Thread: IIS7 WEBDAV and UNC PATH to Windows File Servers

Last post 07-30-2009 10:59 PM by Senna9649. 9 replies.

  • 10-14-2008, 10:47 PM

    • dkenna
    • Not Ranked
    • Joined on 10-15-2008, 2:05 AM
    • New Zealand
    • Posts 5

    IIS7 WEBDAV and UNC PATH to Windows File Servers

    Hi all, done a bit of searching and not been able to find an answer to this issue.

    I have a Windows 2003 Server with IIS6 and WebDAV. This server has virtual directories connecting to UNC share paths, where users can log on and gain access to their files on our Windows file servers over the internet via HTTPS using basic auth. I have the virtual directories set to "always use the authenticated user's credentials when validating access to the network directory", and all works nice and well and users only gain access to folders they should.

    Also, these servers are all a part of an Active Directory domain (except end clients connecting via HTTPS).

    Now I have read on this site about setting up WebDAV in IIS7, and I have attempted to set up pretty much the same configuration as above with not a lot of luck. I did read about IIS7 wanting some path creds to gain access to a UNC path but that it would use "user creds" for access, but this does not seem to be true in my case, so I figure I must be doing it wrong. I was hoping that pass-through would work, but of course I get an Error 500, and if I do give some path creds, it's that account it uses when surfing the folders, not the "basic creds" I supply when I auth against IIS using basic auth.

    Does anyone have a good URL or info for setting this up, or can tell me what I could be doing wrong?

    As I have followed the instructions on this site, I think I have everything required to run correctly. Also, a folder created locally on the IIS server with permissions works with no issues.

     Thanks

  • 10-15-2008, 4:03 PM In reply to

    • dkenna
    • Not Ranked
    • Joined on 10-15-2008, 2:05 AM
    • New Zealand
    • Posts 5

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    OK, a night's sleep does wonders.

    All sorted now.

    Of course, maybe where I was reading didn't put it in, or maybe I just can't read, period.

    But for anyone else:

    Created an application pool, no managed code, and set it to run as a domain account with access to the UNC path, then turned the VDIR into an application running in this application pool.

     

     

     

  • 12-02-2008, 9:32 PM In reply to

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    Hi, I am trying to do exactly the same thing. Can you perhaps post a mini-guide with the steps you performed to get this working? Thanks!
  • 12-02-2008, 9:47 PM In reply to

    • dkenna
    • Not Ranked
    • Joined on 10-15-2008, 2:05 AM
    • New Zealand
    • Posts 5

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    OK, first off, in IIS7 you need to create a new application pool. I called mine Webdav.

     

    This application pool needs to be set to run "No Managed Code".

     

    You also need to set the identity of this application pool to a domain account with access to the server shares you want to display via WebDAV.

    I have a service account that is a domain admin, so I just used that account. So far I have not tested if a non-domain-admin account will work, BUT I see no reason why it should not work as long as the account has access to the share (which from memory is the important thing).

    Also, in the application pool settings, set Load User Profile to False.

    Next will be to add the virtual directory and set the "Connect as" settings to application user (pass-through).

    The final step is to then set the virtual directory as an application and use the application pool you have created above, and all should work.
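The steps in the post above, scripted with the IIS WebAdministration PowerShell module; this is an added example, not code from the thread. The site name, application name, UNC path and the choice of a dedicated non-admin service account are assumptions, and the module is assumed to be installed on the web server.

```powershell
# Added example, not from the thread. Site, path and account are placeholders.
Import-Module WebAdministration

$poolName = 'Webdav'               # pool name used in the post
$siteName = 'Default Web Site'     # assumption
$appName  = 'files'                # assumption: content served as /files
$uncPath  = '\\fileserver\share'   # placeholder UNC share

# Prompt for the pool identity instead of hard-coding its password.
# Assumption: a dedicated non-admin domain account that can read the share.
$cred = Get-Credential

$pool = "IIS:\AppPools\$poolName"
if (-not (Test-Path $pool)) { New-WebAppPool -Name $poolName | Out-Null }

# "No Managed Code" is an empty managed runtime version.
Set-ItemProperty $pool -Name managedRuntimeVersion -Value ''

# Run the pool as the chosen domain account (identityType 3 = SpecificUser).
Set-ItemProperty $pool -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Set-ItemProperty $pool -Name processModel.loadUserProfile -Value $false

# Creating the application directly covers "add virtual directory" plus
# "convert to application". No path credentials are stored, which is the
# "Application user (pass-through)" setting. The UNC path must be reachable
# from the session running this script.
New-WebApplication -Site $siteName -Name $appName `
    -PhysicalPath $uncPath -ApplicationPool $poolName | Out-Null

# Read the settings back to confirm what was applied.
Get-ItemProperty $pool -Name processModel |
    Select-Object identityType, userName, loadUserProfile
Get-WebApplication -Site $siteName -Name $appName |
    Select-Object path, applicationPool, PhysicalPath
```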

     
  • 12-02-2008, 10:54 PM In reply to

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    Thanks for such a quick reply. I am going to try this very soon, but am concerned about using a domain admin account for the app pool. I'll write back with the results of trying to limit the rights of the pool. -jonathan
  • 12-02-2008, 11:01 PM In reply to

    • dkenna
    • Not Ranked
    • Joined on 10-15-2008, 2:05 AM
    • New Zealand
    • Posts 5

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    Sure. It does not use the "application pool" account for access to folders; it still uses the "users" logons for access. No idea why they did this, but a normal account with access to the share should still work. Let me know; I do plan to change mine to an account with less access also.

     

    Cheers

     

  • 03-05-2009, 9:47 PM In reply to

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    Hi guys, I am trying to do the exact same thing. I used to have home directories shared off a UNC path with WebDAV using IIS6 and 2003 Server. Now I want to port it over to 2008 and IIS7.

    Setup is as follows

    • 2008 server standard running IIS7
    • An application pool called "WebDAV" has been created and uses the account "domain\binduser". This user has read permission to the root of the share.
    • The virtual directory student has been created off the default web root. The physical path is \\files\student where all the home directories are stored.
    • The virtual directory is set to run using the WebDAV application pool.
    • Windows Authentication is turned on for student and all other auth methods are off.
    • Directory Browsing is turned on for student

    When I go to navigate to the page from any logged-in client in our network, the user authentication box comes up. The WebDAV site I am trying to host is in the intranet zone, and I can confirm that the browser is sending the negotiation. I used Wireshark to see what was happening in the auth process and I can see all the Negotiate HTTP headers.

    If I access the site from the server it is hosted on using http://localhost/student it logs in fine and uses the logged in user account. If I access the site from the server but use its hostname instead (its called vpn) http://vpn/student I get the same authentication prompt as if I were a remote machine.

    As a test, I shared a directory C:\test on the web server and set it to the virtual path /test. I turned on Windows Authentication and turned off all other auth methods. I could access this share fine. The problems seem to only be happening with UNC shares. 

    Finally, if I use basic authentication, I can log in successfully, regardless of whether I am accessing from the server or from another PC. Basic auth is not ideal as it will prompt the users for their auth details and not pass them through using Kerberos/NTLM (or whichever auth method Windows decides to use).

    I have read through many forums here and been googling for the last few days so this is really a last resort.

    Thanks in advance :D

  • 03-24-2009, 4:29 AM In reply to

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    I kinda figured it out. I thought I'd post it here for completeness' sake.

    Kerberos was failing and not authenticating properly. I thought that IIS7 would change the authentication method to NTLM, but it kept failing on Kerberos and continued asking for a user name/password.

    I eventually ended up changing the website to bind to a different host name other than the name of the server. If you want to do Kerberos auth on a website under a different host name other than the one of the server the site is hosted off, you also need to use the setspn utility to add a Service Principal Name record to AD. Without this the auth will fail. E.g.: setspn -A HTTP/hostname.of.site realservername. The real server name needs to be the NetBIOS name of the server. After adding this record, authentication worked :D.

    I still don't know exactly why Kerberos wouldn't work using the default web site that is already set up with IIS7 and using the actual server name. I tried using the setspn utility like setspn -A HTTP/servername servername but this didn't work either.

    I also found out that the reason I could connect using localhost on the web server was because Internet Explorer always connects using NTLM rather than Kerberos, which was working fine.

    If you are still having issues, you can disable Kerberos completely and just use NTLM. This isn't available in the IIS server manager, but needs some manual work. Although not recommended, Google can help you out here.
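A read-only check for the SPN situation described in the post above, as an added example that is not part of the thread: it looks up which accounts hold HTTP/ and HOST/ SPNs for a host name, since a missing or duplicated SPN makes Kerberos fail. The function names are hypothetical, webdav.example.edu is a placeholder, and vpn is the server name mentioned earlier in the thread.

```powershell
# Added example; function names are hypothetical, host names are placeholders.
function Find-SpnOwner {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # LDAP lookup in the current domain only (comparable to "setspn -Q").
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

function Test-HttpSpn {
    param([Parameter(Mandatory = $true)][string[]]$HostName)
    foreach ($name in $HostName) {
        $http = @(Find-SpnOwner -Spn "HTTP/$name")
        $hostOwners = @(Find-SpnOwner -Spn "HOST/$name")
        # HTTP is a default alias of HOST, so a machine account that holds
        # HOST/<name> already answers for HTTP/<name> without an explicit SPN.
        $state = if     ($http.Count -gt 1)       { 'Duplicate' }
                 elseif ($http.Count -eq 1)       { 'Explicit' }
                 elseif ($hostOwners.Count -ge 1) { 'ViaHost' }
                 else                             { 'Missing' }
        New-Object psobject -Property @{
            Name       = $name
            State      = $state
            HttpOwners = ($http -join ', ')
            HostOwners = ($hostOwners -join ', ')
        }
    }
}

# 'Missing' means no Kerberos ticket can be issued for that name;
# 'Duplicate' means two accounts claim it and Kerberos will fail.
Test-HttpSpn -HostName 'webdav.example.edu', 'vpn' |
    Format-Table Name, State, HttpOwners, HostOwners -AutoSize
```

Which account should own the SPN depends on the IIS configuration: with kernel-mode authentication enabled, IIS7 decrypts tickets as the machine account unless useAppPoolCredentials is set.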

  • 07-01-2009, 1:55 AM In reply to

    • dkenna
    • Not Ranked
    • Joined on 10-15-2008, 2:05 AM
    • New Zealand
    • Posts 5

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    Hi, thanks for your input to my post. I hope you can all contribute. I am updating this with a question emailed to me and my response; you may have something to add.

    This was sent to me:

    I have an IIS7 webserver with WebDAV. I have a secure site and an application under that site that points at the UNC path of my fileserver. Basic Authentication and Anonymous Auth are enabled.

    If I try to open a WebDAV folder (a subfolder of my application path https://site.edu/student/accountname) the basic auth challenge comes up and sometimes it will work just fine. Other times I type in the correct credentials and it comes back. After challenging me 3 times it gives up. It's completely random as well. Sometimes I can get in the first time. Sometimes it will ask me once and fail, then I'll wait 30 seconds, type in my credentials again and it will work. Sometimes it won't work at all no matter how many times I try.

     Any ideas?

    Much appreciated

    My response to this was.

     Hey there

    I have had this issue before, but with my old Windows 2003 server and WebDAV to a UNC share.

    Turns out it was a permissions issue on the file server.

    In my configuration I have a student file server with \\server\student$\a\b\abc, so if your username was, say, "bob12", then your share would be \\server\student$\b\o\bob12

    bob12 was a student, so was a part of a group called "STUDENT".

    What I had to do for WebDAV was the following. As per my instructions, I had my WebDAV application running as an account WebDav. I had to ensure that this account had access to my share but could also read/modify the web.config that sat in the root of my share, e.g. \\server\student$

    I also had to ensure that the group "Student" had "List directory" permissions set on the "\b\o" directories but not set on the student's folder. I did this with a PowerShell script that set the permission inherited but then revoked the permission on the folder "bob12". I also have a PowerShell script that creates the user and folders, and a part of that process is to revoke the "STUDENT" group permission off the folder for the user.

    This should get over your issues with "Auth" and it keeping coming back for the username and password. I found with mine that it was trying to "touch" the folder but didn't have the ACL set, so it would come back with the username and password box.

    P.S. I don't think you should have "Anonymous" set; it should be disabled and only "Basic" set.
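One way to script the folder permissions described in the post above; this is an added example and not the poster's script. The function name and the EXAMPLE\bob12 account are hypothetical, and it applies the group's list right as "this folder only" on the letter folders rather than inheriting and revoking, then strips any remaining group entries from the home folder.

```powershell
# Added example; function name and the EXAMPLE\bob12 account are hypothetical.
function Set-StudentHomeAcl {
    param([string]$Root, [string]$UserName, [string]$Group, [string]$UserAccount)

    $first   = Join-Path $Root   $UserName.Substring(0, 1)   # ...\b
    $second  = Join-Path $first  $UserName.Substring(1, 1)   # ...\b\o
    $userDir = Join-Path $second $UserName                   # ...\b\o\bob12
    foreach ($dir in $first, $second, $userDir) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }

    # Letter folders: the group may list them, applied to "this folder only",
    # so the right is never inherited by the home folders underneath.
    $listRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ListDirectory', 'None', 'None', 'Allow')
    foreach ($dir in $first, $second) {
        $acl = Get-Acl $dir
        $acl.SetAccessRule($listRule)
        Set-Acl -Path $dir -AclObject $acl
    }

    # Home folder: stop inheriting but keep the inherited entries as explicit
    # copies. The copies only exist once the ACL is written, so write it first.
    $acl = Get-Acl $userDir
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $userDir -AclObject $acl

    # Re-read, drop every entry for the group, and give the owner Modify.
    $acl = Get-Acl $userDir
    $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($Group)))
    $ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UserAccount, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($ownerRule)
    Set-Acl -Path $userDir -AclObject $acl

    # Return what the group still holds on the home folder (expected: nothing).
    (Get-Acl $userDir).Access |
        Where-Object { $_.IdentityReference.Value -like "*$Group" }
}

# Share layout and names as given in the post; run with rights to change ACLs.
Set-StudentHomeAcl -Root '\\server\student$' -UserName 'bob12' `
    -Group 'STUDENT' -UserAccount 'EXAMPLE\bob12'
```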
     

     

  • 07-30-2009, 10:59 PM In reply to

    • Senna9649
    • Not Ranked
    • Joined on 07-30-2009, 10:57 PM
    • Posts 1

    Re: IIS7 WEBDAV and UNC PATH to Windows File Servers

    HELLO,

     

     I AM THE SYS ADMIN FOR A NEW SCHOOL. I SET UP WEBDAV WEBFOLDERS FOR FACULTY AND STAFF DEPARTMENTS BUT WOULD ALSO LIKE TO ADD IT FOR STUDENTS. I HAVE SOME ISSUES AND ONE IS WITH PERMISSIONS. I AM NEW TO POWERSHELL. WOULD YOU BE WILLING TO SHARE SOME MORE DETAILED INFORMATION REGARDING THE PERMISSION SCRIPT?

     

    THANKS
