We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

IIS 7 Virtual Directory to Other ServerRSS

7 replies

Last post Aug 10, 2009 02:35 AM by LesterDK

  • IIS 7 Virtual Directory to Other Server

    Apr 28, 2009 11:27 AM|derekw44|LINK

     I am trying to create several virtual directories on 1 server that will point to files on another server in IIS 7 on Windows Server 2008. In IIS6, all I had to do was make anonymous authentication use a user that had access to the files. In IIS7, I can't get it to work. I setup the virtual directory with the username and password but I get a 500.19 error "Cannot read configuration file due to insufficient permissions". I can't imagine that I really have to put a web.config in a directory that just contains images and no application files. If I click on the directory in IIS Manager, I get that error about the web.config file on anything that I click on such as the Authentication section. Also, writing to files from the virtual directory seems to work just fine so I don't think there is anyway that I have an access problem. I have given the directory access to the IIS_IUSR group.

     Note: I have figured out that this is a permissions issue. If I view the Security log in EventViewer on the server that contains the files, I can see that when I go to the virtual directory..Basic Settings...Test Settings, everything comes up successful and in the security log it shows as coming from the correct user that I setup. However, if I click on the Authentication button or I just try to access one of the files from the browser, the security log shows a login from "ANONYMOUS LOGON". Not sure how to change that. I have the application pool and the virtual directory both set to connect as a user I created. Do I also need to add a location element in my web.config that uses impersonate?

    IIS7 asp.net windows 2008

  • Re: IIS 7 Virtual Directory to Other Server

    Apr 28, 2009 01:01 PM|anilr|LINK

    It is not that you have to put a web.config file in the location - it is that IIS has to check whether there is/isn't web.config file at the location and read it if it is there.  Now, reading the web.config file has to happen as either the worker process identity/virtual directory user identity - so, you have to give that identity at least list access to the remote share.

    The easiest way to configure this may be to set the application pool identity (worker process identity) to the user that has access to the files and then configure anonymous authentication to just use the application pool identity.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: IIS 7 Virtual Directory to Other Server

    Apr 28, 2009 01:25 PM|derekw44|LINK

     That's what I'm trying to do. I have the application pool, the site, the virtual directory, and the anonymous user for the site all set to the user that I have setup. The user is a part of the IIS_IUSR group and for NTFS permissions that group has Full Control. When I do Test Settings for the virtual directory, it says everything is ok and on the server that has the files, the security log shows login by that user. But when I go to a file from the browser or I click on any of the buttons in IIS Manager for the virtual directory (Authentication, etc.), I get the 500.19 error about the web.config. In IIS 6, there was a checkbox for a virtual directory for directory browsing. I don't see anything like that in IIS 7. Is there something I need to do for that?

  • Re: IIS 7 Virtual Directory to Other Server

    May 08, 2009 04:37 PM|anilr|LINK

    In that case, the user does not have access to the unc share.  You can probably use procmon to find out more.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: IIS 7 Virtual Directory to Other Server

    May 15, 2009 04:30 AM|LesterDK|LINK

     I'm having the same problem.

     From my IIS7 I got a virtual folder accessing af subdir of another site on another server (IIS6) and from time to time I get the "cannot read the configuration file" in IIS7 manager when looking at the virtual folders settings. Furthermore when accessing the website on II7 and the files that are taken from the virtual folder are needed, they all result in an 500 error.

    It's an easy fix though, open the web.config on the IIS6 machine and re-save it. Problem solved - atleast for a while as it will occur again later again at sporadic intervals.

    "The network bios name limit has been reached" appear in the eventlog aswell on the IIS7 machine. Making me think the share itself is the problem.

     Found http://support.microsoft.com/kb/810886 but have not tried the solution yet.

    In my case its multiple sites having a virtual folder on the UNC share, so that the amount of sessions using the UNC is quite high is not a shock.

  • Re: IIS 7 Virtual Directory to Other Server

    Jul 23, 2009 04:02 PM|bvanburenx|LINK

    I had this same nightmare.

    What is confusing is that both the IIS7 applications pool account and the physical path account of the virtual directory must have access to the UNC.   This can be trickey if you are not in a domain (in the DMZ) where you want to have shared access to a drive by your front-end servers.. You would think that that running the pool as a network service and setting the UNC as UNCservername\user for the path credentials should work. It does not.

    I had had to create new accounts on the server with the username/password that were the same as configured Username/password of the UNC.  (I tested this with a NAS UNC and another windows 2008 server UNC) .  

    Then set the app pool and file path creds of the virtual directory to use these accounts.  Note the path creds do not include the server name.

    Watching in procmon you will see both accounts being used with the app pool account making a connection (whose purpose is I think to read the config file) then impersonating the file path user to serve up the content. 

    It would seem that a check box on the the config indicating the use the app pool account if desired to access the UNC would simplify things since the account will have need it anyway. 

     

    Hope this helps somebody else.

     

     

      

     

     

     

     

     

      

     

    In my case I had to add the

    FilePath access denied IIS 7 Vitual Directory

  • Re: IIS 7 Virtual Directory to Other Server

    Jul 27, 2009 10:48 PM|vicquall|LINK

    I agee that this is a nightmare.

    Your suggested scenario comes closest to mine in attempting to resolve the issue of connecting to a virtual directory in another domain with iis7 

    I have default configured instance of ii7 running in domain DMZ. I wish to access documents, .pdf, .xls etc, in a folder DOCS in domain MAIN. I have created a share on the DOCS folder as DOCS_SHARE and given full permission to the share to user MAIN\DocReader.

    In iis7, I have created a virtual directory DOCS_BASE with physical path \\MAIN\DOCS_SHARE. I have created a user DMZ\DocReader with the same password as MAIN\DocUser and made DocReader, (omitting the domain prefix), the user to connect as.

    When I test the connect as settings for virtual directory DOCS_BASE the user is authenticated as valid but is not authorised to access \\MAIN\DOCS_SHARE. Thats problem one.

    As I can't get past this point I have not yet addressed the issue of the application pool identity attempting to access a non existant web.config file in \\MAIN\DOCS_SHARE.

    I have used procmon and verify that if I leave the Application Pool identity as NETWORKSERVICES, when I try to access the directory from an application, the user NT AUTHORITY\NETWORK SERVICE is attempting to access a web.config file and failing.

    Any assistance/guidance would be much appreciated as this is driving me nuts. No such problems with iis5.1.

    bvanburenx

    I had this same nightmare.

    What is confusing is that both the IIS7 applications pool account and the physical path account of the virtual directory must have access to the UNC.   This can be trickey if you are not in a domain (in the DMZ) where you want to have shared access to a drive by your front-end servers.. You would think that that running the pool as a network service and setting the UNC as UNCservername\user for the path credentials should work. It does not.

    I had had to create new accounts on the server with the username/password that were the same as configured Username/password of the UNC.  (I tested this with a NAS UNC and another windows 2008 server UNC) .  

    Then set the app pool and file path creds of the virtual directory to use these accounts.  Note the path creds do not include the server name.

    Watching in procmon you will see both accounts being used with the app pool account making a connection (whose purpose is I think to read the config file) then impersonating the file path user to serve up the content. 

    It would seem that a check box on the the config indicating the use the app pool account if desired to access the UNC would simplify things since the account will have need it anyway. 

     

    Hope this helps somebody else.

     

     

      

     

     

     

     

     

      

     

    In my case I had to add the

    virtual directory connect as application pool identity

  • Re: IIS 7 Virtual Directory to Other Server

    Aug 10, 2009 02:35 AM|LesterDK|LINK

     Interesting - yet frustrating and not intuitive at all.

    So in essence, when you add a website and specify a user to run the site in, the site will run with that user, but the app pool itself will still use Network Service as default?

    Will have to play around with this a bit, or server architecture is kindda tricky.