IIS7 WEBDAV and UNC PATH to Windows File Servers

  • Question

  • User-388653480 posted

    Hi all, done a bit of searching and not been able to find an answer to this issue.

    I have a Windows 2003 Server with IIS6 and WebDAV. This server has virtual directories connecting to UNC share paths where users can log on and gain access to their files on our Windows file servers over the internet via HTTPS using Basic auth. I have the virtual directories set to "always use the authenticated user's credentials when validating access to the network directory", and all works nicely: users only gain access to folders they should.

     Also, these servers are all part of an Active Directory domain (except end clients connecting via HTTPS).

     Now I have read on this site about setting up WebDAV in IIS7 and I have attempted to set up pretty much the same configuration as above, with not a lot of luck. I did read about IIS7 wanting some path credentials to gain access to a UNC path but then using "user creds" for access, but this does not seem to be true in my case, so I figure I must be doing it wrong. I was hoping that pass-through would work, but of course I get an Error 500, and if I do give some path credentials it is that account it uses when browsing the folders, not the Basic creds I supply when I authenticate against IIS using Basic auth.

    Does anyone have a good URL or info for setting this up, or can anyone tell me what I could be doing wrong?

    As I have followed the instructions on this site I think I have everything required to run correctly. Also, a folder created locally on the IIS server with permissions works with no issues.

     Thanks

    Tuesday, October 14, 2008 10:47 PM

Answers

  • User-388653480 posted

     OK, a night's sleep does wonders.

     All sorted now.

    Of course maybe where I was reading didn't put it in, or maybe I just can't read, period.

    But for anyone else:

    Created an application pool, no managed code, set to run as a domain account with access to the UNC path, then turned the VDIR into an application running in this application pool.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, October 15, 2008 4:03 PM

All replies

  • User-167917759 posted
    Hi, I am trying to do exactly the same thing. Can you perhaps post a mini-guide with the steps you performed to get this working? Thanks!
    Tuesday, December 2, 2008 9:32 PM
  • User-388653480 posted

    OK, first off, in IIS7 you need to create a new application pool; I called mine WebDav.

    This application pool needs to be set to run "No Managed Code".

    You also need to set the identity of this application pool to a domain account with access to the server shares you want to display via WebDAV.

    I have a service account that is a domain admin, so I just used that account. So far I have not tested whether a non-domain-admin account will work, BUT I see no reason why it should not work as long as the account has access to the share (which, from memory, is the important thing).

    Also, in the application pool settings, set Load User Profile to False.

    Next will be to add the virtual directory and set the "Connect as" setting to Application user (pass-through).

    Final step is to then set the virtual directory as an application and use the application pool you have created above, and all should work.

    Tuesday, December 2, 2008 9:47 PM
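The mini-guide above, scripted with the WebAdministration module so the settings can be reproduced and checked. This is an added example, not the poster's own configuration; it assumes IIS 7.x with the WebDAV Publishing role service installed, and the pool name, service account, site, application name and UNC path are placeholders. One point worth making explicit about why the pool identity matters: IIS uses the pool identity to read configuration on the UNC share (the web.config at the share root that comes up later in this thread), while the files themselves are opened as the Basic-authenticated user, which is why an ordinary domain account with Read on the share root is enough and a domain admin is not needed.

```powershell
# Added example (not the original poster's configuration): the steps of the mini-guide above,
# scripted with the WebAdministration module on IIS 7.x with the WebDAV Publishing role service
# installed. Pool, account, site, application and UNC names are placeholders.
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

$poolName = 'WebDav'
$siteName = 'Default Web Site'
$appName  = 'student'
$uncPath  = '\\files\student$'            # share holding the home folders
# Ordinary domain account, not a domain admin: it only needs Read on the share root (and on the
# web.config there), because IIS opens the files as the Basic-authenticated user, not as the pool.
$cred = Get-Credential 'YOURDOMAIN\svc_webdav'

# 1. Application pool: No Managed Code, runs as the domain account, Load User Profile off.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value ''
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.loadUserProfile -Value $false

# 2. The virtual directory, created straight away as an application in that pool. Leaving
#    userName/password unset on it is what IIS Manager calls "Application user (pass-through)".
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName -PhysicalPath $uncPath -ApplicationPool $poolName | Out-Null
}

# 3. Authentication for this path: Basic on, Anonymous off (the site must be HTTPS-only, since Basic
#    sends the password base64-encoded, not encrypted). These sections are locked at server level,
#    so write them as a <location> in applicationHost.config rather than into a web.config on the share.
$loc = "$siteName/$appName"
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled -Value $true

# 4. WebDAV authoring on for this path, with one rule for authenticated users; the NTFS ACLs on the
#    share decide what each user actually gets to see. (Run this once: re-running adds a duplicate rule.)
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/webdav/authoring' -Name enabled -Value $true
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/webdav/authoringRules' -Name '.' -Value @{ users = '*'; path = '*'; access = 'Read,Write,Source' }

# 5. Checks: the pool identity and the application's pool as IIS sees them.
(Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel) | Select-Object identityType, userName, loadUserProfile
Get-WebApplication -Site $siteName -Name $appName | Select-Object path, applicationPool, PhysicalPath
```

Run it in an elevated PowerShell on the IIS server. The first request to the application will still fail with a 500 if the pool account cannot read the share root, so grant that NTFS Read (share permission plus NTFS) on the file server before testing; the per-user folders below it only need ACEs for the users themselves.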
  • User-167917759 posted
    Thanks for such a quick reply. I am going to try this very soon, but am concerned about using a domain admin account for the app pool. I'll write back with the results of trying to limit the rights of the pool. -jonathan
    Tuesday, December 2, 2008 10:54 PM
  • User-388653480 posted

     Sure. It does not use the "application pool" account for access to folders; it still uses the users' logons for access. No idea why they did this, but a normal account with access to the share should still work. Let me know; I do plan to change mine to an account with less access also.

     

    Cheers

     

    Tuesday, December 2, 2008 11:01 PM
  • User-1632447106 posted

    Hi guys, I am trying to do the exact same thing. I used to have home directories shared off a UNC path with WebDAV using IIS6 and 2003 Server. Now I want to port it over to 2008 and IIS7.

    Setup is as follows

    • 2008 server standard running IIS7
    • An application pool called "WebDAV" has been created and uses the account "domain\binduser". This user has read permission to the root of the share.
    • The virtual directory student has been created off the default web root. The physical path is \\files\student where all the home directories are stored.
    • The virtual directory is set to run using the WebDAV application pool.
    • Windows Authentication is turned on for student and all other auth methods are off.
    • Directory Browsing is turned on for student

    When I navigate to the page from any logged-in client in our network, the user authentication box comes up. The WebDAV site I am trying to host is in the intranet zone and I can confirm that the browser is sending the negotiation; I used Wireshark to see what was happening in the auth process and I can see all the Negotiate HTTP headers.

    If I access the site from the server it is hosted on using http://localhost/student it logs in fine and uses the logged in user account. If I access the site from the server but use its hostname instead (its called vpn) http://vpn/student I get the same authentication prompt as if I were a remote machine.

    As a test, I shared a directory C:\test on the web server and set it to the virtual path /test. I turned on Windows Authentication and turned off all other auth methods. I could access this share fine. The problems seem to only be happening with UNC shares. 

    Finally, if I use Basic authentication, I can log in successfully, regardless of whether I am accessing from the server or from another PC. Basic auth is not ideal as it will prompt the users for their auth details and not pass them through using Kerberos/NTLM (or whichever auth method Windows decides to use).

    I have read through many forums here and been googling for the last few days so this is really a last resort.

    Thanks in advance :D

    Thursday, March 5, 2009 9:47 PM
  • User-1632447106 posted

    I kinda figured it out. I thought I'd post it here for completeness sake.

    Kerberos was failing and not authenticating properly. I thought that IIS7 would change the authentication method to NTLM, but it kept failing on Kerberos and continued asking for a user name/password.

    I eventually ended up changing the website to bind to a different host name other than the name of the server. If you want to do Kerberos auth on a website under a different host name other than the one of the server the site is hosted on, you also need to use the setspn utility to add a Service Principal Name record to AD. Without this the auth will fail. E.g.: setspn -A HTTP/hostname.of.site realservername. The real server name needs to be the NetBIOS name of the server. After adding this record, authentication worked :D.

    I still don't know exactly why Kerberos wouldn't work using the default web site that was already set up with IIS7 and using the actual server name. I tried using the setspn utility like setspn -A HTTP/servername servername but this didn't work either.

    I also found out that the reason I could connect using localhost on the web server was because Internet Explorer always connects using NTLM rather than Kerberos, which was working fine.

    If you are still having issues, you can disable Kerberos completely and just use NTLM. This isn't available in the IIS server manager, but needs some manual work. Although not recommended, Google can help you out here.

    Tuesday, March 24, 2009 4:29 AM
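The SPN fix described in the post above, as an added example that is not the poster's own script: it checks for a duplicate registration before adding the SPN, then reads the two IIS settings that decide which account the SPN has to sit on. Host and server names are placeholders. Two caveats a practitioner would want alongside the post: a duplicate HTTP/<host> SPN on another account breaks Kerberos just as silently as a missing one, which is why the query comes first; and with Windows authentication the worker process only holds a network token for the user, so passing that identity on to a UNC share additionally needs the web server trusted for (constrained) delegation to the file server's cifs/ service. Basic authentication sidesteps that because IIS holds the password, which is why it "just works" in the post.

```powershell
# Added example, not from the poster above: registers the HTTP SPN for a site that answers on a
# name other than the server's own, then shows which account the SPN has to be on. Names are
# placeholders; run it as an account allowed to write SPNs (domain admin, or Validated write to SPN).
$siteHost   = 'webdav.school.local'   # host name in the site binding and in the URL users type
$serverName = 'VPN'                   # NetBIOS name of the IIS server (its computer account)
$spn        = "HTTP/$siteHost"

# A duplicate SPN (the same HTTP/<host> on two accounts) makes Kerberos fail silently, so query
# the forest first. setspn -Q prints "Existing SPN found!" or "No such SPN found."
$found = & setspn -Q $spn
if ($found -match 'Existing SPN found') {
    Write-Warning ("{0} is already registered:`n{1}" -f $spn, ($found -join "`n"))
} else {
    # -S adds only if no duplicate exists; the post uses -A, which does no such check.
    & setspn -S $spn $serverName
}

# Which account must hold the SPN depends on two IIS settings. With the IIS 7 defaults
# (useKernelMode=true, useAppPoolCredentials=false) the ticket is decrypted with the computer
# account, so the SPN belongs on the server, as above. If the pool runs as a domain account and
# kernel mode is off, or useAppPoolCredentials is on, the SPN must be on that domain account
# instead (setspn -S HTTP/<host> DOMAIN\<pool account>), which is the usual reason a site in a
# custom-identity pool keeps prompting while a plain one works.
Import-Module WebAdministration
Get-WebConfiguration -PSPath 'IIS:\' -Location 'Default Web Site/student' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' |
    Select-Object enabled, useKernelMode, useAppPoolCredentials

# Confirm the registration and, on a client after one request to the site, that a ticket for the
# service was actually issued (an NTLM fallback leaves no HTTP/<host> ticket in klist).
& setspn -L $serverName
& klist | Select-String -Pattern $spn
```

If klist on the client shows no ticket for HTTP/<host> after a successful logon, the browser fell back to NTLM (as the post observed for localhost), which is worth knowing before concluding that Kerberos is working.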
  • User-388653480 posted

    Hi, thanks for your input to my post. I hope you can all contribute; I am updating this with a question emailed to me and my response, as you may have something to add.

     This was sent to me

    I have an IIS7 web server with WebDAV. I have a secure site and an application under that site that points at the UNC path of my file server. Basic Authentication and Anonymous Auth are enabled.

    If I try to open a WebDAV folder (a subfolder of my application path, https://site.edu/student/accountname) the Basic auth challenge comes up and sometimes it will work just fine. Other times I type in the correct credentials and it comes back. After challenging me 3 times it gives up. It's completely random as well. Sometimes I can get in the first time. Sometimes it will ask me once and fail, then I'll wait 30 seconds, type in my credentials again and it will work. Sometimes it won't work at all no matter how many times I try.

     Any ideas?

    Much appreciated

    My response to this was.

     Hey there

    I have had this issue before, but with my old Windows 2003 server and WebDAV to a UNC share.

    Turns out it was a permissions issue on the file server.

    In my configuration I have a student file server with \\server\student$\a\b\abc, so if your username was, say, "bob12" then your share would be \\server\student$\b\o\bob12.

    bob12 was a student, so was part of a group called "STUDENT".

    What I had to do for WebDAV was the following: as per my instructions I had my WebDAV application running as an account WebDav; I had to ensure that this account had access to my share but also was able to read/modify the web.config that sat in the root of my share, e.g. \\server\student$.

    I also had to ensure that the group "STUDENT" had "List directory" permissions set on the "\b\o" directories but not set on the student's folder. I did this with a PowerShell script that set the permission inherited but then revoked the permission on the folder "bob12". I also have a PowerShell script that creates the user and folders, and part of that process is to revoke the "STUDENT" group permission from the user's folder.

    This should get over your issues with "Auth" and it keep coming back for the username and password; I found with mine that it was trying to "touch" the folder but didn't have the ACL set, so it would come back with the username and password box.

    P.S. I don't think you should have "Anonymous" set; it should be disabled and only "Basic" set.
     

     

    Wednesday, July 1, 2009 1:55 AM
  • User1078284431 posted

    Hello,

     I am the sys admin for a new school. I set up WebDAV web folders for faculty and staff departments but would also like to add it for students. I have some issues and one is with permissions. I am new to PowerShell. Would you be willing to share some more detailed information regarding the permission script?

    Thanks

    Thursday, July 30, 2009 10:59 PM
  • User-388653480 posted

    Hi there. As I am working full on all the time, please email me if you require help or follow me on Twitter. I have written a website that wraps around my WebDAV install, and I do use PowerShell but use icacls/cacls for permissions as per CMD.

     

     

    Wednesday, December 9, 2009 3:00 PM
  • User-1546925416 posted

    Thanks for the guide dkenna. Really appreciate it.

    Does anyone know if I can use variables in the UNC path, so that I can grant different users access to different shares? i.e.

    "\\server\share\%username%\MyDocuments"

    If not, is there another method that could be used?

    Thanks in advance.

    Paul

    Friday, January 1, 2010 11:59 AM
  • User-388653480 posted

     Hi there Paul

    Can't use variables. I have some source code that deals with mappings;

    I will go find it now and post it up.

     

    Cheers

     

    Thursday, January 28, 2010 2:02 PM
  • User-388653480 posted

    This is edited, as I have removed parts that deal with logos etc.

    Imports System.DirectoryServices

    ' Declarations the posted snippet left out (assumed here; set the LDAP path to your domain).
    Private ReadOnly ADC As New DirectoryEntry("LDAP://DC=yourdomain,DC=local")
    Private LogonUser As String
    Private name As String
    Private homedir As String
    Private filesrv As String

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If String.IsNullOrEmpty(LogonUser) Then
            ' Identity IIS authenticated (Basic auth over HTTPS), e.g. "yourdomain\bob12"
            Dim LogonName As String = User.Identity.Name.ToLower  'Request.ServerVariables("LOGON_USER").ToLower
            Dim RemoteIp As String = Request.ServerVariables("REMOTE_ADDR")
            ' Strip the domain prefix; compare in lower case because LogonName was lower-cased above
            Dim Position As String = LogonName.Replace("YOURDOMAIN\".ToLower, String.Empty)
            LogonUser = Position
            getdrives()
        End If
    End Sub

    Private Sub getdrives()
        Dim adds As New DirectorySearcher(ADC)
        ' Matches on CN, which in this environment equals the logon name; sAMAccountName is the
        ' attribute that always holds the logon name if your CNs are set differently.
        adds.Filter = "(CN=" & LogonUser & ")"
        Dim oResult As SearchResult = adds.FindOne
        If oResult Is Nothing Then Return   ' no such account: leave the link unset

        If oResult.Properties.Contains("givenName") Then
            name = oResult.Properties("givenName")(0).ToString()
        End If
        If oResult.Properties.Contains("homeDirectory") Then
            homedir = oResult.Properties("homeDirectory")(0).ToString()
        End If

        If User.IsInRole("DOMAIN\STAFF") AndAlso Not String.IsNullOrEmpty(homedir) Then
            ' \\server\staff$\a\b\abob becomes /STAFFH/a/b/abob under the WebDAV application STAFFH
            Dim part As String = homedir.ToLower.Replace("\\server\staff$\".ToLower, String.Empty)
            Dim part2 As String = part.Replace("\", "/")
            filesrv = "/STAFFH/" & part2
            hyplnk1.NavigateUrl = filesrv
        End If
    End Sub

     

    Thursday, January 28, 2010 2:16 PM
  • User-1546925416 posted

    Thanks dkenna,

    I really appreciate you posting the code up. It looks like that will really help. Can you advise how I would implement it?

    :-)

    Many thanks,

    Paul

    Friday, January 29, 2010 4:33 AM
  • User-388653480 posted

    Basically this is an ASP.NET page written in VB.NET.

    Create a default.aspx/default.aspx.vb using Visual Studio or Dreamweaver.

     You can create a link in default.aspx, e.g. hyplnk1.

     Of course this code depends on you having your home directory set in AD;

     however, it can be modified if this is not set in your AD but you do know your share paths.

    Ours are set using \\server\share\a\b\abill, where it's the first and second letters of the username for our folder structure,

    so if I have created a WebDAV point of STAFFH which = \\server\share, then when I do the query against AD I strip out the server name and just use the \a\b\abob as I showed in my last post.

    If you don't have this set in AD then using the lines below would give you the same effect:

    Dim a As String
    Dim b As String

    a = LogonUser.Substring(0, 1)
    b = LogonUser.Substring(1, 1)

    So I have just taken the first and second letter from the username, and of course my path would be

    filesrv = "/STAFFH/" & a & "/" & b & "/" & LogonUser

    I know some people do use the 1st letter of the user's first and last name for their folder structure, but if you have this information in AD then you can request and strip it in code also.

    This code is good if you also want to have instructions for your users on how to create a web folder, as you can display the path to their web folder instead of some general instructions.

    Here is a screenshot of mine.

    Monday, February 1, 2010 4:56 PM
  • User-388653480 posted

    I would also say that I do have one pitfall which I can resolve but just have not had the time, and that's in regards to directory listing: if they are in the root, e.g. \a\b\abob, and click parent they will see \a\b; however, I have cacls'd the permissions so they can't see anyone else's home drive and as such can not access it. Since most people use the site for a quick file grab or just instructions on mapping a web folder, it has not been an issue.

    Monday, February 1, 2010 5:04 PM
  • User-388653480 posted

    Hello,

     I am the sys admin for a new school. I set up WebDAV web folders for faculty and staff departments but would also like to add it for students. I have some issues and one is with permissions. I am new to PowerShell. Would you be willing to share some more detailed information regarding the permission script?

    Thanks

    Hi there

    cacls "$hmdir" /t /e /g "$domain\${usrn}:C"       # grant the user Change; cacls wants user:perm, not /g:user
    icacls "$hmdir" /setowner "$domain\$usrn" /T /C    # make the user the owner of the folder tree
    cacls "$hmdir" /r "$domain\$group" /t /e           # revoke the group's entry on the user's folder

    Where $hmdir is the PS value for directory or share path

    $domain = YOURDOMAIN

    $usrn = username

    I also have a revoke for the users group e.g if they are either say STAFF or STUDENT

     

    Monday, February 1, 2010 7:56 PM
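The two things this thread leaves as prose, the first-and-second-letter folder layout from the earlier reply and the "List directory on \b\o but nothing on the student's own folder" permission set from the emailed-question reply, put together in one provisioning script. This is an added example, not the poster's own script; share root, domain, group and account names are placeholders, and it uses the .NET ACL classes for the group and user entries and icacls (as in the post above) for the owner change. What it adds to the cacls lines above is the inheritance handling: the group's entry on the parent is "this folder only", so later folders never inherit it, and the user's folder is cut off from inheritance before the group is removed, so nothing reappears.

```powershell
# Added example, not the poster's own script. Provisions one home folder under the
# \\server\student$\<first letter>\<second letter>\<user> layout used in this thread and sets
# the ACLs the thread describes: the group may only list the parent, the user owns and may
# modify their own folder, and nothing for the group is inherited into it. Names are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$UserName,    # e.g. bob12
    [string]$Domain    = 'YOURDOMAIN',
    [string]$ShareRoot = '\\server\student$',
    [string]$UserGroup = 'STUDENT'                      # STAFF or STUDENT in the thread
)
$ErrorActionPreference = 'Stop'

$first   = $UserName.Substring(0, 1).ToLower()
$second  = $UserName.Substring(1, 1).ToLower()
$parent  = Join-Path (Join-Path $ShareRoot $first) $second     # \\server\student$\b\o
$homeDir = Join-Path $parent $UserName                         # \\server\student$\b\o\bob12
$groupAccount = "$Domain\$UserGroup"
$userAccount  = "$Domain\$UserName"

New-Item -ItemType Directory -Path $homeDir -Force | Out-Null

# 1. Parent (\b\o): the group gets ReadAndExecute on this folder only (InheritanceFlags None), which
#    is enough for the WebDAV client to list it and traverse into the user's own folder, while
#    nothing leaks down into other students' folders created later.
$listRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupAccount, 'ReadAndExecute', 'None', 'None', 'Allow')
$acl = Get-Acl -Path $parent
$acl.SetAccessRule($listRule)        # replaces any existing Allow entry for the group on this folder
Set-Acl -Path $parent -AclObject $acl

# 2. User folder: stop inheriting (keeping copies of the inherited entries), then drop every entry
#    for the group, grant the user Modify on everything below, and make the user the owner.
$acl = Get-Acl -Path $homeDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $homeDir -AclObject $acl

$acl = Get-Acl -Path $homeDir
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $groupAccount })) {
    [void]$acl.RemoveAccessRuleAll($ace)
}
$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $userAccount, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($userRule)
Set-Acl -Path $homeDir -AclObject $acl
& icacls "$homeDir" /setowner "$userAccount" /T /C | Out-Null   # same owner change as the post above

# 3. Check: the group must not appear on the user's folder any more, and the user must have Modify.
$final = Get-Acl -Path $homeDir
if ($final.Access | Where-Object { $_.IdentityReference.Value -ieq $groupAccount }) {
    throw "$groupAccount still has an entry on $homeDir"
}
$final.Access | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Run it on the file server (or from a host with admin rights on the share) as, for example, `.\New-StudentHome.ps1 -UserName bob12`. The application pool account's Read entry on the share root and on the web.config there, which the thread says the WebDAV pool needs, is a one-time grant at the root and is deliberately not touched here; the per-user folder only ever carries the user's own entry plus whatever administrators inherit.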
  • User-525142526 posted

    Hi dkenna,

    I followed your miniguide above, but ended up with a strange behaviour. Users can access the share over http and set up a network drive, they can browse through the directory and create files... but cannot open/read files. For more details see here: http://forums.iis.net/p/1185879/2009911.aspx

    Do you have any idea whats going wrong? thanks for any help!

    Friday, January 6, 2012 4:59 AM
  • User1112036436 posted

    I have an issue too, it's driving me up the wall.

    Basically, we can't authenticate to internal file shares set up for WebDAV via external clients. Our current setup is a newly installed member server in our DMZ running IIS 7.5 with a virtual folder pointing to our internal LAN file server.

     When logging onto the member server as Domain Admin (with PRP rights in the DMZ), all files are accessible for browsing from within IIS over port 80. However, authentication fails when attempting to log in to the Vodafone Data Wizard portal (a 3rd party app that manages our iDevices over SSL) which is configured to accept connections from mobile devices.

    The Vodafone Wizard is configured for SSO and the member server's machine account has read/write access to the internal file share. When logging onto the member server as local administrator and attempting to expand the virtual folder that points to the internal file server, the error message "Logon failure: unknown username or bad password." appears.

     It's probably worth noting that we've put an RODC into the DMZ (opened up all required ports) and the member server's secrets are cached on it. Also, the member server account is part of the PerimeterNetwork Allow and PRP Allowed groups in our AD.

    So far, I've tried:

    • Creating a separate Application Pool for WebDAV using No Managed Code with Classic pipeline.
    • Installed Application Development, URL Authorization and HTTP Redirection.
    • Gave Allow All Users rights to the server in .Net Authorization rules.
    • Gave Allow All Users rights to the server in IIS Authorization rules.
    • Enabled ASP.Net Impersonation on the server.
    • Checked requestFiltering exception was in place for WebDAV for write access to web.config.
    • Converted virtual folder to an Application.
    • Gave member server's machine account write access to the internal file share.
    • Directory Browsing is enabled.
    • Basic authentication works from the member server to the fileshare, tested using the browsing functionality in IIS.

    Stumped.

    Any help greatly appreciated!

    Tuesday, January 10, 2012 11:33 AM
  • User-388653480 posted
    Hey guys, checked my old work email to find your questions. Just letting you know I will read them and have a think about it; both may be related to permissions. One other thing I have found with folders and files is that if they have funny, non-HTTP-formed names you will be unable to open or access them. I am trying to think of an example of this, but since I am no longer at that job I don't have the jobs related to these issues any more. Also, one other thing is around allowing certain file types; so for example by default you can't open a .vb file. There is a way to allow this but I can't remember it off the top of my head.
    Wednesday, January 11, 2012 3:11 PM
  • User1112036436 posted

     Heya,

     Managed to solve our issue, http://support.microsoft.com/default.aspx?scid=kb;en-US;2545850

     That, AND our 3rd party vendor had their portal misconfigured. :/!

    Cheers!

    Friday, January 13, 2012 12:43 PM