Answered by:
Remote Content w/ Windows Integrated Authentication

Question
-
User-363534632 posted
Hi guys,
I have an intranet IIS 6.0 web server that has the default website configured for anonymous access. For a particular page used for file upload, I want to be able to retrieve the login name of domain users to associate with their uploaded files.
I set up the file upload page for Windows Integrated Authentication and removed the Anonymous authentication for that page. The rest of the site is still set up for Anonymous access. I can correctly extract the username from an ASP script when the user uploads a file.
The problem that I am having is that the IIS 6.0 pass-through authentication is trying to kick in, and I am getting permissions errors when trying to create a file on a remote share to write the uploaded file contents to (probably because I haven't set up the webserver for delegation in AD). But I want the remote file access to run under a certain domain account and DISABLE pass-through authentication.
Microsoft seems to indicate that it is possible to access remote content as a specified user account:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8a0e917a-795c-49b7-8896-f46291b289d6.mspx?mfr=true
Key quote:
"If you want IIS to use a specific user when accessing remote content, set the UNCUsername and UNCPassword properties in the IIS metabase. For information about setting these properties, see the UNCUserName Metabase Property and the UNCPassword Metabase Property."
Since the UNCUsername and UNCPassword are set for the default web site, which is configured for anonymous access, I would think the setting would trickle down to the upload page and that account would be used for all remote file access. Apparently not?
I also tried using a virtual directory with a specified user account that points to the remote share:
* Virtual directory code:
Set oFile = oFS.CreateTextFile(server.mappath("/UserFiles") & "\" & strSaveFile, True)
* Non-virtual directory code:
Set oFile = oFS.CreateTextFile("\\geofiles\UserFiles\" & strSaveFile, True)
But this did not help.
I would appreciate any advice on disabling pass-through authentication. Thank you!
Wednesday, December 5, 2007 12:16 PM
Answers
-
User-823196590 posted
I would suggest that you try to set the app pool for this site to run under a domain account and then make sure that domain account has permissions to the remote server files. IIRC, ASP will use this app pool account for file write operations while IIS will use the UNCUserName account for client browse access ...
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Friday, December 7, 2007 8:27 AM -
User1073881637 posted
I use Filemon on the web server and try to reproduce the error; if you filter the Filemon results based on the worker process id (w3wp.exe), it should be pretty easy to see what errors are happening. Did you check the security event log to see if an error was logged? I would check to make sure the 'share' permissions aren't preventing something.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Saturday, December 8, 2007 6:07 AM -
User1073881637 posted
Your post was an interesting challenge so I wanted to see if I could find a solution. I tried creating a virtual directory mapped to a UNC path, setting the credentials with a domain account that had the correct permissions. I was running into an issue when the upload.asp page was hosted on the local web server and trying to access the virtual directory set up to the UNC share.
Here is a workaround that seems to fit your requirements.
1) I created a domain user called UploadSample with some random password.
2) I created a folder on a remote server called UploadSample. I shared the folder and granted the Domain\UploadSample user modify permissions to the remote folder. I also granted Administrators / SYSTEM full control.
3) In IIS Manager, I created a virtual directory called "UploadSample" mapped to the remote UNC path. Since this is a static user, the anonymous login can be set and not protected using Windows Authentication. This is the only vdir set to anonymous. I set the anonymous user to a static domain account (Domain\UploadSample).
4) Since you are using ASP, I downloaded http://www.freeaspupload.net/freeaspupload/download.asp and extracted uploadtester.asp and freeASPUpload.asp to the Remote Share I created in step 2. The upload program files are being hosted on the remote share. I fixed the variable used by the program. Here is the line you need to correct. uploadsDirVar = "\\DomainFileServer\UploadSample", this variable is in uploadTester.asp.
5) I made sure the rest of the site required Windows Authentication.
6) I hit http://WebServerIPAddress/UploadSample/UploadTester.asp and tested uploading files with no issues.
A few other tricks I did: the UploadSample folder does not have a default document, so when someone goes to http://WebServerIPAddress/UploadSample/, they'll get a 403 error since no default documents are set. You could even have some logic to redirect them elsewhere. In your application, you link directly to http://WebServerIPAddress/UploadSample/UploadTester.asp. For reference, the application pool was set to use Network Service. Hope this is helpful, it was an interesting challenge.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Monday, December 10, 2007 9:57 AM
All replies
-
User-823196590 posted
Do you want to use the authenticated user credentials or the UNCUserName to access the remote directory?
Did you see this too?
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
Wednesday, December 5, 2007 5:33 PM -
User-363534632 posted
Hi Tom,
I would like to use an existing user account (whether it be through UNCUserName, or some other method) to access remote content, rather than the authenticated user.
I did in fact see that link, and Figure 6 seems to indicate that what I want to do is possible. Is there some issue with the context that the ASP script is running under? Does it override the UNCUserName setting?
Friday, December 7, 2007 8:10 AM -
User-823196590 posted
I would suggest that you try to set the app pool for this site to run under a domain account and then make sure that domain account has permissions to the remote server files. IIRC, ASP will use this app pool account for file write operations while IIS will use the UNCUserName account for client browse access ...
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Friday, December 7, 2007 8:27 AM -
User-363534632 posted
OK, I tried changing the app pool to a domain user that has administrative rights over the web server, but when I try to visit the file upload page (the one that requires authentication) in IE, I get a pop-up box that asks me for a certificate. When I use the certificate that appears in the drop list, that contains my username, the box comes back up, until it fails on the 3rd try.
Any ideas why changing the app pool user would cause this box to come up during authentication?
Friday, December 7, 2007 8:59 AM -
User-363534632 posted
At second glance, the pop-up box is just the regular login box shown by Windows Integrated Authentication when IE is configured not to log in automatically. My credentials fail when I enter them in this box, which is probably why the box showed up in the first place (the automatic login failed for my credentials).
The login also fails if I use the credentials set for the app pool. So I don't know what's going on. Thoughts?
Friday, December 7, 2007 9:19 AM -
User-363534632 posted
This explained the cause of the above problem:
http://support.microsoft.com/kb/871179/en-us
I disabled Kerberos authentication, to just use NTLM, and the credentials passed but I still got a "permission denied" error when accessing the remote server. So changing the app pool context didn't resolve the issue. Thank you though.
Friday, December 7, 2007 10:10 AM -
User-363534632 posted
For some extra details, this is the configuration I have for the file upload page in the Metabase Explorer:
KeyType: IIsWebFile
UNCUserName: mydomain\MyDomainAccount
UNCPassword: mypassword
AuthFlags: 4
WAMUserName: mydomain\MyDomainAccount
WAMUserPass: mypassword
Is this the correct way to specify UNCUserName?
Friday, December 7, 2007 2:29 PM -
User1073881637 posted
I use Filemon on the web server and try to reproduce the error; if you filter the Filemon results based on the worker process id (w3wp.exe), it should be pretty easy to see what errors are happening. Did you check the security event log to see if an error was logged? I would check to make sure the 'share' permissions aren't preventing something.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Saturday, December 8, 2007 6:07 AM -
User1073881637 posted
btw that looks correct. I'm assuming you are setting the username and password so the user's account isn't passed. The specific user you created is connecting on behalf of the user to the remote share.
Saturday, December 8, 2007 6:10 AM -
User-363534632 posted
You are correct about what I want to do Steve.
To make things simple, here is what I'm trying to do:
* I'm authenticating users with Windows Integrated Authentication, but I want to access a remote share through an ASP script under a set of static credentials.
Here is what is happening:
* The remote share is being accessed with the authenticated user's credentials.
I know why I am getting a permissions error message Steve: It is because I don't have delegation enabled for the web server, so when it tries to access the file server under the authenticated user's credentials the access happens under the null session (the event log on the file server shows that NT AUTHORITY \ ANONYMOUS LOGON logged into the machine). If I enable null sessions, the share access works fine.
So I know what is happening and why the error is occurring, I just don't know how to force a static set of credentials on the remote file access.
Someone told me that since I am accessing the UNC path with the ASP filesystem object it completely bypasses the IIS configuration for the UNC, which makes sense. Apparently UNCUserName and UNCPassword only apply if the user accesses the share through their browser via a virtual directory. It bears no influence on an ASP script.
So the solution to my problem lies in forcing the ASP filesystem object into using static credentials.
Sunday, December 9, 2007 1:20 PM -
User1073881637 posted
Your post was an interesting challenge so I wanted to see if I could find a solution. I tried creating a virtual directory mapped to a UNC path, setting the credentials with a domain account that had the correct permissions. I was running into an issue when the upload.asp page was hosted on the local web server and trying to access the virtual directory set up to the UNC share.
Here is a workaround that seems to fit your requirements.
1) I created a domain user called UploadSample with some random password.
2) I created a folder on a remote server called UploadSample. I shared the folder and granted the Domain\UploadSample user modify permissions to the remote folder. I also granted Administrators / SYSTEM full control.
3) In IIS Manager, I created a virtual directory called "UploadSample" mapped to the remote UNC path. Since this is a static user, the anonymous login can be set and not protected using Windows Authentication. This is the only vdir set to anonymous. I set the anonymous user to a static domain account (Domain\UploadSample).
4) Since you are using ASP, I downloaded http://www.freeaspupload.net/freeaspupload/download.asp and extracted uploadtester.asp and freeASPUpload.asp to the Remote Share I created in step 2. The upload program files are being hosted on the remote share. I fixed the variable used by the program. Here is the line you need to correct. uploadsDirVar = "\\DomainFileServer\UploadSample", this variable is in uploadTester.asp.
5) I made sure the rest of the site required Windows Authentication.
6) I hit http://WebServerIPAddress/UploadSample/UploadTester.asp and tested uploading files with no issues.
A few other tricks I did: the UploadSample folder does not have a default document, so when someone goes to http://WebServerIPAddress/UploadSample/, they'll get a 403 error since no default documents are set. You could even have some logic to redirect them elsewhere. In your application, you link directly to http://WebServerIPAddress/UploadSample/UploadTester.asp. For reference, the application pool was set to use Network Service. Hope this is helpful, it was an interesting challenge.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Monday, December 10, 2007 9:57 AM -
User-363534632 posted
Sorry, it was a while before I had a chance to try it out. I know what you mean about the challenge Steve -- there were ideas for workarounds I had, but I wanted to see this way work.
After all of this time I never thought there would be a simple way to do what I wanted to do, but it works perfectly! I only made slight changes to what Steve did. Here's what I did:
* Created a new virtual directory called "Scripts".
* I pointed the virtual directory to the file directory on the web server that contains the same old ASP script I was using before, except now I used a UNC path, tricking IIS into thinking that I am referring to a remote share.
* The virtual directory was configured with the UNCUserName and UNCPassword of the static domain account I was trying to use (the variables are set transparently through the options in the properties window for the share... meaning I didn't edit the metabase manually).
* Disabled anonymous access on the virtual directory and enabled Windows Integrated Authentication.
The LOGON_USER request variable contains the domain username of the client, but the script runs under the static domain account, exactly as I wanted it to.
I appreciate your help Steve and Tom. I'm definitely glad to have this resolved.
Wednesday, December 12, 2007 9:07 AM -
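The vdir configuration described in the post above, written out as an IIS 6 ADSI script. This is an added example, not code from the thread or from Microsoft; the site id (1), the share name, the service account and the password placeholder are assumptions. AuthFlags 4 is the metabase value for Windows Integrated (NTLM) authentication only, matching the AuthFlags: 4 shown earlier in the thread.

```vbscript
' Added example: create/configure a "Scripts" vdir that maps to a UNC path
' and opens it with a static account (UNCUserName/UNCPassword), while the
' client is still identified via Windows Integrated Authentication.
' Assumptions: site id 1 (Default Web Site); share, account and password
' are hypothetical placeholders.
Option Explicit

Const AUTH_ANONYMOUS = 1   ' metabase AuthFlags bit: anonymous access
Const AUTH_NTLM      = 4   ' metabase AuthFlags bit: Windows Integrated only

Dim strSitePath, strVDirName, strUncPath, strUser, strPass
strSitePath = "IIS://localhost/W3SVC/1/Root"
strVDirName = "Scripts"
strUncPath  = "\\WEBSERVER\ScriptsShare"        ' hypothetical UNC path to a local share
strUser     = "mydomain\StaticServiceAccount"   ' hypothetical static domain account
strPass     = "<password-placeholder>"

Dim oRoot, oVDir
Set oRoot = GetObject(strSitePath)

' Reuse the vdir if it already exists, otherwise create it
On Error Resume Next
Set oVDir = GetObject(strSitePath & "/" & strVDirName)
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    Set oVDir = oRoot.Create("IIsWebVirtualDir", strVDirName)
End If
On Error GoTo 0

' A UNC Path makes IIS treat the content as remote, so it opens it with the
' UNCUserName account instead of the client's (undelegated) token
oVDir.Path        = strUncPath
oVDir.UNCUserName = strUser
oVDir.UNCPassword = strPass

' Anonymous off, Windows Integrated on: LOGON_USER carries the client's name,
' but file access from the script happens under the static account
oVDir.AuthFlags    = AUTH_NTLM
oVDir.AccessRead   = True
oVDir.AccessScript = True
oVDir.SetInfo

' Read back and confirm anonymous access is really off on this vdir
If (oVDir.AuthFlags And AUTH_ANONYMOUS) <> 0 Then
    WScript.Echo "WARNING: anonymous access still enabled on " & strVDirName
Else
    WScript.Echo "Configured " & strVDirName & " -> " & strUncPath & _
                 " with AuthFlags=" & oVDir.AuthFlags
End If
```

Run it with cscript on the IIS 6 server as an administrator; the static account only needs NTFS/share rights on the script directory plus whatever remote share the ASP script writes to.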
User1073881637 posted
Glad you got it working. I'm a little confused on what you mean tricking IIS. Does the 'Scripts' vdir have a local path "d:\domains\example.com\foldername" or a UNC path?
Wednesday, December 12, 2007 12:47 PM -
User-363534632 posted
The path is a UNC path to a local directory; I meant I "tricked" IIS into thinking it was looking at a remote share by specifying it as a UNC path. ASP scripts in the Scripts vdir run under user permissions when I use a local path, as you can imagine.
Thursday, December 13, 2007 7:34 AM -
User-823196590 posted
I would have thought that changing the app pool account for this would have handled it. The fake UNC path shouldn't be necessary.
Thursday, December 13, 2007 8:47 AM -
User-363534632 posted
I would think that as well Tom. After several tries I couldn't get it to work though. Dunno.
Friday, December 14, 2007 7:47 AM