views:

1509

answers:

2

When setting up a virtual directory under IIS using a UNC path to a remote share, what user identity should I be expecting to see the read request to the share come under?

I've setup the above scenario and configured the user under 'Connect As' as a known user who has permissions on the remote share, which I checked with Windows Explorer.

However, when trying to access a file from within a web browser on the share using http://localhost/myfiles/atestfile.txt, I am getting an HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application error returned. 'myfiles' is mapped to the remote share and atestfile.txt resides in the shared folder.

If I use sysinternals filemon application to see what process and user the read request to the share is being carried out under, then I get the details that the request is through the w3wp.exe process and the user is shown as "NT AUTHORITY\NETWORK".

I was expecting the user to be shown as the user I confugured under the 'Connect As' option.

Any guidance appreciated.

A: 

If i recall correctly (used iis about 4 years ago) it was IUSR_. I'm not sure that it's still so, but give it a try.

Edit: try to give a look at this post, maybe you will find some clues ;)

Alekc
Well, the IUSR_computername isn't what you want. But the link Alekc gave does describe the IIS identity thing a little.
Mufasa
A: 

Did you try it also with other file extensions than "txt", maybe "test.html"? What DLL is used for txt in the ISAPI extensions configuration (web -> Home Directory -> Configuration...)?

The section "To configure security and authentication for a virtual directory" in the MSDN article "How to: Create and Configure Virtual Directories in IIS 5.0 and 6.0" should contain the information you'll need for finding the right configuration.

I guess the account used in the security settings should be able to access the network share. This could be accomplished inserting the account in the right group or changing that account.

splattne
I've tried different extensions and get the same error. I've even added the Everyone user to the share and get the same error returned, which to me would indicate an issue in the IIS config and not the share permissiions?
Did you try to connect "manually" in Windows with the credentials? "Run..." and then "\\remoteServer\share" and looging on...
splattne
connecting manually works like you say, but I think thats because when I check the user accessing the resource it is the user I logged onto the machine with. When trying to access the resource through a virtual directory it is using NT AUTHORITY\NETWORK.
Do you mark the virtual directory as application? if you only need static files (html, txt, images), you could remove the "application" and uncheck "script execution" permission. maybe the worker process is looking for a config file or something similar...
splattne
The virtual directory isn't marked as an application as I only need to read static files. So no execute permissions are needed. At present all I'm trying to do is server up a static html page.
Directory security is setup to use only anonymous access using a local user on the web server. The same is applied to the virtual directory for directory security. Except the Connect As is set to a user which has access rights to the remote share.
I'll try to do the same setup. Which OS and IIS (Windows Server 2003 or Windows Vista - developer machine) are you using?
splattne
Windows Server 2003, IIS 6, the only other complication is the web server is in a DMZ and the file share is in a domain. The users for iis directory security are local to the DMZ web server, and the Connect As user is a domain user account (with access to the share)