IIS7 - WebDAV 7.5 & Shared Hosting Config w/UNC folder location [Answered]

4 replies

Last post Sep 22, 2009 02:14 PM by reachchandra

  • IIS7 - WebDAV 7.5 & Shared Hosting Config w/UNC folder location

    Aug 27, 2009 01:04 PM|jon.ebersole

    I am setting up a web farm with multiple IIS7 servers in a shared configuration setting, where the files are located on a UNC share.  I have added the correct permissions to the share so the users can access the websites anonymously as expected.  I have also set up FTP 7.5, created accounts, and users can log in and edit their content using FTP protocols.

    I also installed WebDAV 7.5 so our FrontPage/Expression Web users could log in and edit content, but it doesn't work as expected - it gives me an access denied error.  For testing, I created a new site and made the folder structure local to the web server, added a new user to Active Directory, and WebDAV worked fine.  As soon as I point that website to the UNC path, WebDAV asks me for the login name and password 3 times, and then gives me an error stating http://<domainname>, The folder name is not valid.  Again, if I FTP to the site located on the UNC share using the same credentials, it works fine.

    I used Process Monitor from Sysinternals to see where I was getting the access denied errors.  It appears that when the web server tries to access the UNC share from the file server, it tries to impersonate the user that you use to log on (the user in Active Directory that has explicit permissions on the file server), but it fails????  The Active Directory user has full control of the shared folder.  This is apparent, because FTP works fine.  Btw, the Authorization Rules for FTP and WebDAV are the same.

    I get the following error...

    w3wp.exe CreateFile \\servername\sharename ACCESS DENIED Desired access:generic read, disposition:open, Options:sequential access, open for backup, attributes:RE,sharemode:Read,Write,Delete AllocationSize: n/a, Impersonating domain\username

    Any ideas?  Is WebDAV doing something different than FTP does with impersonation?  Thanks for your help in advance.

    Thanks,
    Jon Ebersole
  • Re: IIS7 - WebDAV 7.5 & Shared Hosting Config w/UNC folder location

    Aug 27, 2009 10:16 PM|steve schofield

    Nice troubleshooting so far.  Can you post the IIS logs from the same CreateFile?  I'd be curious about the status code.

    Try enabling FREB and post the errors.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: IIS7 - WebDAV 7.5 & Shared Hosting Config w/UNC folder location

    Aug 28, 2009 02:11 PM|jon.ebersole

    Thanks Steve.

    It has been a long ride on this project, but I think I figured it out.  I successfully got it working this morning (a 5 day project) by deselecting the 'Windows Authentication' option within the Authentication options of the website.  I tried with and without the 'Enable Kernel-mode authentication' checkbox and it always failed.

    After removing Windows Authentication altogether, it worked fine.  I have no idea if this is the expected setting or not, so I don't know if this will break something in the future.

    I want to also note that this is a shared configuration, where the UNC path (file share) is on a server that is actually in a different domain!  I created a trust relationship between the two domains and added the Network Service account to the file server by adding the <domain>\<computername>$ account to a local group, and then assigned that group permissions to the share.
    Example: microsoft.com\webserver1$ <-- represents a computer's Network Service account

    The command to do that is:
    net localgroup <localcompgroupname> <domainname>\<computername>$ /add

    I also made sure that the application pool's advanced setting for Identity was set to NetworkService, and Enable 32-bit Applications was set to True (I have 64 bit web servers).  In the Basic Settings of the website, I also had to set the 'Connect As' setting to use the 'Application user (pass-through authentication)' to get all of this to work properly.  Shared configurations are powerful, but they aren't ready yet for 'the common IT guy' to configure.

    Another note: you have to disable shared configuration on the web servers prior to installing FTP 7.5 or WebDAV 7.5, etc.  Actually, as funny as this sounds, it appears that you have to temporarily disable shared configuration in IIS for any other software application installs, updates, or upgrades that depend on or work around IIS.  I tried applying Windows Updates to my IIS 7 server and it kept failing.  I also tried adding or removing features to IIS 7 and it kept failing.  As soon as I disabled the shared configuration, they worked again.  So now, I am in the habit of disabling/installing/enabling shared configurations whenever I do anything.

    Another piece of advice; make sure your log files for each web farm server are local to each webserver.  It increases performance and you won't experience file locks.  IIS 7 doesn't have the ability to set the log filename, so each server would try to write to the same file in the shared folder.

    And yet another; Microsoft says that IIS 7.0 has a 'severe limitation' in the management interface.  When you add SSL certificates, it won't let you enter a host name.  Simply add the SSL certificate, then open the applicationHost.config file, find the 'bindings' section and alter the ssl entry like the line below and restart IIS on the webfarm servers and you should be fine.

    from
    <binding protocol="https" bindingInformation="10.0.0.1:443:" />
    to
    <binding protocol="https" bindingInformation="10.0.0.1:443:www.microsoft.com" />
    (the IP address indicated above, 10.0.0.1, represents the primary IP address of your web farm server, regardless of what IP address you assigned it on the server!!! ISA server routes all traffic using web farm IPs, NOT your virtual IP address)

    I can still get those logs for you if you would like me to, but I think my problem is resolved for now.  I really, really hope this post helps someone somewhere.

    Thanks,
    Jon Ebersole
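
A read-only check, added here as an example and not part of the original thread, that scans an applicationHost.config for three of the settings jon.ebersole reports having to change: Windows Authentication on a site with UNC content, an https binding without a host name, and a log directory on a share. The sample XML, site names and paths are constructed, and only `<location>` blocks whose path is exactly a site name are inspected.

```python
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config layout; site names and paths are made up.
SAMPLE = r"""<configuration><system.applicationHost><sites>
 <site name="farm-a" id="2">
  <application path="/"><virtualDirectory path="/" physicalPath="\\fs01\web\farm-a" /></application>
  <bindings>
   <binding protocol="https" bindingInformation="10.0.0.1:443:" />
  </bindings>
  <logFile directory="\\fs01\logs" />
 </site>
 <site name="farm-b" id="3">
  <application path="/"><virtualDirectory path="/" physicalPath="D:\sites\farm-b" /></application>
  <bindings><binding protocol="https" bindingInformation="10.0.0.1:443:b.example.com" /></bindings>
 </site>
</sites></system.applicationHost>
<location path="farm-a"><system.webServer><security><authentication>
 <windowsAuthentication enabled="true" />
</authentication></security></system.webServer></location>
</configuration>"""

def audit(config_xml):
    """Return (site, finding) pairs where a site differs from the setup described in the post."""
    root = ET.fromstring(config_xml)
    # Site names whose <location> block turns Windows Authentication on.
    win_auth = {loc.get("path") for loc in root.iter("location")
                if any(w.get("enabled", "").lower() == "true"
                       for w in loc.iter("windowsAuthentication"))}
    findings = []
    for site in root.iter("site"):
        name = site.get("name")
        on_unc = any(v.get("physicalPath", "").startswith("\\\\")
                     for v in site.iter("virtualDirectory"))
        if on_unc and name in win_auth:
            findings.append((name, "UNC content with Windows Authentication enabled"))
        for b in site.iter("binding"):
            # bindingInformation is ip:port:hostname; an empty last field means no host name.
            host = b.get("bindingInformation", "").rsplit(":", 1)[-1]
            if b.get("protocol") == "https" and not host:
                findings.append((name, "https binding without host name"))
        log = site.find("logFile")
        if log is not None and log.get("directory", "").startswith("\\\\"):
            findings.append((name, "log directory on a UNC share"))
    return findings

if __name__ == "__main__":
    for site, finding in audit(SAMPLE):
        print(f"{site}: {finding}")
```
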
  • Re: IIS7 - WebDAV 7.5 & Shared Hosting Config w/UNC folder location

    Aug 29, 2009 07:17 AM|steve schofield

    Wow!  Thanks for the detailed explanation.  I agree with many points.  Shared configuration is not for the 'common' IT guy.  Most 'common' scenarios don't have a large web farm or implementation as you described.  I hope the experience in the future using shared configuration gets better tools.  The benefits do outweigh the drawbacks once you know them.  As far as the Kerberos thing, I can't help you there.  Using BASIC w/SSL is a workaround.  Having two domains, trusts and the like you posted is complicated.  I'm going to bookmark this thread in my UNC TAG so people can refer to it in the future.

    http://weblogs.asp.net/steveschofield/archive/tags/UNC/default.aspx

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: IIS7 - Multiple webdav folders

    Sep 22, 2009 02:14 PM|reachchandra

    Hi, I am new to IIS and WebDAV.  I have an application which sends data in passive mode.  I have been told to configure WebDAV on my server.  For each user that is going to use the application for uploading the document, I have to create a separate folder for that particular user with username and password.  For example, if there is a user called sam, I have to create a folder called D:\Webdav\sam where he can upload the data using WebDAV.  Each user will have access to their respective folders.

    My challenge is, first, how to send the data in passive mode and, second, how to configure a folder with WebDAV enabled with user ID and password.

    Currently I have created a virtual directory called sam under the default website.  Then I enabled WebDAV on the sam virtual directory with authentication and authoring roles.  The WebDAV is not working at all.  I don't know what to do.

     

    webdav on multiple folders.