Psst! Did you know DevelopmentNow is a mobile web site design agency?

Contact us for help mobilizing your site, or to sign up for our beta Mobile Web SDK!
all groups > iis security > february 2007 >

iis security : Virtual Directory Security


Rusty
2/10/2007 12:28:00 PM
I have IIS 6.0 set up on a Windows 2003 server. I have installed a Web site
and am using Basic Authentication for Domain users inside or outside the LAN
to access the site. This works however, the navigation of my web site is
such that the user starts in parent .htm files that are apparently using
Default Web Site authentication but I have some Virtual directories that once
accessed, ask for authentication again and will not allow access. They are
Roger Abell [MVP]
2/12/2007 8:19:28 AM
Check that the NTFS permissions on those inaccessible
virtual folders matches what is working on the root area.
You should be aware that use of basic authentication with
those domain account is exposing the needed login information
on the traversed network, which you indicate includes external
network links.

[quoted text, click to view]

Rusty
2/13/2007 7:53:00 AM
The NTFS permissions are all normal. Security looks the same as the security
for Default Web Page. The difference is that the problem directory is a
Virtual Directory.
1) Why is it asking me to authenticate if I already authenticated at the
Home Web Page?
2) Why can I not authenticate no matter what account I use including admin
account?

[quoted text, click to view]
David Wang
2/14/2007 4:35:22 AM
#1. When you enable Authentication, the Web Server *always* require
the browser to prove its identity for *every* applicable resource. The
fact that you authenticated at the Home Web Page is not relevant. It
is the web browser which must remember to automatically "prove" your
initially authenticated access at "Home Web Page" to the web server,
so that the user does not see repeated login prompts.

#2. This usually indicates an invalid server-side configuration. You
should disclose the IIS web log entries related to those 401 requests
to determine the cause.

You want to read the following blog entries to help clear up common
user misconceptions about authentication and security.

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_Denied_to_Administrators_or_Anonymous_User.aspx


At this point, I suspect you need to tell us:
1. All authentication protocols enabled at each problematic URL
2. Are any of the vdirs pointing to UNC shares and if so, are you
using Pass-Thru Auth or specifying UNC user credentials
3. If Anonymous authentication is enabled, are the anonymous user
credentials correct.
4. The IIS Web log entry corresponding to each failed request. In
particular, I want the HTTP status, sub-status, and Win32 error codes
because they ease diagnosing the misconfiguration.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



[quoted text, click to view]

Roger Abell [MVP]
2/14/2007 5:06:10 AM
Please clarify what you are meaning by Virtual Directory.
This term only means that the directory does not exist within the
content tree's physical store at the location where it is made to
appear. Are you by chance also intending to mean that this
virtual is sourced from a different server? If so then we need
to verify access/authentication issues going to the remote.

[quoted text, click to view]

Ken Schaefer
2/15/2007 12:40:03 AM
This is not how things should work.

If you have anonymous authentication disabled, then IIS will always ask for
credentials (for each and every page), however your browser should continue
sending the same credentials for each request (after you have authenticated
successfully on the first request).

So the potential issues are:
a) IIS is denying access, even though you are supplying credentials. I would
run FileMon (formly sysinternals tool - now available from the Microsoft
website) on the server, and see which user account is being denied access to
the file.

b) your browser is not supplying credentials at all, and is instead
prompting the user to supply credentials. You can verify this by looking in
the IIS logfiles (there should be nothing logged for the remote user cs-user
field), or by using a packet capture tool like Ethereal (aka WireShark).

Cheers
Ken


--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

[quoted text, click to view]
Rusty
2/15/2007 2:23:30 PM
Thanks all of you. The virtual directory that worked was on the local
server. The virtual directory that was redundantly asking for authentication
was on another server. I made an entry in the "Connect As" field and all is
well.

Thanks again

[quoted text, click to view]
Got something to say? Click here to post a reply to this thread.
Don't see what you're looking for? Try a search.
View other messages about iis security
AddThis Social Bookmark Button
View Other Months
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008