of my fileserver. Basic Authentication and Anonymous Auth are enabled.
If I try to open a webdav folder (a subfolder of my application path https://site.edu/student/accountname) the basic auth challenge comes up and sometimes it will work just fine. Other times I type in the correct credentials and it comes back. After challenging me 3 times it gives up. It's completely random as well. Sometimes I can get in the first time. Sometimes it will ask me once and fail, then I'll wait 30 seconds, type in my credentials again and it will work. Sometimes it won't work at all no matter how many times I try.
Any ideas?
Much appreciated
My response to this was:
Hey there
I have had this issue before but with my old Windows 2003 server and webdav to a UNC share.
Turns out it was a permissions issue on the file server.
In my configuration I have a student file server with \\server\student$\a\b\abc, so if your username was say "bob12" then your share would be \\server\student$\b\o\bob12
bob12 was a student so was a part of a group called "STUDENT".
What I had to do for webdav was the following: as per my instructions I had my webdav application running as an account WebDav. I had to ensure that this account had access to my share but also was able to read/modify the web.config that sat in the root of my share, e.g. \\server\student$
I also had to ensure that the group "Student" had "List directory" permissions set on "\b\o" directories but not set on the student's folder. I did this with a PowerShell script that set the permission inherited but then revoked the permission on the folder "bob12". I also have a PowerShell script that creates the user and folders, and a part of that process is to revoke the "STUDENT" group permission off the folder for the user.
This should get over your issues with "Auth" and it keeps coming back for the username and password. I found with my one that it was trying to "Touch" the folder but didn't have the ACL set so would come back with the username and password box.
P.S. I don't think you should have "Anonymous" set; it should be disabled and only "Basic" set.
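One way such a permission script could look, added here as an example; it is not dkenna's script. It assumes the `\\server\student$\b\o\bob12` layout from the post, and `DOMAIN`, the function name and the choice to grant the list right as "this folder only" are assumptions. The group may list the two tier folders, while the user's own folder stops inheriting, loses every entry for the group, and gives the user Modify.

```powershell
# Added example (not from the thread). Share, domain, group and user are placeholders.
function Set-StudentHomeAcl {
    param(
        [string]$ShareRoot = '\\server\student$',
        [string]$UserName  = 'bob12',
        [string]$Domain    = 'DOMAIN',
        [string]$Group     = 'STUDENT'
    )
    $groupId = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    $userId  = New-Object System.Security.Principal.NTAccount($Domain, $UserName)

    # \\server\student$\b\o\bob12: tier folders come from the first two letters.
    $tier1   = Join-Path $ShareRoot $UserName.Substring(0, 1)
    $tier2   = Join-Path $tier1     $UserName.Substring(1, 1)
    $userDir = Join-Path $tier2     $UserName
    if (-not (Test-Path $userDir)) {
        New-Item -ItemType Directory -Path $userDir -Force | Out-Null
    }

    # The group may list the tier folders; 'None' inheritance = this folder only.
    $listRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, Traverse'
    $listRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $groupId, $listRights, 'None', 'None', 'Allow')
    foreach ($dir in $tier1, $tier2) {
        $acl = Get-Acl -Path $dir
        $acl.AddAccessRule($listRule)
        Set-Acl -Path $dir -AclObject $acl
    }

    # User folder: stop inheriting but keep copies of the parent's entries.
    $acl = Get-Acl -Path $userDir
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $userDir -AclObject $acl

    # Re-read so the copied entries are explicit, then revoke the group
    # and grant the owner Modify on the folder, subfolders and files.
    $acl = Get-Acl -Path $userDir
    $acl.PurgeAccessRules($groupId)
    $modify = [System.Security.AccessControl.FileSystemRights]'Modify'
    $ownRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $userId, $modify, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ownRule)
    Set-Acl -Path $userDir -AclObject $acl

    # Return what is left on the user folder so it can be reviewed.
    (Get-Acl -Path $userDir).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Set-StudentHomeAcl -UserName 'bob12'
```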
Senna9649
1 Post
Re: IIS7 WEBDAV and UNC PATH to Windows File Servers
Jul 31, 2009 02:59 AM
HELLO,
I AM THE SYS ADMIN FOR A NEW SCHOOL. I SET UP WEBDAV WEBFOLDERS FOR FACULTY AND STAFF DEPARTMENTS BUT WOULD ALSO LIKE TO ADD IT FOR STUDENTS. I HAVE SOME ISSUES AND ONE IS WITH PERMISSIONS. I AM NEW TO POWERSHELL. WOULD YOU BE WILLING TO SHARE SOME MORE DETAILED INFORMATION REGARDING THE PERMISSION SCRIPT?
THANKS