2 servers, 1 website, security issue

musosdev

Hi guys

Wonder if you could help me out with some security issues I'm having
installing my code on a client's network.

Here's the setup. We've got 2 servers, the first (DC) is a Win2k3 Std
machine running as a domain controller, with Active Directory, etc - and IIS6.

IIS is running an Intranet app, which is set up to use IWA security, and is
running in its own AppPool on .net framework 2.

The second server (DSQL) is not a DC, but is connected to the network. This
machine is running SQL Server Express, which has the database for the
Intranet app running on the DC. It also had all the user created data for the
Intranet (files generated by the Intranet app).

The SQL side works fine - we got the 2 machines talking and using a specific
account so that, whoever logs in to a client pc and visits the Intranet - it
can connect to the sql and works fine.

The problem is the data folder.

In IIS on DC, we created a virtual directory called IntranetShare, which we
pointed at "\\dsql\IntranetShare", which is a network share coming from DSQL
("C:\Intranet Data" to be precise).

Here's the problem, even though the IIS has Integrated Windows
Authentication, whenever our Intranet tries to load anything from
/IntranetShare/ (ie \\dsql\intranetshare) - windows gives us a "Connect to
server" login box, asking for username and password. Not only that, but even
if you do login, it won't accept the credentials, and just keeps asking to
login.

I'm guessing it's permissions/security - but I'm lost. What have we
missed?!!!?

Thanks in advance!



Dan
 
Walter Wang [MSFT]

Hi Dan,

When you created the virtual directory 'IntranetShare' and configured it to
use share "\\dsql\IntranetShare", did you also configure the "Connect As"
account for the network directory? IIS will need to use that account to
connect to the resource and return it to the client browser.

Also, when you said "load anything from /IntranetShare/", do you mean a
simple hyperlink to a resource on the share or read/write file to it using
code?

Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Walter Wang [MSFT]

Hi Dan,

In IIS management console, select your virtual directory "/IntranetShare",
right-click, select "properties", in tab "Virtual Directory", you will see the
option "A share located on another computer" is selected and there's a
button named "Connect As" at the right side of the field "Network
Directory". This is where you tell IIS how to read the network resource.
You need to use an account that has access to the network share path.

Regarding writing to the network resource, we can leave it alone if that
part is not included in your web application.

Please try configuring the "Connect As" and let me know the result. Thanks.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

 
musosdev

Hi Walter,

Thanks - I've found it on my test system here. Unfortunately on the real
system, we turned the SQL Server off, so right clicking on the Virtual
Directory it can't find the server so won't show me the properties.

At least I know what to do now - thanks for the help so far, I'll keep you
posted!

Cheers



Dan
 
musosdev

Update!

Hello again Walter,

Well, I managed to get access to the server and have set the Connect As
property on the virtual folder in IIS. That has got rid of the "Connect to.."
dialog whenever I try and access any of the files.

However, all the files in the VDir have spaces in the names. The browser is
showing that it's looking for "/myshare/saved/this%2fis%2fmy%2ffile.ext" -
and it's giving me a 500 error?

How can I access these files with the spaces in the names ?!

Thanks,


Dan
 
Walter Wang [MSFT]

Hi Dan,

I'm not sure if I fully understand your question. However, shouldn't a space
be represented by %20 in a URL? The %2f is '/'. Where did you get the
generated URL "/myshare/saved/this%2fis%2fmy%2ffile.ext"?


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
musosdev

Hi Walter,

Sorry I confused you - probably something to do with the fact that I'm
confused!

Unfortunately, I can't get access to that setup again until tomorrow, but
you're probably right regarding the %20, so the path would be..

"%2fmyshare%2fsaved%2fthis%20is%20my%20file.ext"

Assuming that's the case, and "/myshare/" exists as a virtual directory on
my website, with the saved directory and a file called "this is my file.ext"
- it's giving me a 500 error whenever I try and access the files.

The filename it's looking for is pulled from the sql database, and the path
info is stored in appsettings, so my page loads an IFrame with the url..

IFrame.Attributes.Add("src", AppSettings["contractPath"].ToString() +
data("filename"));

I'll have a look tomorrow and keep you posted.

Cheers



Dan
 
Walter Wang [MSFT]

Hi Dan,

Apparently the path separator '/' is incorrectly encoded here. You need to
find out which code is encoding the path and saving it to the database. Normally
the path doesn't need to be encoded. For example:

Response.Redirect("this is my file.htm");

should work correctly.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
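
As an added example (not code from this thread or from Microsoft): one way to build the IFrame URL so that a space becomes %20 while '/' stays a path separator, encoding each segment separately and rejecting stored file names that carry a separator or dot segment. The class name ContractUrl, the sample base path and the assumption that the database holds the raw, unencoded file name are hypothetical.

```csharp
using System;
using System.Linq;

static class ContractUrl
{
    // basePath: virtual directory path as kept in appSettings (sample value assumed).
    // fileName: raw, unencoded file name as read from the database (assumption).
    public static string Build(string basePath, string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("Empty file name.", nameof(fileName));

        // The stored value must be a bare file name. Decode once before checking so
        // that an already-encoded separator such as %2f is caught as well.
        string decoded = Uri.UnescapeDataString(fileName);
        if (decoded.IndexOfAny(new[] { '/', '\\' }) >= 0 || decoded == "." || decoded == "..")
            throw new ArgumentException(
                "File name contains a path separator or dot segment.", nameof(fileName));

        // Encode every segment on its own: "/" is never passed to the encoder,
        // so it cannot turn into %2f, and a space inside a segment becomes %20.
        string[] segments = basePath.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        string encodedBase = string.Join("/", segments.Select(s => Uri.EscapeDataString(s)));

        return "/" + encodedBase + (segments.Length > 0 ? "/" : "")
                   + Uri.EscapeDataString(fileName);
    }

    static void Main()
    {
        // Constructed sample values, matching the names used in the thread.
        Console.WriteLine(Build("/myshare/saved/", "this is my file.ext"));

        // A stored name that smuggles an encoded separator is refused, not served.
        try
        {
            Build("/myshare/saved/", "..%2fweb.config");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The result of Build would replace the string concatenation passed to IFrame.Attributes.Add("src", ...); because the virtual directory is read through the fixed "Connect As" account, the file-name check is what keeps a bad database value from reaching other paths that account can read.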
 
