Digest access to UNC share

Digest access to UNC share Alan van der Vyver
4/29/2005 12:00:00 AM
Hi!

I am trying to set up webDAV folders using digest authentication. The
event log shows the account authenticating correctly and everything
works when trying to access a folder that is on the web server, but when
trying to access a folder on another machine through a UNC name, after 3
attempts, IIS returns:

"You are not authorized to view this page - You do not have permission
to view this directory or page due to the access control list (ACL) that
is configured for this resource on the Web server."

This occurs, even if the authenticating account is a domain
administrator. It is also clearly not a straightforward permissions
problem, because the account has access when using basic authentication.

It is almost as if IIS does not have enough or the correct information
to complete the network request when using digest authentication, but
somehow does have what it needs for local access.

Any help would be appreciated.

regards,
Re: Digest access to UNC share Alan van der Vyver
4/29/2005 5:11:24 PM

In fact, the event log shows the web server attempting an anonymous
Re: Digest access to UNC share David Wang [Msft]
4/29/2005 8:01:48 PM

Actually, this is a very straightforward problem. The concept you are
missing is "delegation".


Here is the basic problem. Assume that the remote user authenticates to the
front-end web server using some user identity. Why should the front-end web
server be able to re-use that user identity to access resources on another
server unknown to the remote user?

Before you scoff at the question by saying "why, that's what most websites
do", consider a more pointed example. Suppose a user authenticates to the
web server; why should the web server be able to use your identity to
withdraw all the money from your bank?

Both examples are exactly the same thing to the web server, yet clearly you
want one to happen and the other NOT to happen. How you control this is
through delegation and using an authentication protocol that supports
delegation.

Basic authentication is implicit delegation. It passes the username/password
to the server, who can use it at will. The user only hopes that the server
doesn't do something bad with the implicit trust. Kerberos supports
delegation. NTLM/Digest do not support delegation. This should explain what
you are seeing.

Here is a URL that explains a bit more:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Thus, if you want the client to use digest and also want delegated access to
backend UNCs, an easy solution is to use Windows Server 2003 and protocol
transition to do this securely. Of course, you can always re-invent the
wheel by implementing your own custom authentication protocol instead of
using the openly designed Kerberos protocol, but then you are in charge of
all the security details.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

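The point David makes above (Basic hands the server a reusable cleartext secret; Digest hands it only a proof bound to one nonce, method and URI) can be shown with a few lines of Python. This is an added illustration, not code from the thread or from IIS; it uses a generic RFC 2617 Digest exchange without qop, and all names, the realm, the nonce and the password are constructed sample values.

```python
import base64
import hashlib
import secrets

# Constructed sample values; not taken from the original thread.
REALM = "example.local"
USER = "alice"
PASSWORD = "correct horse battery staple"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # normally server-generated
METHOD, URI = "PROPFIND", "/webdav/share/"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def basic_credentials_seen_by_server(user, password):
    """Basic auth: decoding the header leaves the web server holding the
    cleartext password, which is exactly the 'implicit delegation' that lets
    it reuse the credential against any backend (UNC share, bank, ...)."""
    header = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user_seen, password_seen = decoded.split(":", 1)
    return user_seen, password_seen


def digest_response(user, password, realm, nonce, method, uri):
    """Client side of RFC 2617 Digest (no qop): MD5(HA1:nonce:HA2).
    The password never leaves the client; only this bound proof is sent."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1, response, nonce, method, uri):
    """Verifier side: recompute from the stored HA1 and compare in constant
    time. Because nonce, method and URI are mixed in, the same response is
    useless for a different resource or a fresh nonce, so the web server
    cannot 'forward' what it received to another machine."""
    ha2 = md5hex(f"{method}:{uri}")
    expected = md5hex(f"{stored_ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    print(basic_credentials_seen_by_server(USER, PASSWORD))
    ha1 = md5hex(f"{USER}:{REALM}:{PASSWORD}")
    resp = digest_response(USER, PASSWORD, REALM, NONCE, METHOD, URI)
    print(digest_verify(ha1, resp, NONCE, METHOD, URI))          # original request
    print(digest_verify(ha1, resp, NONCE, METHOD, "/other/"))    # replayed elsewhere
```

The first call returns the user's cleartext password, the second returns True, and the replay against a different URI returns False; a Kerberos service ticket with delegation is what lets a front end obtain a fresh, legitimately scoped credential for the backend instead.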
Re: Digest access to UNC share Alan van der Vyver
5/1/2005 12:00:00 AM
Hi!

Thanks very much for the information. The article is interesting and I
might even try to work through the configuration one day, but I decided
to go back to the basics and found I could not even make WebDAV work
satisfactorily that way, so I have decided to abandon it. It looks like
a promising technology that does not really work.

Even with open anonymous access, although I can create a web folder
across the Internet from Windows 2000, I can't from Windows XP. Windows
XP still requires a user name and password of some sort and no user name
and password combination works. Since most of our remote staff use
Windows XP, that renders it useless.

regards,
Re: Digest access to UNC share David Wang [Msft]
5/2/2005 1:34:57 PM
You mean you cannot get WebDAV of a UNC share working when you use Pass-thru
Basic authentication? This should work on IIS6 by default, and it takes a
bit more tweaking on IIS5.

URL (talks about IIS6, but same concepts apply to IIS5 and has a bunch of
related URLs):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Re: Digest access to UNC share Alan van der Vyver
5/3/2005 12:00:00 AM
David,

Once again you have found an interesting article. Thank you.

I found I was not able to connect to a WebDAV folder across the Internet
from Windows XP at all - even if the folder was configured for pass-thru
basic authentication or even no authentication (anonymous). Windows 2000
was working fine in both cases.

Windows XP was asking for a user name and password, even with anonymous
access and was rejecting every user name and password combination I
supplied.

In the end, while researching whether I might have better luck with
WebDAV on Apache, I found an article that referred to Microsoft knowledge
base article 298353. This was useful in that it confirmed the problem,
but was otherwise the singularly most useless knowledge base article I
have come across as it provides neither resolution nor work-around nor a
time frame for one. It conveys the distinct sense of "It's broken. Tough!
Live with it!"

Fortunately, the same article that referred me to the knowledge base
provided a work around - add "/." or "/#" to the WebDAV URL when
creating the web folder in Windows XP. The full article can be found at
http://www.atarex.com/services/support/webdav-msft.shtml.

Using that, I can make Windows XP work, so I will revive the project at
some point in the future and make use of the delegation information you
supplied earlier. I am running out of time now. I will make use of FTP
in the meantime.

regards,
Alan.

Re: Digest access to UNC share David Wang [Msft]
5/4/2005 1:40:59 PM
You need to first get WebDAV+Basic on local Filesystem working first. Then,
change it to UNC share. Finally, change authentication scheme. The URL I
gave previously should get all this working on IIS6. Some slight adaptations
have to be made for IIS5 since it doesn't support pass-thru as nicely, nor
does it support protocol transitioning (so it is Kerberos or nothing).

WebDAV is basically a protocol over HTTP, so you are really looking at
proper web-server configuration to support your scenario. There are also two
different WebDAV clients, one within Windows and the other within IE, both
with different sets of capabilities.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//