
We have our servers at the server farm in a domain. Let's call it LIVE.

Our developer computers live in a completely separate corporate domain, miles and miles away. Let's call it CORP.

We have a large central storage unit (unix) that houses images and other media needed by many webservers in the server farm. The IIS application pools run as (let's say) LIVE\MediaUser and use those credentials to connect to a central storage share as a virtual directory, retrieve the images, and serve them as if they were local on each server.

The problem is in development.

On my development machine, I log in as CORP\MyName. My IIS 6 application pool runs as Network Service. I can't run it as a user from the LIVE domain because my machine isn't (and can not be) joined to that domain.

I try to create a virtual directory, point it to the same network directory, click Connect As, uncheck the "Always use the authenticated user's credentials when validating access to the network directory" checkbox so that I can enter the login info, enter the credentials for LIVE\MediaUser, click OK, verify the password, etc.

This doesn't work. I get "HTTP Error 500 - Internal server error" from IIS.

The IIS log file reports sc-status = 500, sc-substatus = 16, and sc-win32-status = 1326.

The documentation says this means "UNC authorization credentials are incorrect" and the Win32 status means "Logon failure: unknown user name or bad password."

This would be all and good if it were anywhere close to accurate. I double- and trouble-checked it. Tried multiple known good logins. The IIS manager allows me to view the file tree in its window, it's only the browser that kicks me out.

I even tried going to the virtual directory's Directory Security tab, and under Authentication and Access Control, I tried using the same LIVE domain username for the anonymous access credential. No luck.

I'm not trying to run any ASP, ASP.NET, or other dynamic anything out of the virtual directory. I just want IIS to be able to load static images, css, and js files.

If anyone has some bright ideas I would be most appreciative!

David Boike

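The 500.16 / win32 1326 pattern described above is easy to spot in the W3C log once the status columns are mapped by the #Fields header. The following is an added example, not part of the original question; the log lines are constructed to match the IIS 6 default field layout, and the code meanings are the ones quoted from the documentation in the question.

```python
"""Triage IIS W3C extended log lines for UNC-authorization failures (500.16)."""
from collections import Counter

# Constructed sample log in the IIS 6 default #Fields layout (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-06-28 16:50:01 10.0.0.5 GET /media/logo.png - 80 - 10.0.0.9 Mozilla/5.0 500 16 1326
2012-06-28 16:50:02 10.0.0.5 GET /media/site.css - 80 - 10.0.0.9 Mozilla/5.0 500 16 1326
2012-06-28 16:50:03 10.0.0.5 GET /index.htm - 80 - 10.0.0.9 Mozilla/5.0 200 0 0
2012-06-28 16:50:04 10.0.0.5 GET /media/missing.js - 80 - 10.0.0.9 Mozilla/5.0 404 0 2
"""

# Meanings as quoted from the IIS documentation in the question.
SUBSTATUS_MEANING = {(500, 16): "UNC authorization credentials are incorrect"}
WIN32_MEANING = {1326: "Logon failure: unknown user name or bad password"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                    # other directives / blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                    # cannot map this line onto the header
        yield dict(zip(fields, values))


def unc_auth_failures(text):
    """Return (uri-stem, substatus meaning, win32 meaning) for every 500.16 request."""
    hits = []
    for rec in parse_w3c(text):
        key = (int(rec["sc-status"]), int(rec["sc-substatus"]))
        if key in SUBSTATUS_MEANING:
            win32 = int(rec["sc-win32-status"])
            hits.append((rec["cs-uri-stem"], SUBSTATUS_MEANING[key],
                         WIN32_MEANING.get(win32, "win32 status %d" % win32)))
    return hits


def failures_by_path(text):
    """Count 500.16 failures per URI stem, to see which virtual directory is affected."""
    return Counter(path for path, _, _ in unc_auth_failures(text))
```

Feeding a real ex*.log file to `failures_by_path` shows whether the failures are confined to the UNC-backed virtual directory, which separates a credential or token problem from a site-wide fault.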
4 Answers

1

I agree with not joining the CORP machine to the LIVE domain, but is there any reason you cannot establish a one-way trust between them? Basically, either LIVE needs to be able to validate CORP\user, or CORP needs to be able to successfully pass a LIVE\user credential (which it cannot if it has no knowledge of that domain, even though IIS 6's management console doesn't make this too clear).

Essentially the domains have to have some knowledge of each other, so AD can do its thing. The UNC share isn't telling you it's not validated (that would be a HTTP 400 class error). The DEV server is telling you (via 500.16) that it cannot create a token for the creds you gave it, b/c it has no idea what the LIVE domain is, so Kerberos can't create a token for it.

TechNet on HTTP 500.16: ...

to do this, IIS uses a Windows logon API to obtain a security token that it can use to impersonate a security identity when accessing the remotely stored content.

Taylor
  • While I'm sure this would solve the problem, it's a non-starter due to organizational (I don't exert any control over the CORP domain) and security considerations (that it may not be a good idea to have any sort of relationship between them AT ALL). – David Boike Jun 28 '12 at 16:53
1

I have had this problem before. Here are two suggestions, both of which are not ideal and may not even be possible in your environment:

  1. Have the files stored on a share on a non-domain server. That way both the live and development servers would be able to access them.

  2. Run a daily job to copy the necessary files from the live server to development (via FTP, FTPS or some other means).

Fred Jonas
  • #2 is untenable just because any replication delay would make development against it a nightmare. – David Boike Jun 28 '12 at 16:55
  • #1 on the other hand gives me another idea, now that I'm re-reading this months later: I'm having my IT director look into the possibility of creating a second CIFS endpoint with a different name not attached to the domain and operating off of the same file system. – David Boike Jun 28 '12 at 16:56
0

Ensure that the user account you are using to access the shared folder (e.g. LIVE\MediaUser) has permission to "Log on as a service" and "Access this computer from the network".

You set this up on the server hosting the shared folder, in:

Administrative Tools -> Computer Management -> Local Security Settings -> Local Policies -> User Rights Assignment

  • Unfortunately it is an EMC storage system, not Windows, so this really doesn't seem to apply in my case, but it might be helpful to people who are. – David Boike Jun 28 '12 at 16:50
0

I've solved this problem by using a domain user as the Anonymous user that is allowed to access the remote share on the Domain Controller. It works fine.

Sincerely