IIS 5 & IIS 6
Remote Content w/ Windows Integrated Authentication
Last post Dec 14, 2007 07:47 AM by gis-jedi
Dec 05, 2007 12:16 PM|gis-jedi|LINK
I have an intranet IIS 6.0 web server that has the default website configured for anonymous access. For a particular page used for file upload, I want to be able to retrieve the login name of domain users to associate with their uploaded files.
I set up the file upload page for Windows Integrated Authentication and removed the Anonymous authentication for that page. The rest of the site is still set up for Anonymous access. I can correctly extract the username from an ASP script when the user uploads
The problem that I am having is that the IIS 6.0 pass-through authentication is trying to kick in, and I am getting permissions errors when trying to create a file on a remote share to write the uploaded file contents to (probably because I haven't set up the
webserver for delegation in AD). But I want the remote file access to run under a certain domain account and DISABLE pass-through authentication.
Microsoft seems to indicate that it is possible to access remote content as a specified user account:
"If you want IIS to use a specific user when accessing remote content, set the UNCUsername and UNCPassword properties in the IIS metabase. For information about setting these properties, see the UNCUserName Metabase Property and the UNCPassword Metabase Property."
Since the UNCUsername and UNCPassword are set for the default web site, which is configured for anonymous access, I would think the setting would trickle down to the upload page and that account would be used for all remote file access. Apparently not?
I also tried using a virtual directory with a specified user account that points to the remote share:
* Virtual directory code:
Set oFile = oFS.CreateTextFile(server.mappath("/UserFiles") & "\" & strSaveFile, True)
* Non-virtual directory code:
Set oFile = oFS.CreateTextFile("\\geofiles\UserFiles\" & strSaveFile, True)
But this did not help.
I would appreciate any advice on disabling pass-through authentication. Thank you!
Dec 05, 2007 05:33 PM|tomkmvp|LINK
Do you want to use the authenticated user credentials or the UNCUserName to access the remote directory?
Did you see this too?
Dec 07, 2007 08:10 AM|gis-jedi|LINK
I would like to use an existing user account (whether it be through UNCUserName, or some other method) to access remote content, rather than the authenticated user.
I did in fact see that link, and Figure 6 seems to indicate that what I want to do is possible. Is there some issue with the context that the ASP script is running under? Does it override the UNCUserName setting?
Dec 07, 2007 08:27 AM|tomkmvp|LINK
I would suggest that your try to set the app pool for this site to run under a domain account and then make sure that domain account has permissions to the remote server files. IIRC, ASP will use this app pool account for file write operations while IIS
will use the UNCUserName account for client browse access ...
Dec 07, 2007 08:59 AM|gis-jedi|LINK
OK, I tried changing the app pool to a domain user that has administrative rights over the web server, but when I try to visit the file upload page (the one that requires authentication) in IE, I get a pop-up box that asks me for a certificate. When I use
the certificate that appears in the drop-down list, the one that contains my username, the box comes back up, until it fails on the third try.
Any ideas why changing the app pool user would cause this box to come up during authentication?
Dec 07, 2007 09:19 AM|gis-jedi|LINK
At second glance, the pop-up box is just the regular login box shown by Windows Integrated Authentication when IE is configured not to log in automatically. My credentials fail when I enter them in this box, which is probably why the box showed up in the
first place (the automatic login failed for my credentials).
The login also fails if I use the credentials set for the app pool. So I don't know what's going on. Thoughts?
Dec 07, 2007 10:10 AM|gis-jedi|LINK
This explained the cause of the above problem:
I disabled Kerberos authentication, to just use NTLM, and the credentials passed but I still got a "permission denied" error when accessing the remote server. So changing the app pool context didn't resolve the issue. Thank you though.
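The symptom described in this post (Integrated authentication fails as soon as the application pool runs as a domain account, and works again once the site is limited to NTLM) is what you get when the HTTP/<host> service principal name is not registered on the pool account. By default the server's computer account covers HTTP/<host> implicitly, so the KDC issues a ticket encrypted with the computer account's key; a worker process running as a different domain account cannot decrypt that ticket, the 401 loop repeats and the browser gives up. NTLM has no such dependency, which is why switching to NTLM only makes the credentials pass. The following script is an added example, not something posted in the thread: it uses ADSI to look up who holds each HTTP SPN and reports what is missing or registered on the wrong account. The account name svc_webpool and the host names are placeholders.

```vbscript
' checkspn.vbs - verify that the account an IIS 6 application pool runs as
' holds the HTTP/<host> SPNs Kerberos needs, and that no other account holds them.
' Usage: cscript //nologo checkspn.vbs svc_webpool intranet intranet.corp.example
' (account and host names are placeholders, not taken from the thread)
Option Explicit

Dim oRoot, sDomainDN, oConn, oCmd
Set oRoot = GetObject("LDAP://RootDSE")
sDomainDN = oRoot.Get("defaultNamingContext")
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCmd = CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn

' Return the sAMAccountNames (space separated) of every object holding sSPN.
Function SpnHolders(sSPN)
    Dim oRS, sList
    oCmd.CommandText = "<LDAP://" & sDomainDN & ">;(servicePrincipalName=" & sSPN & ");sAMAccountName;subtree"
    Set oRS = oCmd.Execute
    sList = ""
    Do Until oRS.EOF
        sList = sList & oRS.Fields("sAMAccountName").Value & " "
        oRS.MoveNext
    Loop
    SpnHolders = Trim(sList)
End Function

Dim args, sAccount, sSPN, sHolders, nProblems, i
Set args = WScript.Arguments
If args.Count < 2 Then
    WScript.Echo "usage: cscript checkspn.vbs <pool-account> <host> [<host> ...]"
    WScript.Quit 2
End If
sAccount = args(0)
nProblems = 0
For i = 1 To args.Count - 1
    sSPN = "HTTP/" & args(i)
    sHolders = SpnHolders(sSPN)
    If sHolders = "" Then
        ' nobody holds it explicitly: the KDC falls back to the computer account
        WScript.Echo "MISSING   " & sSPN & "  ->  setspn -A " & sSPN & " " & sAccount
        nProblems = nProblems + 1
    ElseIf LCase(sHolders) <> LCase(sAccount) Then
        ' held by another account, or by several: tickets are encrypted for the
        ' wrong key and the worker process cannot decrypt them
        WScript.Echo "WRONG/DUP " & sSPN & "  held by: " & sHolders
        nProblems = nProblems + 1
    Else
        WScript.Echo "OK        " & sSPN & "  held by " & sHolders
    End If
Next
WScript.Quit nProblems
```

Register the SPN for every name users type into the browser (NetBIOS name and FQDN), and only on the pool account; a duplicate SPN on two accounts breaks Kerberos just as reliably as a missing one. With the SPNs in place the site can keep Negotiate rather than being restricted to NTLM.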
Dec 07, 2007 02:29 PM|gis-jedi|LINK
For some extra details, this is the configuration I have for the file upload page in the Metabase Explorer:
Is this the correct way to specify UNCUserName?
Dec 08, 2007 06:07 AM|steve schofield|LINK
I use Filemon on the web server and try to reproduce the error; if you filter the Filemon results based on the worker process id (w3wp.exe), it should be pretty easy to see what errors are happening. Did you check the security event log to see if an error
was logged? I would check to make sure the 'share' permissions aren't preventing something.
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
Dec 08, 2007 06:10 AM|steve schofield|LINK
BTW, that looks correct. I'm assuming you are setting the username and password so the user's account isn't passed. The specific user you created is connecting on behalf of the user to the remote share.
Dec 09, 2007 01:20 PM|gis-jedi|LINK
You are correct about what I want to do, Steve.
To make things simple, here is what I'm trying to do:
* I'm authenticating users with Windows Integrated Authentication, but I want to access a remote share through an ASP script under a set of static credentials.
Here is what is happening:
* The remote share is being accessed with the authenticated user's credentials.
I know why I am getting a permissions error message, Steve: it is because I don't have delegation enabled for the web server, so when it tries to access the file server under the authenticated user's credentials the access happens under the null session (the
event log on the file server shows that NT AUTHORITY\ANONYMOUS LOGON logged into the machine). If I enable null sessions, the share access works fine.
So I know what is happening and why the error is occurring, I just don't know how to force a static set of credentials on the remote file access.
Someone told me that since I am accessing the UNC path with the ASP filesystem object it completely bypasses the IIS configuration for the UNC, which makes sense. Apparently UNCUserName and UNCPassword only apply if the user accesses the share through their
browser via a virtual directory. It bears no influence on an ASP script.
So the solution to my problem lies in forcing the ASP filesystem object in using static credentials.
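A quick way to see the mismatch this post describes is a diagnostic ASP page that prints the authenticated user, the identity the script thread is actually impersonating, and the result of a write attempt to the share. This is an added example and not code from the thread; it reuses the \\geofiles\UserFiles share named in the first post, and the probe file name is an assumption. Under Integrated authentication on a normal (local path) page the thread identity equals LOGON_USER and the write fails with VBScript error 70 (Permission denied) while the file server logs ANONYMOUS LOGON, because the NTLM network logon token cannot be forwarded to a second hop. Under a UNC-path virtual directory with UNCUserName set, the thread identity becomes the static account while LOGON_USER still names the client.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit
' whoami.asp (added example): which identity does this request run under,
' and can that identity create a file on the remote share?
Const UNC_PROBE_DIR = "\\geofiles\UserFiles"   ' share from the first post; adjust to yours

Dim oNet, oFS, oFile, sThreadUser, sProbe
' WScript.Network reports the user the current (impersonated) thread runs as
Set oNet = Server.CreateObject("WScript.Network")
sThreadUser = oNet.UserDomain & "\" & oNet.UserName

Response.Write "AUTH_TYPE:      " & Server.HTMLEncode(Request.ServerVariables("AUTH_TYPE")) & "<br>"
Response.Write "LOGON_USER:     " & Server.HTMLEncode(Request.ServerVariables("LOGON_USER")) & "<br>"
Response.Write "Thread runs as: " & Server.HTMLEncode(sThreadUser) & "<br>"

' Probe the share with the same FileSystemObject call the upload script uses.
' The probe file name is derived from the thread identity so concurrent tests do not collide.
sProbe = UNC_PROBE_DIR & "\probe_" & Replace(Replace(sThreadUser, "\", "_"), " ", "") & ".txt"
Set oFS = Server.CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set oFile = oFS.CreateTextFile(sProbe, True)
If Err.Number <> 0 Then
    ' 70 = Permission denied (look for ANONYMOUS LOGON on the file server),
    ' 76 = Path not found (share or folder name wrong, or not reachable at all)
    Response.Write "CreateTextFile failed as " & Server.HTMLEncode(sThreadUser) & _
                   ": error " & Err.Number & " " & Server.HTMLEncode(Err.Description) & "<br>"
    Err.Clear
Else
    oFile.WriteLine "probe written by " & sThreadUser
    oFile.Close
    oFS.DeleteFile sProbe
    Response.Write "Share is writable as " & Server.HTMLEncode(sThreadUser) & "<br>"
End If
On Error GoTo 0
%>
```

Compare the "Thread runs as" line with the account that appears in the file server's security log for the same request; when the two differ, or the log shows ANONYMOUS LOGON, the credentials are not reaching the second hop and no share permission change on the file server will help.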
Dec 10, 2007 09:57 AM|steve schofield|LINK
Your post was an interesting challenge so I wanted to see if I could find a solution. I tried creating a virtual directory mapped to a UNC path setting the credentials with a domain account that had the correct permissions. I was running into an issue when
the upload.asp page was hosted on the local web server and trying to access the virtual directory setup to the UNC share.
Here is a workaround that seems to fit your requirements.
1) I created a domain user called UploadSample with some random password.
2) I created a folder on a remote server called UploadSample. I shared the folder and granted the Domain\UploadSample user modify permissions to the remote folder. + I also granted Administrators / SYSTEM full control.
3) In IIS Manager, I created a virtual directory called "UploadSample" mapped to the remote UNC path. Since this is a static user, the anonymous login can be set and not protected using Windows Authentication. This is the only vdir set to anonymous. I
set the anonymous user to a static domain account (Domain\UploadSample).
4) Since you are using ASP, I downloaded
http://www.freeaspupload.net/freeaspupload/download.asp and extracted uploadtester.asp and freeASPUpload.asp to the Remote Share I created in step 2. The upload program files are being hosted on the remote share. I fixed the variable used by the program.
Here is the line you need to correct. uploadsDirVar = "\\DomainFileServer\UploadSample", this variable is in uploadTester.asp.
5) I made sure the rest of the site required Windows Authentication.
6) I hit http://WebServerIPAddress/UploadSample/UploadTester.asp and tested uploading files with no issues.
A few other tricks I did, the UploadSample folder does not have a default document, so when someone goes to
http://WebServerIPAddress/UploadSample/, they'll get a 403 error since no default documents are set. You could even have some logic to redirect them elsewhere. In your application, you link directly to
http://WebServerIPAddress/UploadSample/UploadTester.asp For reference, the application pool was set to use Network Service. Hope this is helpful, it was an interesting challenge.
Dec 12, 2007 09:07 AM|gis-jedi|LINK
Sorry, it was a while before I had a chance to try it out. I know what you mean about the challenge Steve -- there were ideas for workarounds I had, but I wanted to see this way work.
After all of this time I never thought there would be a simple way to do what I wanted to do, but it works perfectly! I only made slight changes to what Steve did. Here's what I did:
* Created a new virtual directory called "Scripts".
* I pointed the virtual directory to the file directory on the web server that contains the same old ASP script I was using before, except now I used a UNC path, tricking IIS into thinking that I am referring to a remote share.
* The virtual directory was configured with the UNCUserName and UNCPassword of the static domain account I was trying to use (the variables are set transparently through the options in the properties window for the share... meaning I didn't edit the metabase).
* Disabled anonymous access on the virtual directory and enabled Windows Integrated Authentication.
The LOGON_USER request variable contains the domain username of the client, but the script runs under the static domain account, exactly as I wanted it to.
I appreciate your help Steve and Tom. I'm definitely glad to have this resolved.
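The configuration gis-jedi ends up with (a virtual directory whose Path is a UNC, static UNCUserName/UNCPassword, anonymous off, Integrated Windows Authentication on) can be scripted against the IIS 6 metabase through ADSI instead of clicking through IIS Manager. The script below is an added example and not from the thread; the site id 1, the share name \\webserver\Scripts$, and the account CORP\svc_upload are assumptions you replace with your own. It does the same thing as setting the properties with adsutil.vbs, but applies all of them in one SetInfo so the directory is never briefly exposed with anonymous access and no credentials.

```vbscript
' mkuncvdir.vbs (added example): create or reconfigure a virtual directory that
' points at a UNC path under a static account and accepts Integrated auth only.
' Run with cscript as an administrator on the IIS 6 server.
Option Explicit
Const SITE_ID   = "1"                    ' Default Web Site; assumption
Const VDIR_NAME = "Scripts"
Const UNC_PATH  = "\\webserver\Scripts$" ' local folder exposed as a hidden share; assumption
Const UNC_USER  = "CORP\svc_upload"      ' static domain account; assumption
' AuthFlags bits: 1 Anonymous, 2 Basic, 4 Integrated (NTLM/Negotiate), 16 Digest
Const AUTH_INTEGRATED = 4
' AccessFlags bits: 1 Read, 2 Write (HTTP PUT/WebDAV), 4 Execute, 512 Script
Const ACCESS_READ   = 1
Const ACCESS_SCRIPT = 512

Dim sPassword, oRoot, oVDir
' Read the password from stdin so it does not end up in the command history
' (it is still echoed on the console; clear the screen afterwards).
WScript.StdOut.Write "Password for " & UNC_USER & ": "
sPassword = WScript.StdIn.ReadLine

Set oRoot = GetObject("IIS://localhost/W3SVC/" & SITE_ID & "/Root")
On Error Resume Next
Set oVDir = oRoot.GetObject("IIsWebVirtualDir", VDIR_NAME)   ' reuse if it exists
If Err.Number <> 0 Then
    Err.Clear
    Set oVDir = oRoot.Create("IIsWebVirtualDir", VDIR_NAME)
End If
On Error GoTo 0

oVDir.Path        = UNC_PATH
oVDir.UNCUserName = UNC_USER
oVDir.UNCPassword = sPassword
oVDir.AuthFlags   = AUTH_INTEGRATED                  ' anonymous off, Integrated on
oVDir.AccessFlags = ACCESS_READ Or ACCESS_SCRIPT     ' ASP may run; no HTTP write, no execute
oVDir.SetInfo

WScript.Echo "Configured " & oVDir.ADsPath
WScript.Echo "  Path=" & oVDir.Path & "  UNCUserName=" & oVDir.UNCUserName & _
             "  AuthFlags=" & oVDir.AuthFlags & "  AccessFlags=" & oVDir.AccessFlags
```

Two caveats that follow from this design. First, UNCPassword is kept in the metabase as a secure property, but any administrator on the web server can read it back (adsutil.vbs GET will print it), so the static account should hold Modify on that one share and nothing else, and should be denied interactive and remote logon. Second, once the directory is set up this way every authenticated domain user who reaches the page is executing the script with the static account's rights; the client identity is only what LOGON_USER says it is. The upload script therefore has to treat the client-supplied file name as untrusted: strip any path component from strSaveFile before appending it to the share path, otherwise a name containing "..\" would let a user write outside the upload folder under the static account. AccessWrite is deliberately left off because the ASP script writes through the FileSystemObject under the impersonated identity, which does not need the HTTP write permission.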
Dec 12, 2007 12:47 PM|steve schofield|LINK
Glad you got it working. I'm a little confused on what you mean tricking IIS. Does the 'Scripts' vdir have a local path "d:\domains\example.com\foldername" or a UNC path?
Dec 13, 2007 07:34 AM|gis-jedi|LINK
Dec 13, 2007 08:47 AM|tomkmvp|LINK
I would have thought that changing the app pool account for this would have handled it. The fake UNC path shouldn't be necessary.
Dec 14, 2007 07:47 AM|gis-jedi|LINK
I would think that as well Tom. After several tries I couldn't get it to work though. Dunno.