Problem in making DFS Sub-Structure available with HTTP on IIS 10.0

Question
-
User877943214 posted
Hi,
I want to make the "Projects" part of our DFS structure accessible by HTTP. (\\company.com\dfs\projects\...)
- I've installed IIS on Server 2019 (webserver.company.com)
- Set up an Application Pool "Projects" (No Managed Code / Classic / Identity is a Domain Technical User)
- Set up a WebSite "Projects" With Application Pool "Projects". Authentication: Anonymous Disabled; Windows Authentication Enabled (No Kernel Mode)
- Now I've added a Virtual Directory "Projects" which points to \\company.com\dfs\projects
In IIS Manager I can expand the DFS trees without any problems.
I can explore every folder.
I can browse it locally by URL (https://localhost/Projects/location/test) (it takes some time until I get the page).
But when I try to access https://webserver.company.com/projects/ from another computer, I always get a window for username / password. No matter what user I use, the window always reappears.
IIS Log Message:
2020-09-24 10:56:49 172.16.3.29 GET /projects/location/test/ - 443 Domain\user 172.22.77.16 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 3 5 11
Tried different things.. but with no success.
Any ideas?
Thanks in advance!
Thursday, September 24, 2020 11:04 AM
All replies
-
User-848649084 posted
Make sure your login account on the PC is a member of the domain and IE has Automatic Logon enabled. Try to set the application pool identity to Network Service. Make sure the remote computer is in the same LAN. Assign proper permissions to the shared folder.
Use Process Monitor to troubleshoot the issue:
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Refer to this link for more detail:
Friday, September 25, 2020 8:10 AM -
User877943214 posted
Login Account is Member of the Domain and has the necessary rights.
IE is configured for automatic logon.
Setting the application pool identity to "Network Service" doesn't change anything.
Computers can access the webserver on 80/443 (+smb).
Permissions are 100% fine.
I think this could be some kind of a "double hop issue", but I don't understand how to fix it.
Thank you
Tom
Friday, September 25, 2020 12:18 PM -
User-848649084 posted
You could refer to the link below for the double hop issue:
Wednesday, September 30, 2020 9:20 AM -
User877943214 posted
I have already found this thread.
The articles linked in this thread are 11 years old.
We already have a Server 2012 doing this job without problems, but we need to replace this server :/
But the same configuration doesn't work on Server 2019 :(
Wednesday, September 30, 2020 9:31 AM -
User-848649084 posted
Below are the links to the recent documents:
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Wednesday, September 30, 2020 9:37 AM -
User877943214 posted
Thank you so much.
The first link was a big step forward!
This led me also to this tool: https://docs.microsoft.com/en-us/archive/blogs/surajdixit/kerberos-configuration-manager-for-internet-information-services-server
This tool and a missing Delegation on the target Server does the trick!!
(Also helpful: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/constrained-delegation-access-denied)
So the problem is solved :-)
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Thursday, October 1, 2020 4:37 AM
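
The IIS log line quoted in the question already separates an authentication failure from the delegation problem the thread ends on. The following is an added example, not part of the original thread: it parses that line and classifies the 401. The field order is an assumption (the default IIS W3C field set), and `parse` and `triage` are hypothetical helper names.

```python
# Assumption: default IIS W3C logging fields, in their default order.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
          "sc-substatus sc-win32-status time-taken").split()

# The log line quoted in the question.
SAMPLE = (r"2020-09-24 10:56:49 172.16.3.29 GET /projects/location/test/ - 443 "
          r"Domain\user 172.22.77.16 "
          r"Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko "
          r"- 401 3 5 11")


def parse(line, fields=FIELDS):
    """Split one W3C log line into a dict; reject a wrong field count."""
    values = line.split()  # IIS writes spaces inside a value as '+'
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return dict(zip(fields, values))


def triage(entry):
    """Classify a 401 by whether IIS had already identified the caller."""
    status = (int(entry["sc-status"]), int(entry["sc-substatus"]))
    win32 = int(entry["sc-win32-status"])
    if status[0] != 401:
        return "not-a-401"
    if entry["cs-username"] == "-":
        # No identity logged: a handshake challenge or a failed logon.
        return "unauthenticated-challenge"
    if status == (401, 3) and win32 == 5:
        # 401.3 = denied by an ACL on the resource, 5 = ERROR_ACCESS_DENIED.
        # The caller was authenticated at the web server; opening the content
        # failed. With UNC content this is consistent with a double hop.
        return "authenticated-but-resource-access-denied"
    return "authenticated-other-401"


if __name__ == "__main__":
    entry = parse(SAMPLE)
    print(entry["cs-username"], entry["sc-status"] + "." + entry["sc-substatus"],
          "win32=" + entry["sc-win32-status"], "->", triage(entry))
```

A logged `cs-username` together with 401.3 means the browser-to-IIS leg worked, so the place to look is the hop from IIS to the file share, which is where the missing delegation reported in the last post sits.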