IIS7 - WebDAV 7.5 & Shared Hosting Config w/UNC folder location
Last post Sep 22, 2009 02:14 PM by reachchandra
Aug 27, 2009 01:04 PM|jon.ebersole|LINK
I am setting up a web farm with multiple IIS7 servers in a shared configuration setting, where the files are located on a UNC share. I have added the correct permissions to the share so the users can access the websites anonymously as expected. I have also set up FTP 7.5, created accounts, and users can log in and edit their content using FTP protocols.
I also installed WebDAV 7.5 so our FrontPage/Expression Web users could log in and edit content, but it doesn't work as expected - it gives me an access denied error. For testing, I created a new site and made the folder structure local to the web server, added a new user to Active Directory, and WebDAV worked fine. As soon as I point that website to the UNC path, WebDAV asks me for the login name and password 3 times, and then gives me an error stating http://<domainname>, The folder name is not valid. Again, if I FTP to the site located on the UNC share using the same credentials, it works fine.
I used Process Monitor from Sysinternals to see where I was getting the access denied errors. It appears that when the web server tries to access the UNC share from the file server, it tries to impersonate the user that you use to log on (the user in Active Directory that has explicit permissions on the file server), but it fails???? The Active Directory user has full control of the shared folder. This is apparent, because FTP works fine. Btw, the Authorization Rules for FTP and WebDAV are the same.
I get the following error...
w3wp.exe CreateFile \\servername\sharename ACCESS DENIED Desired access:generic read, disposition:open, Options:sequential access, open for backup, attributes:RE,sharemode:Read,Write,Delete AllocationSize: n/a, Impersonating domain\username
Any ideas? Is WebDAV doing something different than FTP does with impersonation? Thanks for your help in advance.
Aug 27, 2009 10:16 PM|steve schofield|LINK
Nice troubleshooting so far. Can you post the IIS logs from the same CreateFile? I'd be curious about the status code.
Try enabling FREB and post the errors.
Aug 28, 2009 02:11 PM|jon.ebersole|LINK
It has been a long ride on this project, but I think I figured it out. I successfully got it working this morning (a 5 day project) by deselecting the 'Windows Authentication' option within the Authentication options of the website. I tried with and without the 'Enable Kernel-mode authentication' checkbox and it always failed.
After removing Windows Authentication altogether, it worked fine. I have no idea if this is the expected setting or not, so I don't know if this will break something in the future.
I want to also note that this is a shared configuration, where the UNC path (file share) is on a server that is actually in a different domain! I created a trust relationship between the two domains and added the Network Service account to the file server by adding the <domain>\<computername>$ account to a local group, and then assigned that group permissions to the share.
Example: microsoft.com\webserver1$ <-- represents a computer's Network Service account
The command to do that is:
net localgroup <localcompgroupname> <domainname>\<computername>$ /add
I also made sure that the application pool's advanced setting for Identity was set to NetworkService, and Enable 32-bit Applications was set to True (I have 64-bit web servers). In the Basic Settings of the website, I also had to set the 'Connect As' setting to use the 'Application user (pass-through authentication)' to get all of this to work properly. Shared configurations are powerful, but they aren't ready yet for 'the common IT guy' to configure.
Another note: you have to disable shared configuration on the web servers prior to installing FTP 7.5 or WebDAV 7.5, etc. Actually, as funny as this sounds, it appears that you have to temporarily disable shared configuration in IIS for any other software application installs, updates, or upgrades that depend on or work around IIS. I tried applying Windows Updates to my IIS 7 server and it kept failing. I also tried adding or removing features to IIS 7 and it kept failing. As soon as I disabled the shared configuration, they worked again. So now, I am in the habit of disabling/installing/enabling shared configurations whenever I do anything.
Another piece of advice: make sure your log files for each web farm server are local to each web server. It increases performance and you won't experience file locks. IIS 7 doesn't have the ability to set the log filename, so each server would try to write to the same file in the shared folder.
And yet another: Microsoft says that IIS 7.0 has a 'severe limitation' in the management interface. When you add SSL certificates, it won't let you enter a host name. Simply add the SSL certificate, then open the applicationHost.config file, find the 'bindings' section and alter the ssl entry like the line below and restart IIS on the web farm servers and you should be fine.
<binding protocol="https" bindingInformation="10.0.0.1:443:" />
<binding protocol="https" bindingInformation="10.0.0.1:443:www.microsoft.com" />
(the IP address indicated above 10.0.0.1 represents the primary IP address of your web farm server, regardless of what IP address you assigned it on the server!!! ISA server routes all traffic using webfarm IP's NOT your virtual IP address)
I can still get those logs for you if you would like me to, but I think my problem is resolved for now. I really, really hope this post helps someone somewhere.
Aug 29, 2009 07:17 AM|steve schofield|LINK
Wow! Thanks for the detailed explanation. I agree with many points. Shared configuration is not for the 'common' IT guy. Most 'common' scenarios don't have a large web farm or implementation as you described. I hope the experience in the future using shared configuration gets better tools. The benefits do outweigh the drawbacks once you know them. As far as the Kerberos thing, I can't help you there. Using BASIC w/SSL is a workaround. Having two domains, trusts and the like you posted is complicated.
I'm going to bookmark this thread in my UNC TAG so people can refer to it in the future.
Sep 22, 2009 02:14 PM|reachchandra|LINK
Hi, I am new to IIS and WebDAV. I have an application which sends data in passive mode. I have been told to configure WebDAV on my server. For each user that is going to use the application for uploading the document, I have to create a separate folder for that particular user with username and password. For example, if there is a user called sam, I have to create a folder called D:\Webdav\sam where he can upload the data using WebDAV. Each user will have access to their respective folders.
My challenge is how to send the data in passive mode, and second, how to configure a folder with WebDAV enabled with user ID and password.
Currently I have created a virtual directory called sam under the default website. Then I have enabled WebDAV on the sam virtual directory with authentication and authoring roles. WebDAV is not working at all. I don't know what to do.
webdav on multiple folders.