views:

1437

answers:

2

We have our servers at the server farm in a domain. Let's call it LIVE.

Our developer computers live in a completely separate corporate domain, miles and miles away. Let's call it CORP.

We have a large central storage unit (unix) that houses images and other media needed by many webservers in the server farm. The IIS application pools run as (let's say) LIVE\MediaUser and use those credentials to connect to a central storage share as a virtual directory, retrieve the images, and serve them as if they were local on each server.

The problem is in development.

On my development machine, I log in as CORP\MyName. My IIS 6 application pool runs as Network Service. I can't run it as a user from the LIVE domain because my machine isn't (and can not be) joined to that domain.

I try to create a virtual directory, point it to the same network directory, click Connect As, uncheck the "Always use the authenticated user's credentials when validating access to the network directory" checkbox so that I can enter the login info, enter the credentials for LIVE\MediaUser, click OK, verify the password, etc.

This doesn't work. I get "HTTP Error 500 - Internal server error" from IIS.

The IIS log file reports sc-status = 500, sc-substatus = 16, and sc-win32-status = 1326.

The documentation says this means "UNC authorization credentials are incorrect" and the Win32 status means "Logon failure: unknown user name or bad password."

This would be all well and good if it were anywhere close to accurate. I double- and trouble-checked it. Tried multiple known good logins. The IIS manager allows me to view the file tree in its window, it's only the browser that kicks me out.

I even tried going to the virtual directory's Directory Security tab, and under Authentication and Access Control, I tried using the same LIVE domain username for the anonymous access credential. No luck.

I'm not trying to run any ASP, ASP.NET, or other dynamic anything out of the virtual directory. I just want IIS to be able to load static images, css, and js files.

If anyone has some bright ideas I would be most appreciative!
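A small triage helper, added here and not part of the original thread, that reads IIS 6 W3C log lines and pulls out the 500.16 entries together with the Win32 reason behind them, so the "UNC authorization credentials are incorrect" case above can be spotted and counted across a whole log rather than one request at a time (the sample log is constructed):

```python
"""Triage IIS 6 W3C logs for UNC (virtual directory) credential failures.

IIS reports sc-status 500 / sc-substatus 16 when it cannot authenticate to
the UNC path behind a virtual directory; sc-win32-status carries the
underlying Win32 error code.
"""

# Win32 status codes commonly seen alongside substatus 16 (from winerror.h).
WIN32_REASON = {
    5: "ERROR_ACCESS_DENIED: share or NTFS ACL rejects the account",
    53: "ERROR_BAD_NETPATH: server name could not be resolved or reached",
    67: "ERROR_BAD_NET_NAME: share name does not exist on that server",
    1311: "ERROR_NO_LOGON_SERVERS: no DC reachable to validate the account",
    1326: "ERROR_LOGON_FAILURE: unknown user name or bad password (or the "
          "file server cannot validate an account from that domain)",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def unc_auth_failures(text):
    """Return (uri, win32 code, reason) for every 500.16 entry in the log."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("sc-status") == "500" and rec.get("sc-substatus") == "16":
            code = int(rec.get("sc-win32-status", "0"))
            hits.append((rec.get("cs-uri-stem"), code,
                         WIN32_REASON.get(code, "unlisted Win32 error")))
    return hits

# Constructed sample log mirroring the symptom in the question (not real data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2009-01-01 10:00:00 10.0.0.5 GET /media/logo.png 500 16 1326
2009-01-01 10:00:01 10.0.0.5 GET /default.htm 200 0 0
2009-01-01 10:00:02 10.0.0.5 GET /media/site.css 500 16 1326
"""

if __name__ == "__main__":
    for uri, code, reason in unc_auth_failures(SAMPLE_LOG):
        print(f"{uri}: win32={code} {reason}")
```

Point it at a real ex*.log file and every path that still fails after a credential change is a virtual directory whose Connect As or anonymous account has not actually taken effect.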

A: 

If my memory is correct, this depends on the user account that is used by authentication with IIS. If the virtual directory is set up for anonymous, then depending on the version of IIS it will use a local machine account called IUSER_MACHINENAME. Here is a technet article that explains how to change the user account used for anonymous authentication in IIS 6.0.

Seth
I already described my attempt to change the default IUSR_MACHINENAME credential to a domain credential on the Directory Security tab of the virtual directory configuration.
David
A: 

We have this same situation. As the above poster mentioned, IIS is trying to use the IUSER_XXXX account to authenticate for anonymous access, but that account needs to exist on both machines. You can still get passthrough authentication working in separate domains.

This works with a remote Windows file server due to the way NetLogon processes domain names -- I'm not sure if it will work with a Unix server:

Following your example, you'd create a domain user in your local domain ('CORP\MediaUser') with the SAME logon name and password as the 'LIVE\MediaUser' account. Then, set up the virtual directory using the 'LIVE\MediaUser' credentials as you did before, but this time set up 'CORP\MediaUser' as the Anonymous User for that virtual directory. It should then work.

This will also work with a local account ('MYMACHINE\MediaUser') so long as the logon name and password are the same as the remote account.

Mike
blowdart
I verified. It did not work. :-(
David