iis security:
dhoops wrote:

Setup:
IIS 6.0, Windows 2003 SP1 server.
Web server and UNC server are on the same domain.
Using 'Integrated Windows' and 'Digest' authentication on both the Intranet site and the virtual directory on the web server.

Problem:
When trying to access a file on the virtual directory from outside the domain or on the domain I get the following message: "You are not authorized to view this page... You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the web server. HTTP error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource (IIS)."

If I access a file on the UNC from within the domain without using the virtual dir I have no problems. If I access a file on the UNC from outside the domain I get the message "Cannot find 'file://\\flnas01... rest of path' make sure the path or internet address is correct."

Any direction or insight would be appreciated!
--
Dave
David Wang wrote:

Can you describe what you are trying to do so that we can help you with correct configuration? It sounds like you have a web server and a NAS file server in your Intranet, and you are trying to make the files on the NAS file server available via the web server, to people both inside your Intranet and on the Internet.

The behaviors you describe are actually all normal and by-design.

> When trying to access a file on the virtual directory from outside the
> domain or on the domain I get the following message "You are not authorized
> to view this page...

This is because of "double hop" using NTLM with a UNC Virtual Directory. Lots of people hit this, and there are well documented ways to make this scenario work. Please search for those solutions.

> If I access a file on the UNC from within the domain without using the
> virtual dir I have no problems. If I access a file on the UNC from outside
> the domain I get the message "Cannot find 'file://\\flnas01... rest of path'
> make sure the path or internet address is correct.

This is because the name "flnas01" is not known to the computer/browser outside the domain.

If you got that error by clicking on a link on a web page, it means your web page content is incorrect because it has a UNC file reference (which is valid only on the Intranet OR if you expose the flnas01 server to the entire world outside your domain). If you want the web page to work outside the domain, you will have to find a suitable way to expose your flnas01 server outside the domain, which may not be what you want.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
dhoops wrote:

David,

Thanks for the reply. What you wrote below is exactly what I am trying to do... i.e. make files from the NAS file server available to users on the inside (Intranet) and from the outside (Internet) via our web server in general... These files are linked through pages on the web site.

It appears my security is not set up correctly?

--
Dave
David Wang wrote:

Thanks for the info. Some more requirements need to be gathered before determining the correct configuration.

- Your web pages cannot contain file:// or \\flnas01 links if you want it to work from Internet.

If your web page MUST contain file:// or \\flnas01 links, then you will need to open more holes in the firewall to allow RPC and UNC ports as well as publish your flnas01 server to be accessible via the Internet. Obviously, this sort of web page does NOT do what you want - make files on NAS server available via Web Server (instead, it is making your NAS server available via the Internet because your Web Server exposed its name), and this approach is also heavily discouraged due to security concerns.

It is easier and safer to configure a UNC vdir on IIS to point to \\flnas01 UNC shares on NAS, and for your web pages to use http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD OF \\flnas01 links). This single page will work from both Intranet and Internet with minimal security concerns.

If you do the above, but you want to optimize Intranet traffic to not go through http://public.webserver.IP.address/unc-vdir, then you should create two websites, one internal and the other external. This takes more effort to maintain, and your router may not be smart enough to support it.
- Internal website: web page uses \\flnas01 links, and bound to http://internalWebServer
- External website: web page uses http://public.webserver.IP.address/unc-vdir links, and bound to http://public.webserver.IP.address

- In order for a vdir pointing to UNC share to work, it has to use an Authentication protocol that supports Delegation. NTLM/Digest do not, so your current failure is by-design. Choice of each protocol has its plus and minus, and correct choice depends on your needs. The following URL provides an excellent background and motivation:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

Applying that knowledge to your particular needs:
- Anonymous authentication works, but it means ALL users accessing NAS server via the web server appear as the configured Anonymous User on IIS, preventing repudiation (i.e. auditing who accessed what files on the NAS). You may not care about the auditing, in which case Anonymous authentication is easiest.
- Basic authentication works, but it passes username/password in the clear, so you must protect it with SSL. This means you have to purchase an SSL Server Certificate and maintain it. If you control all Web Browsers used by your users, you can avoid paying for SSL Server Certificate by creating your own SSL Certificate and inserting it into the Trusted Root Store of all Web Browser machines (remember, you can do this because you control all Web Browsers - if you do not control all Web Browsers of your users, this approach does not work effectively).
- Kerberos works, but it requires setting up Active Directory and configuring Delegation.

Since you want the solution to work both for Internet and Intranet, the following choices are simplest:
- If you want to expose NAS over Web Server and you do not care to know what user accessed which files (i.e. any user can access any file on the NAS), then use Anonymous Authentication on IIS, configure its Anonymous User to be a user that you also ACL the NAS UNC share.
- If you want to expose NAS over Web Server and you DO care about which user accesses which files (i.e. users can only access the files ACL'd to them on the NAS), then use Basic over SSL.
- If you want to expose NAS over Web Server, you care about which user accesses which files, and you have an Active Directory already, then configure Protocol Transitioning and you can use any authentication protocol on IIS (including NTLM).

There are other solutions, of more complexity, offering different security-based tradeoffs.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
dhoops wrote:

David,

Thanks for all this great info! I do have a couple of questions for clarity's sake:

1. When connecting to the NAS file via 'http://public.webserver.IP.address/unc-vdir/blahblahblah' links... should I actually be entering the following: 'http://public.webserver.IP.address' (where address is the IP address of the web server) + '/unc-vdir' (where unc-vdir is the name I give the UNC vdir on IIS, such as 'Public') + the rest of the path on the NAS drive?

2. Since we have Active Directory set up on our network, you said all I need to do is configure 'Protocol Transitioning' and then I can use any authentication protocol on IIS... Where do I configure 'Protocol Transitioning'?

Thanks-Dave
--
Dave
David Wang wrote:

1. Yes. Syntax works as http://server-to-communicate-HTTP-with/virtual-URI

So, you should give the public IP of the webserver handling the Website containing the UNC Vdir, and then the vdir mapping you provided (/Public goes to \\flnas01\...), and then the rest of the directory structure follows from that vdir mapping.

2. Read the NAS and IIS6 URL of my prior email. It has all necessary configuration details and links on how to configure.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
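The two mappings David describes above (rewrite \\flnas01 and file:// page links to http://public.webserver.IP.address/unc-vdir/... links, and the vdir-to-UNC resolution that IIS then performs for /Public), as an added Python example that is not part of this thread. It assumes the vdir "Public" maps to a constructed share \\flnas01\docs and a placeholder public host; it rewrites NAS hrefs in page HTML, reports links that would still expose the NAS name to Internet visitors, and resolves a request path back to the UNC file while refusing paths that climb out of the share.

```python
import re
from urllib.parse import quote, unquote

# Constructed placeholders for this example: the thread names the NAS "flnas01"
# and the vdir "Public"; the share name "docs" and the public host are assumptions.
PUBLIC_WEB_ROOT = "http://public.webserver.IP.address"
VDIR_TO_UNC = {"Public": ("flnas01", "docs")}   # vdir name -> (NAS server, share)

_UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]([^\\/]+)(?:[\\/](.*))?$")
_HREF_RE = re.compile(r'(href\s*=\s*")([^"]*)(")', re.IGNORECASE)


def parse_unc(link):
    """Return (server, share, [path parts]) for a UNC or file:// link, else None."""
    s = link.strip()
    if s.lower().startswith("file:"):
        # file://srv/share, file:////srv/share and file://\\srv\share all name a UNC path
        s = "\\\\" + unquote(s[5:].lstrip("/\\")).replace("/", "\\")
    m = _UNC_RE.match(s)
    if not m:
        return None
    rest = m.group(3) or ""
    parts = [p for p in re.split(r"[\\/]+", rest) if p]
    return m.group(1).lower(), m.group(2).lower(), parts


def unc_to_vdir_url(link):
    """Rewrite a NAS link to its public vdir URL; None if the share is not published."""
    parsed = parse_unc(link)
    if parsed is None:
        return None
    server, share, parts = parsed
    for vdir, (srv, shr) in VDIR_TO_UNC.items():
        if (srv.lower(), shr.lower()) == (server, share):
            return "/".join([PUBLIC_WEB_ROOT, vdir] + [quote(p) for p in parts])
    return None


def rewrite_html(html):
    """Rewrite UNC/file:// hrefs to vdir URLs.

    Returns (new_html, leaks): leaks lists NAS links that could not be mapped and
    would still expose the internal server name to Internet visitors."""
    leaks = []

    def _sub(m):
        target = m.group(2)
        if parse_unc(target) is None:
            return m.group(0)                 # ordinary http(s) link: leave untouched
        url = unc_to_vdir_url(target)
        if url is None:
            leaks.append(target)              # share has no vdir: report, do not publish
            return m.group(0)
        return m.group(1) + url + m.group(3)

    return _HREF_RE.sub(_sub, html), leaks


def vdir_path_to_unc(url_path):
    """Resolve a request path such as /Public/reports/q1.pdf to the UNC file behind the
    vdir. Returns None if no vdir matches or the path tries to climb out of the share."""
    parts = [unquote(p) for p in url_path.split("/") if p]
    if not parts:
        return None
    vdir = next((v for v in VDIR_TO_UNC if v.lower() == parts[0].lower()), None)
    if vdir is None:
        return None
    server, share = VDIR_TO_UNC[vdir]
    rel = []
    for p in parts[1:]:
        if p == ".":
            continue
        if p == "..":
            if not rel:
                return None                   # would escape the share root
            rel.pop()
            continue
        if "/" in p or "\\" in p or ":" in p:
            return None                       # separators/drive letters hidden by encoding
        rel.append(p)
    return "\\\\" + server + "\\" + "\\".join([share] + rel)


# Constructed sample page: three NAS links (one on an unpublished share) and one plain link.
SAMPLE_HTML = (
    '<a href="\\\\flnas01\\docs\\reports\\q1.pdf">Q1 report</a>\n'
    '<a href="file://flnas01/docs/policies/hr.doc">HR policy</a>\n'
    '<a href="\\\\flnas01\\private\\payroll.xls">Payroll</a>\n'
    '<a href="http://intranet/news.html">News</a>\n'
)

if __name__ == "__main__":
    fixed, leaks = rewrite_html(SAMPLE_HTML)
    print(fixed)
    print("still exposing the NAS name:", leaks)
    print(vdir_path_to_unc("/Public/reports/q1.pdf"))
    print(vdir_path_to_unc("/Public/../../windows/win.ini"))
```

Running the audit over the real site content before publishing it is what tells you whether any page still hands out the flnas01 name to outside visitors.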
dhoops wrote:

David,

Thanks for the feedback and direction on my 2 questions. I am in the process of making the changes and I have been reading the doc on configuring IIS with remote stored content. I'll let you know how it works out!

--
Dave
David,

Would you verify my following assumptions:

1. I want this to work so when users are on the inside (Intranet) they do not have to log in... which is how it currently works. When users are coming in from the outside (Internet) they will have to log in only once when they enter the site and not when they access a vir-dir file... Will this be OK if all my vir-dir (NAS) links have a public web address?

Since we are using Active Directory, can the above scenario be accomplished with 'Integrated Windows' authentication? Or 'Digest' authentication? Or do I need both turned on to make this work? I am reading the documentation but I'm just a little unclear on this aspect.

Thanks.
--
Dave

"David Wang" wrote:
> 1. Yes. Syntax works as
> http://server-to-communicate-HTTP-with/virtual-URI
>
> So, you should give the public IP of the webserver handling the Website containing the UNC Vdir, and then the vdir mapping you provided (/Public goes to \\flnas01\...), and then the rest of the directory structure follows from that vdir mapping.
>
> 2. Read the NAS and IIS6 URL of my prior email. It has all necessary configuration details and links on how to configure
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
> dhoops wrote:
> > David,
> >
> > Thanks for all this great info! I do have a couple of questions for clarity's sake:
> >
> > 1. When connecting to the NAS file via 'http://public.webserver.IP.address/unc-vdir/blahblahblah links'... Should I actually be entering the following: 'http://public.webserver.IP.address (where address is the IP address of the webserver)/unc-vdir (where unc-vdir is the name I give the unc-vdir on IIS, such as 'Public')/then the rest of the path on the NAS drive'?
> >
> > 2. Since we have Active Directory set up on our network you said all I need to do is configure 'Protocol Transitioning' and then I can use any authentication protocol on IIS... Where do I configure 'Protocol Transitioning'?
> >
> > Thanks-Dave
> > --
> > Dave
> >
> > "David Wang" wrote:
> > > Thanks for the info. Some more requirements need to be gathered before determining the correct configuration.
> > >
> > > - Your web pages cannot contain file:// or \\flnas01 links if you want it to work from Internet.
David,

I have broken through! Woo Hoo!!

My current authentication method on the Web Server is only set to Integrated Windows and I have configured Active Directory to have the Web Server delegate for all protocols...

When I tested from an outside address I only had to log on to the site and then accessing the file on the NAS drive worked with no additional logon.

When I tested internally I did not have to log on to the site, but when I accessed the file on the NAS drive I had to log on with my username and password to access the file... I said save my password and from that point on I did not have to log on again from the Intranet (internally).

Will other users have to do this or is there a config setting I can employ to avoid having a logon dialog pop up when accessing NAS files from the Intranet???

Thanks.
--
Dave
The reason you get a login popup from Intranet is because browsers do not auto-login to Internet addresses by default.

What is going on is this:
- From Internet - when you access http://public.webserver.ip/ , the web browser does not auto-login by default and pops up the login dialog box. After logging in, it eventually accesses a page with a NAS URL that looks like http://public.webserver.ip/UNC-vdir/SomeFile.ext , which falls under the authentication to http://public.webserver.ip/ hence no additional logins
- From Intranet - when you access http://internalWebServerIP/ , the web browser auto-logins by default for Intranet. After logging in, it eventually accesses a page with a NAS URL that looks like http://public.webserver.ip/UNC-vdir/SomeFile.ext . This dotted address is in Internet Zone by default and the browser does not auto-login, thus you get a login dialog box

In other words, using a NAS URL of http://public.webserver.ip/UNC-vdir/SomeFile.ext will always require a login dialog box regardless of where the user came from BECAUSE it is considered a dotted IP-address and a part of Internet Zone which does not auto-login.

I do not understand why you do not create NAS URLs using relative links that look like:
<A src="/UNC-vdir/SomeFile.ext">SomeFile.ext</A>

Because that is no longer a dotted-IP address and would fall under auto-login in Intranet and manual login on Internet.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Thanks David! I will try creating relative links for the UNC-vdir to resolve this issue.
--
Dave
David,

I like the idea of using the <a href="/unc-vdir/somefile.ext">SomeFile.ext</a>... Currently I use the following XML code to display the pages in question...

<node label="Email Contacts" url="http://public-ip-address/Public/IT information/Tips/Contacts - Keeping track.doc" />

And this works fine with the new security settings I've implemented, except for the unwanted logins in the Intranet scenarios... I need to find a way to embed the HTML code you've suggested in my XML code... I do not know the exact syntax, but I think you can use an element ![cdata[ ]] to accomplish this... Any thoughts?

-- Dave

"David Wang" wrote:
> The reason you get a login popup from Intranet is because browsers do not auto-login to Internet address by default.
>
> What is going on is this:
> - From Internet - when you access http://public.webserver.ip/ , web browser does not auto-login by default and pops up the login dialog box. After logging in, it eventually accesses a page with NAS URL that looks like http://public.webserver.ip/UNC-vdir/SomeFile.ext , which falls under the authentication to http://public.webserver.ip/ hence no additional logins.
> - From Intranet - when you access http://internalWebServerIP/ , web browser auto-logins by default for Intranet. After logging in, it eventually accesses a page with NAS URL that looks like http://public.webserver.ip/UNC-vdir/SomeFile.ext . This dotted address is in Internet Zone by default and browser does not auto-login, thus you get a login dialog box.
>
> In other words, using a NAS URL of http://public.webserver.ip/UNC-vdir/SomeFile.ext will always require a login dialog box regardless of where the user came from BECAUSE it is considered a dotted IP-address and a part of Internet Zone which does not auto-login.
>
> I do not understand why you do not create NAS URLs using relative links that look like:
> <A href="/UNC-vdir/SomeFile.ext">SomeFile.ext</A>
>
> Because that is no longer a dotted-IP address and would fall under auto-login in Intranet and manual login on Internet.
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
> dhoops wrote:
> > David,
> >
> > I have broken through! Woo Hoo!!
> >
> > My current authentication method on the Web Server is only set to Integrated Windows and I have configured Active Directory to have the Web Server delegate for all protocols...
> >
> > When I tested from an outside address I only had to log on to the site and then accessing the file on the NAS drive worked with no additional logon.
> >
> > When I tested internally I did not have to log on to the site, but when I accessed the file on the NAS drive I had to log on with my username and password to access the file... I said save my password and from that point on I did not have to log on again from the Intranet (internally).
> >
> > Will other users have to do this or is there a config setting I can employ to avoid having a logon dialog pop up when accessing NAS files from the intranet???
> >
> > Thanks.
> > -- Dave
> >
> > "David Wang" wrote:
> > > 1. Yes. Syntax works as
> > > http://server-to-communicate-HTTP-with/virtual-URI
> > >
> > > So, you should give the public IP of the webserver handling the Website containing the UNC Vdir, and then the vdir mapping you provided (/Public goes to \\flnas01\...), and then the rest of the directory structure follows from that vdir mapping.
> > >
> > > 2. Read the NAS and IIS6 URL of my prior email. It has all necessary configuration details and links on how to configure.
> > >
> > > //David
> > > http://w3-4u.blogspot.com
> > > http://blogs.msdn.com/David.Wang
> > > //
> > >
> > > dhoops wrote:
> > > > David,
> > > >
> > > > Thanks for all this great info! I do have a couple of questions for clarity's sake:
> > > >
> > > > 1. When connecting to the NAS file via ' http://public.webserver.IP.address/unc-vdir/blahblahblah links' ... Should I actually be entering the following: ' http://public.webserver.IP.address (where address is the IP address of the webserver)/unc-vdir (where unc-vdir is the name I give the unc-vdir on IIS, such as 'Public')/then the rest of the path on the NAS drive ?
> > > >
> > > > 2. Since we have Active Directory set up on our network you said all I need to do is configure 'Protocol Transitioning' and then I can use any authentication protocol on IIS... Where do I configure 'Protocol Transitioning' ?
> > > >
> > > > Thanks-Dave
> > > > -- Dave
> > > >
> > > > "David Wang" wrote:
> > > > > Thanks for the info. Some more requirements need to be gathered before determining the correct configuration.
> > > > >
> > > > > - Your web pages cannot contain file:// or \\flnas01 links if you want it to work from Internet.
> > > > >
> > > > > If your web page MUST contain file:// or \\flnas01 links, then you will need to open more holes in the firewall to allow RPC and UNC ports as well as publish your flnas01 server to be accessible via the Internet. Obviously, this sort of web page does NOT do what you want - make files on NAS server available via Web Server (instead, it is making your NAS server available via the Internet because your Web Server exposed its name), and this approach is also heavily discouraged due to security concerns.
> > > > >
> > > > > It is easier and safer to configure a UNC vdir on IIS to point to \\flnas01 UNC shares on NAS, and for your web pages to use http://public.webserver.IP.address/unc-vdir/blahblahblah links (INSTEAD OF \\flnas01 links). This single page will work from both Intranet and Internet with minimal security concerns.
> > > > >
> > > > > If you do the above, but you want to optimize Intranet traffic to not go through http://public.webserver.IP.address/unc-vdir, then you should create two websites, one internal and the other external. This takes more effort to maintain, and your router may not be smart enough to support it.
> > > > > - Internal website: web page uses \\flnas01 links, and bound to http://internalWebServer
> > > > > - External website: web page uses http://public.webserver.IP.address/unc-vdir links, and bound to http://public.webserver.IP.address
> > > > >
> > > > > - In order for a vdir pointing to UNC share to work, it has to use an Authentication protocol that supports Delegation. NTLM/Digest do not, so your current failure is by-design. Choice of each protocol has its plus and minus, and correct choice depends on your needs. The following URL provides an excellent background and motivation:
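The last quoted point above is the one that actually fixes the 401.3: the web server can only open \\flnas01 as the browsing user if its account is allowed to delegate, and Dave later reports enabling delegation "for all protocols". The script below is an added example, not part of the thread and not David Wang's, that audits exactly that grant on the IIS server's computer account so you can confirm it is constrained to the NAS rather than unconstrained. It assumes the RSAT ActiveDirectory module; WEBSRV01 is a placeholder for the web server's name (the thread never gives it), flnas01 is the NAS from the thread, and the userAccountControl bit values are the documented Windows constants.

```powershell
# Added example, not from the thread: audit the delegation settings on the IIS
# server's AD computer account, which is what makes the UNC vdir "double hop" work.
# Assumes the ActiveDirectory module (RSAT). WEBSRV01 is a placeholder name;
# flnas01 is the NAS named in the thread.
Import-Module ActiveDirectory

$WebServer = 'WEBSRV01'   # assumed: the IIS 6 box (name not given in the thread)
$NasHost   = 'flnas01'    # the NAS file server from the thread

# userAccountControl bits that drive delegation (Windows SDK constants)
$TRUSTED_FOR_DELEGATION         = 0x80000     # "Trust this computer for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition, S4U2Self)

$acct    = Get-ADComputer -Identity $WebServer -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$uac     = [int]$acct.userAccountControl
$targets = @($acct.'msDS-AllowedToDelegateTo')

if ($uac -band $TRUSTED_FOR_DELEGATION) {
    # Unconstrained delegation: a compromised web server can impersonate any user
    # who ever authenticated to it, against any service in the forest.
    Write-Warning "$WebServer uses UNCONSTRAINED delegation. Switch to 'specified services only' and list cifs/$NasHost."
}

if ($targets.Count -eq 0) {
    Write-Warning "$WebServer has no constrained-delegation targets; reads through the UNC vdir fail with the 401.3 double-hop error."
}

# The vdir reaches the share over SMB, so the target SPN must be cifs/<NAS host or FQDN>
$nas   = @($targets | Where-Object { $_ -like "cifs/$NasHost*" })
$other = @($targets | Where-Object { $_ -notlike "cifs/$NasHost*" })

if ($nas.Count -gt 0) { Write-Output "OK: $WebServer may delegate to $($nas -join ', ')" }
else { Write-Warning "cifs/$NasHost is not in msDS-AllowedToDelegateTo; add it on the computer's Delegation tab." }

if ($other.Count -gt 0) {
    # Every extra SPN here widens what a compromised IIS box can reach as the user
    Write-Warning "Unrelated delegation targets: $($other -join ', ')"
}

if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
    # Protocol transition lets IIS forward users who arrived via NTLM, Digest or Basic
    # (for example anyone reaching the site by IP address, where the browser will not
    # attempt Kerberos). The price: the server can obtain a service ticket for ANY
    # user without that user's password, so keep the target list minimal.
    Write-Output "Protocol transition is ON: non-Kerberos logons to IIS can still reach $NasHost."
} else {
    Write-Output "Kerberos-only delegation: clients must authenticate to IIS with Kerberos (needs an HTTP/<hostname> SPN)."
}
```

On IIS 6 the default application pool runs as Network Service, so the delegation settings live on the computer object as above; if the pool identity is a domain user, run the same checks against that user with Get-ADUser instead. Both the "specified services only" list and the "use any authentication protocol" option require the Windows Server 2003 domain functional level, which matches the setup described at the top of the thread.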
David,

Disregard my prior email...

I have resolved my issue... The following XML code resolves the login issue both from the internet and intranet...

<node label="Public Test" url="../Public/IT information/Tips\Contacts - Keeping track.doc" />

This uses the unc-vdir path and references back to the root of the default site, which works for both the intranet and internet. Thanks for all your help!

Have a good holiday!

-- Dave
I recommend that you use:

<node label="Public Test" url="/Public/IT information/Tips/Contacts - Keeping track.doc" />

Because it:
1. matches up with your actual URL. I recommend against using parent paths (../ ).
2. Please use "/" instead of "\" (which was originally in front of "Contacts") in a URL.

It is a common mistake, and some programs will automatically flip "\" to "/" (and vice versa) depending on situation, but not all programs. So it is a good habit to know.

Basically, "\" is commonly used as the Windows directory separator, so it only applies when you are providing a name for a File on a Windows machine. "/" is commonly used as the URL segment separator as well as on filesystems on Unix or Linux.

In this case, you are providing a name for a URL. Thus you should use "/" and not "\".

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
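Two points in this thread turn into one mechanical rule for the navigation XML: David's earlier explanation that a link to the web server's dotted IP always lands in the browser's Internet zone (so intranet users get a logon prompt for the file even after auto-logon to the site), and his recommendation here to write the link root-relative with "/" separators and no parent paths. The script below is an added example, not from the thread and not David Wang's, that applies that rule to every <node url=""> entry. The <nav> document is constructed for the example, 203.0.113.10 stands in for the thread's public IP, and it assumes that any absolute link into /Public points at this web server.

```powershell
# Added example, not from the thread: normalise the url="" attributes in the site's
# navigation XML so every link into the UNC vdir is root-relative, uses "/" only,
# carries no "../", and is percent-encoded. The <nav> document below is constructed
# for the example; 203.0.113.10 stands in for the thread's public IP.
$vdir = 'Public'   # the UNC vdir name used in the thread

$nav = [xml]@'
<nav>
  <node label="Email Contacts" url="http://203.0.113.10/Public/IT information/Tips/Contacts - Keeping track.doc" />
  <node label="Public Test"    url="../Public/IT information/Tips\Contacts - Keeping track.doc" />
  <node label="Already fine"   url="/Public/IT%20information/Tips/Contacts%20-%20Keeping%20track.doc" />
  <node label="Other site"     url="https://www.example.com/" />
</nav>
'@

function Convert-VdirUrl {
    param([string]$Url, [string]$Vdir)
    $u = $Url.Trim()

    # Absolute URL: keep only the path. A link to the server's dotted IP sits in IE's
    # Internet zone, so intranet users who were auto-logged-on to the site still get
    # a logon prompt for the file. Assumes absolute links into /$Vdir point at this server.
    if ($u -match '^https?://[^/]+(/.*)?$') {
        if (-not $Matches[1]) { return $null }     # bare host, nothing to rewrite
        $u = $Matches[1]
    }

    $u = $u -replace '\\', '/'                   # "\" is a Windows path separator, not a URL one
    $u = [System.Uri]::UnescapeDataString($u)    # decode before re-encoding to avoid %2520

    # Resolve "." and ".." against the site root; "../" must never escape it
    $segments = New-Object 'System.Collections.Generic.List[string]'
    foreach ($s in $u.Split('/')) {
        if ($s -eq '' -or $s -eq '.') { continue }
        if ($s -eq '..') {
            if ($segments.Count -gt 0) { $segments.RemoveAt($segments.Count - 1) }
            continue
        }
        $segments.Add($s)
    }
    if ($segments.Count -eq 0 -or $segments[0] -ne $Vdir) { return $null }   # not a vdir link

    # Percent-encode each segment (spaces -> %20) and rebuild as a root-relative URL
    $encoded = $segments | ForEach-Object { [System.Uri]::EscapeDataString($_) }
    return '/' + ($encoded -join '/')
}

foreach ($node in $nav.nav.node) {
    $fixed = Convert-VdirUrl -Url $node.url -Vdir $vdir
    if ($null -ne $fixed -and $fixed -cne $node.url) {
        Write-Output ('{0,-15} {1}' -f $node.label, $fixed)
        $node.url = $fixed
    }
}
$nav.Save((Join-Path $PWD 'nav-fixed.xml'))
```

Both the "Email Contacts" and "Public Test" entries come out as /Public/IT%20information/Tips/Contacts%20-%20Keeping%20track.doc; the already-encoded entry is left untouched and the link to another site is skipped. Because the rewritten links carry no host, the browser resolves them against whatever name the user typed for the site (the internal name inside, the public address outside), so the zone decision and the auto-logon behaviour for the file match the page that linked to it. If the internal site name contains dots, add it to the Local intranet zone by policy, otherwise it too will be treated as Internet.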
David,

Thanks for the feedback! I will implement your suggestions to make the site more global and not just Windows-oriented.

In addition, I want to thank you for your help and direction on this entire security project. You greatly simplified things for me.

-- Dave