How do I configure IIS to allow access to network resources for PHP scripts?

Question

I am currently working on a PHP front-end that joins together a series of applications running on separate servers; many of these applications generate files that I need access to, but these files (for various reasons) reside on their parent servers.

If I, from the command line, issue a bit of script such as:

<?php
var_dump(glob("\\\\machine-name\\some\\share\\*"));

I will get the full contents of that directory, proving that there's no problem programmatically with PHP reading the contents of a UNC share. However, if I try to execute the same script from the web server, I get an empty array -- more specifically, if I use more explicitly functions designed to "open" a directory like it was a file, I get access errors.

I believe this to be a permissions issue, but I am not a server/network administrator type, so I'm not sure what I need to do to correct this and get my script running, and the links I've checked out have not been a terrible amount of help, perhaps due to my background, or lack thereof as far as IIS is concerned, coupled with the fact that we are not actually using .NET for this.

Relevant Stats: Windows Server 2008 Standard SP2 IIS 7.0 PHP 5.2.9

I will be connecting to two types of servers: a few other nearly-identical Server 2008 machines, and a machine running embedded XP.

Links that have not been particularly helpful but maybe I am just misreading:

• http://support.microsoft.com/?id=306158
• http://support.microsoft.com/kb/207671/EN-US/
• http://support.microsoft.com/kb/280383/

Answer 1

Your PHP application runs using a service account, and this is the user account whose credentials are used to access the network resources. The default for IIS is to use a local account of the web server for this, and that account doesn't have permissions to access network resources (because it's a local account).

You should configure the IIS application pool for your web site to run using a domain user account, and then give that user account the appropriate permissions on the network share.

If you don't have an Active Directory domain, or those two servers aren't member of it, things get a little more tricky, but it can be done anyway by creating two user accounts with the same usernames and passwords on both servers.

Answer 2

As you guessed this is a permissions problem... the user that the IIS worker process is running as is a local account on the machine (most likely IUSER_<MACHINENAME>), and that user isn't authenticated (nor does the acocunt even exist!) on the other machines you're trying to browse via UNC

Just as a test, you can go into IIS manager and change what the IIS service is running as for that website... I'm using terminology from Server 2003/IIS 6 though because I don't have a Server 2008 box handy right now. If you poke around in the IIS 7 manager you should be able to find where you can set the user that the worker process runs as.

Answer 3

If you are using "Windows Server 2008 Standard SP2 IIS 7.0", WHY do you read articles on Windows-es/IIS-es from the previous millenium?
You cannot have anything that those article "APLLIES TO:" sections describe, like IIS3.0-5.0 (mainly IIS 4.0), classic ASP (deprecated in 1999), deprecated FrontPage Extensions, ASP.NET.0-1.1 (C#.NET/VB.NET 2002) and context of workstations in workgroup!

Do you have AD/DC?

Plz read my answer to Impersonation NOT working - Network Share