
iis security : Access of images on file server


MJ
11/6/2003 2:43:31 PM
I have a web server setup on a DMZ with an ASP
application that is trying to access JPEGs on a file
server that is not on the DMZ. I have a mapped drive
setup on the web server pointing to the location of the
JPEG images. When the pop-up appears within the ASP
application that shows the JPEGs that are available,
there are no hyperlinks to those JPEG files (this should
be the case if things are setup properly). Everyone
(including the anonymous account for this web server) has
access to the folder with the JPEGs on the file server.
What might I be missing here? Both anonymous and Windows
Integrated Authentication are checked in the Internet
Services Manager for the properties of this new site.
David Wang [Msft]
11/6/2003 8:17:45 PM
Mapped drives are generally a bad idea because the drive letter of the
mapping exists only for your identity and not for the web server's identity.
Use a real UNC filepath instead.

Read this article on how to configure ACLs on a UNC setup.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/RemStorg.asp

In your case, I would pay special attention to the fact you are crossing a
DMZ boundary -- make sure that the internal firewall isn't blocking the web
server access to the file server (though if the web server in the DMZ is
able to access a file server not in the DMZ... I think the file server might
as well be in the DMZ...).

In particular, I think your problem is that because Windows Integrated
Authentication is not delegatable, unless you've configured a specific UNC
User on both web server and file server, it's all going to fail. And in the
case of a specific UNC User or Anonymous user, unless that user account is a
domain account, you will need to create the same identity on both web server
and file server such that their credentials match (i.e. IUSR on the
webserver is not the same as IUSR on the fileserver unless you've sync'd
their password and username). Then, you need to make sure that this
identity has both NTFS ACL to read the content AND that the UNC fileshare
allows that identity to at least read the content AND that the web server is
actually hitting your content as that user.

At the end of the day, it comes down to:
1. What user identity is the web server going to use to access the file
server (i.e. configured UNC Username, or always Anonymous user, or passthru
authentication with sufficient setup)
2. Can the user credentials hop off the web server to the file server?
Windows Integrated Authentication cannot, without delegation. Basic sends the
username/password insecurely, so it can hop.
3. What authorization is given to the user identity on the file server, at
both the UNC share level and the NTFS file level

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
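The three points David lists (which identity makes the hop, whether its credentials are accepted on the far side, and share plus NTFS authorization) map onto a short administration script. The following is an added example, not code from the thread or from Microsoft: it uses a dedicated "UNC user" mirrored on both machines, grants it read at both the share and NTFS layers, binds the IIS virtual directory to a real UNC path with that identity, and finishes with a check that the identity can actually reach the share from the web server. All names (IMGFS, the Images share at D:\Images, svc_imgread, "Default Web Site", the images virtual directory) are placeholders, and it assumes PowerShell 5.1 with the LocalAccounts, SmbShare and WebAdministration modules (IIS 7 or later) rather than the 2003-era Internet Services Manager.

```powershell
<#
  Added example, not from the original thread. Configures the UNC setup
  described above: one fixed "UNC user" mirrored on both servers so the
  credentials match, read access at the share AND NTFS level, and IIS told
  to use that identity for a UNC-backed virtual directory.

  Placeholders (assumptions, not from the thread): file server IMGFS exports
  share "Images" from D:\Images; the site is "Default Web Site"; the service
  account is svc_imgread. Needs PowerShell 5.1 with the LocalAccounts,
  SmbShare and WebAdministration modules (IIS 7+).

  Run once with -Role FileServer on the file server, then with -Role
  WebServer on the web server, typing the same password both times.
#>
param(
    [Parameter(Mandatory)][ValidateSet('FileServer', 'WebServer')][string] $Role,
    [string] $UncUser   = 'svc_imgread',
    [string] $UncShare  = '\\IMGFS\Images',
    [string] $ShareName = 'Images',
    [string] $LocalPath = 'D:\Images',
    [string] $SiteName  = 'Default Web Site',
    [string] $VDirName  = 'images'
)

$pw = Read-Host -AsSecureString "Password for $UncUser (must be identical on both servers)"

# Point 2: the credential has to be accepted on the far side. Without a domain
# account, that means an identically named local account with an identical
# password on each machine; IUSR on one box is a different SID and a
# different password from IUSR on the other.
if (-not (Get-LocalUser -Name $UncUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UncUser -Password $pw -PasswordNeverExpires `
                  -UserMayNotChangePassword -Description 'IIS UNC access to image share' | Out-Null
}

switch ($Role) {
    'FileServer' {
        # Point 3a: share-level permission. Read only; the web server never writes.
        Grant-SmbShareAccess -Name $ShareName -AccountName $UncUser -AccessRight Read -Force | Out-Null

        # Point 3b: NTFS permission on the folder behind the share. Both layers
        # must allow the identity; the effective right is the intersection.
        $acl  = Get-Acl -Path $LocalPath
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $UncUser, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $LocalPath -AclObject $acl
    }
    'WebServer' {
        Import-Module WebAdministration

        # Point 1: a real UNC path, never a mapped drive letter. A drive letter
        # lives in the logon session that created it, which is not the one the
        # worker process runs in.
        $vdir = "IIS:\Sites\$SiteName\$VDirName"
        if (-not (Test-Path $vdir)) {
            New-WebVirtualDirectory -Site $SiteName -Name $VDirName -PhysicalPath $UncShare | Out-Null
        }
        # Pin the identity IIS uses for the hop instead of relying on
        # pass-through of the (non-delegatable) Integrated auth token.
        $plain = [System.Net.NetworkCredential]::new('', $pw).Password
        Set-ItemProperty -Path $vdir -Name userName -Value $UncUser
        Set-ItemProperty -Path $vdir -Name password -Value $plain

        # Check: list the share *as that identity* from this box. If this fails,
        # IIS fails the same way, and the cause is the internal firewall, a
        # mismatched account/password, or the share/NTFS ACL, not the ASP code.
        $cred = [pscredential]::new($UncUser, $pw)
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c dir $UncShare" `
                      -Credential $cred -Wait -NoNewWindow
    }
}
```

The final `dir` run under the service account is the useful part: it separates "the web server cannot reach the share at all" (firewall or SMB blocked between DMZ and internal network) from "it can reach it but is denied" (account mismatch or ACL), which an ASP page that silently shows no links does not distinguish.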

Karl Levinson [x y] mvp
11/9/2003 7:53:38 AM
Since this is "just" jpeg images, I would consider somehow pushing /
replicating images from the jpeg server to the web server, possibly using
something other than NetBIOS Windows networking, instead of allowing your
web server to poke holes inbound through your firewall using NetBIOS.

