I'm trying to set up a website on an external web server (IIS 6 on Win 2k3) such that:

  • Anonymous access is denied
  • Users have to log in with their Active Directory username / password
  • I can grant specific permissions to specific users in Windows Explorer

I think I have correctly established a VPN connection between the two servers. In fact the IIS side of it works! However, in Windows Explorer, when I click on the Security tab, I cannot see the AD domain, so I cannot search for the users I need to grant permissions to.


EDIT: Per mfinni, I am adding more detail:

In IIS 6, I can go to a website > Properties > Directory Security > Authentication and Access Control. I can then uncheck "Enable anonymous access," check "Basic Authentication," and then for the "Default Domain" I can click on "Select...". In the popup that appears, I can see the domain! Moreover, when I choose the domain, my website now requires me to authenticate, and the credentials stored in the remote Active Directory work.

On the other hand, I also need finer control over individual files and folders, as I need to grant filesystem permissions to individual AD users. In Windows Explorer (Windows 2003), I right click on a folder, choose the "Security" tab, and click "Add...". This brings up the "Select Users or Groups" dialog. Under "From this location" I see the name of the local machine. This is where the problem is. If this were configured correctly, I would be able to click "Locations..." to see a list of AD domains. However, all I see is the name of the local machine.

anonymous

1 Answer

If the IIS machine isn't in the domain (or in a domain that trusts your internal domain), this won't work. If it's in the domain, then your VPN tunnel isn't set up right.

Edit with new info in question - Windows Explorer will only show you users and groups from domains that it knows about: either its own domain, or trusted domains. Is your IIS machine in this domain or a trusting domain?

Further edit - I think there's something wrong with your connection to the domain. Check the event logs on the IIS server.

mfinni
  • I apologize, but I am new to all of this, so I don't understand what you're telling me to do here. I *almost* have it working, since IIS can "see" the domain. It's just Windows Explorer that doesn't. – anonymous Jun 13 '11 at 22:09
  • You need to better explain what you mean by that. How does IIS see the domain? In what part of the GUI are you talking about? – mfinni Jun 14 '11 at 01:28
  • @mfinni -- I've added more detail to my original question. Thank you! – anonymous Jun 14 '11 at 15:21
  • @mfinni -- On the IIS machine, I went to System Properties > Computer Name > Change. Under "Member of" I chose "Domain" and typed in the AD domain. I then restarted the machine. Had I missed any steps? – anonymous Jun 14 '11 at 15:26
  • Did you do that just now, or had you done it already? – mfinni Jun 14 '11 at 16:11
  • I had already done this prior to asking the question. – anonymous Jun 14 '11 at 17:06
  • OK - then there's something wrong with your connection to the domain. Check the event logs on the IIS server. – mfinni Jun 14 '11 at 17:16
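
The checks raised in the answer and comments (is the IIS machine really a domain member, can it reach the domain, what do the event logs say), as an added PowerShell example that is not part of the original thread. It assumes PowerShell is installed on the IIS server and that `nltest.exe` is available (on Windows Server 2003 it comes with the Support Tools); the function name `Test-DomainConnection` is hypothetical.

```powershell
# Added example: run on the IIS server from an administrator PowerShell prompt.
function Test-DomainConnection {
    param([int]$Days = 7)   # how far back to look in the System event log

    # 1. Is the machine a domain member, and of which domain?
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    Write-Output "Computer     : $($cs.Name)"
    Write-Output "PartOfDomain : $($cs.PartOfDomain)"
    Write-Output "Domain/Group : $($cs.Domain)"
    if (-not $cs.PartOfDomain) {
        Write-Output "Not a domain member: the Locations dialog will list only the local machine."
        return
    }

    # 2. Can the machine locate a domain controller, and is its secure
    #    channel (machine account trust) to the domain healthy?
    #    Assumption: nltest.exe is on the PATH.
    Write-Output "--- Locate a domain controller ---"
    & nltest.exe "/dsgetdc:$($cs.Domain)"
    if ($LASTEXITCODE -ne 0) {
        Write-Output "No domain controller found: check name resolution and routing over the VPN."
    }
    Write-Output "--- Secure channel status ---"
    & nltest.exe "/sc_query:$($cs.Domain)"
    if ($LASTEXITCODE -ne 0) {
        Write-Output "Secure channel query failed: the domain join did not complete or is broken."
    }

    # 3. Recent NETLOGON errors and warnings in the System log, which is where
    #    failures to reach or authenticate to a domain controller are recorded.
    #    Filtering with Where-Object keeps this compatible with older PowerShell.
    Write-Output "--- NETLOGON errors/warnings, last $Days day(s) ---"
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName System -Newest 5000 |
        Where-Object {
            $_.Source -eq 'NETLOGON' -and
            $_.TimeGenerated -gt $since -and
            ($_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning')
        } |
        Select-Object TimeGenerated, EntryType, EventID, Message |
        Format-List
}

Test-DomainConnection
```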