1

I am trying to setup a virtual directory in IIS7 to a network share folder, however I am getting access denied errors.

I have created a user on both servers with identical names and passwords, and given read+write permissions on the folder for that user, I have then used the 'Connect As' option on the virtual directory and selected my newly created user. I have also selected my new user for the application pool on both servers just to be sure.

I am using Process Monitor to monitor the files / folder, each time i try and access the virtual directory through a web browser I can see Access Denied on the file i am accessing. Process monitor recognises that I am using my newly created user too.

Is there anything more I need to do or check...i have read numerous forums which repeat the same information which I have tried.

The access denied error seems to be on a 'web.config' file in the virtual directory rather than the file I am accessing in the browser. I have tried with a barebones web.config file in the directory (with full permissions for my user) and also with no web.config file...same result.

UPDATE:

I get this when clicking 'Test Settings' on the VD basic settings option:

The server is configured to use pass-through authentication with a custom account to access the specified physical path. This account cannot access the path because the account does not have Read access. Grant the account Read access to the path and test these settings again.

However i have ensure my new user has full permissions on the networked machine.

Thank You, Paul

Paul Hinett
  • 1,205
  • 3
  • 11
  • 19

3 Answers3

1

Well i have got it working now, even though im not 100% sure how.

I removed all current shared connections to the network server using 'net use * /delete' on both machines...just to ensure that no connections were currently active.

Then created shared folders using the 'Share' option when right clicking a folder. Gave this folder the permissions for my new user...removed my virtual directory in IIS, created a new one using the shared folder ('//ip address/sharedfoldername/') instead of accessing it like before ('//ip address/c$/inetpub/sharedfolder/').

This worked and im not pulling my hair out any more...i beleive it may have been using authentication from a previous connection made (i mapped a network drive).

Thought I would post this in case anyone else has any issues.

Paul

Paul Hinett
  • 1,205
  • 3
  • 11
  • 19
0

You don't need to set up the user on both servers. Set up the user on the server that is sharing the files, and use SERVERNAME\Username for the login credentials when configuring IIS' Connect As settings.

Hyppy
  • 15,458
  • 1
  • 37
  • 59
  • I don't think that works under IIS 7. Edit: Paul said it better next: – TristanK Mar 21 '11 at 13:23
  • I beleive that only works if you are using a DOMAIN, i am simply using workgroups (both called Workgroup). – Paul Hinett Mar 21 '11 at 13:23
  • We use it to access a non-domain CIFS share on an EMC Celerra without a problem, as well as a share on a non-domain Windows 2003 server. Both are being accessed from a Windows 2008 R2 server. – Hyppy Mar 21 '11 at 13:37
  • when i try to add a user from another server, it says it can't find it...when i click location button, it only has the option of the local server. – Paul Hinett Mar 21 '11 at 13:40
  • Just type it in manually. If the files are being shared from ServerX and UserY has permissions to it, then the username should be "ServerX\UserY" – Hyppy Mar 21 '11 at 13:46
  • Hyppy it wont let me add a user like that, it says it can't find it. Tristan...what do you mean by a mirrored user account locally...i do have the same user setup on local machine and networked machine. In my browser i simply get 500 - internal server error though. I only see the access denied error in process monitor. I have tried enabling detailed errors on the VD but still get 500...could this be related? – Paul Hinett Mar 21 '11 at 13:57
  • Paul: I'd be tempted to try a Failed Request Tracing trace of the request, see what's happening and when from the request's perspective. The Access Denied might be a red herring. My comment about mirrored accounts was for Hyppy; I can't think of a way to get this working with the configuration he's described. Doesn't mean it doesn't work, just that I don't know how :) – TristanK Mar 21 '11 at 14:01
  • Just turned on failed request tracing, however nothing appears to be getting logged..no log file has been created. – Paul Hinett Mar 21 '11 at 14:15
  • If there's no file (and you've enabled failed request tracing and created a rule that'd catch any status output), the App Pool isn't getting to the request, meaning (most likely) the App Pool identity can't read that location. I'd sanity-check that the web.config file has NTFS permissions that include the app pool identity; otherwise, I'm stumped, I'd look at security event logs, WAS tracing. – TristanK Mar 21 '11 at 21:41
0

If you're requiring Windows Authentication, you may find that IIS is trying to impersonate the user. Does it work if you configure Anonymous authentication, and use the Application Pool Identity (which is the same user that has UNC permission, right?) as the anonymous user account?

TristanK
  • 8,953
  • 2
  • 27
  • 39
  • just tried using pass through authentication for the VD which uses the app pool user (my new user), still no luck. same access denied error in process monitor. – Paul Hinett Mar 21 '11 at 13:28
  • And Anonymous authentication for the client? If you're impersonating a user with Windows authentication in a Workgroup scenario, I think it's going to fail (NTLM = one hop only; no Kerb capability). – TristanK Mar 21 '11 at 13:31
  • Yes i beleive i am already using anonymous authentication...where would i check this in IIS7? on the authentication option in IIS on the site, or on my virtual directory? – Paul Hinett Mar 21 '11 at 13:34
  • Either - the closest setting is effective if they're both defined. – TristanK Mar 21 '11 at 13:42
  • yeah tried that, still exactly the same issue. – Paul Hinett Mar 21 '11 at 13:49