0

For space reasons, we need to move some files off our main file/webserver to another network fileserver. However, the original file/webserver is still responsible for providing access to these files, so that everything is seamless to the users.

I can provide transparent file access by using DFS on the original server. I can also provide transparent web access using an IIS Virtual Directory.

However, Perl CGI scripts running on the webserver can't access the new (remote) fileserver using UNC paths. This code snippet:

if (-e "\\\\server\\share\\file") { print "Found it\n"; }
else { print "Not found\n"; }

works on my local PC, but not on the webserver. I've been Googling around, and have run into similar examples, but no solutions.

Some environment info:

  • Original File/Webserver: Windows Server 2003

  • New Fileshare: IT NAS server, but I have full control over permissions, and have granted the local "IUSR" account from the Webserver permission to read this share

  • IIS: Version 6

  • IIS Authentication: Integrated Windows Authentication

  • IIS Virtual Directory: configured to use a single AD user's security credentials to access the destination dir

Any help would be greatly appreciated!

jimtut
  • 217
  • 1
  • 3
  • 13

1 Answers1

0

I'm not sure the IUSR_ account has network access? A google search will confirm.

Simon Catlin
  • 5,232
  • 3
  • 17
  • 20
  • I don't think it does either, but I can't think of any other way to allow Perl CGI access to a UNC dir. – jimtut Oct 27 '10 at 21:16
  • Granting "Everyone" read access on the new fileshare doesn't work. There must be something in IIS that doesn't allow access to UNC paths? Or requires some other kind of authentication or impersonation? – jimtut Oct 27 '10 at 21:26
  • I mean I believe Windows/IIS actively stops the IUSR_ account from using network resources - part of the "secure by default" mind set. You can configure the ID that IIS runs under; can't remember where without having a nose around. Worth a try? – Simon Catlin Oct 27 '10 at 21:31
  • There are dozens of other ASP.NET and CGI apps running on the server. Changing the user for all of them could be risky. I was hoping for a setting that could be localized to a directory, or something the Perl script could do to "authenticate" for the UNC share. – jimtut Oct 28 '10 at 17:52
  • Experiment... Follow this procedure: to retrieve your IUSR_xxxxx password. Then do a "runas /user:IUSR_xxxxx cmd.exe". Then, from the CMD window, see if you can access the UNC. – Simon Catlin Oct 28 '10 at 18:27
  • I don't have the required adsutil.vbs mentioned in the Windows IT Pro article, so I can't extract the IUSR password. Someone else mentioned trying to create a separate App Pool running under AD/network credentials, so I'll try that... – jimtut Oct 29 '10 at 20:45