
I have 2 win2k3 servers in a DMZ, with no domain. Server A hosts a classic ASP site, and needs to save some files on a share on Server B.

A user account (testshare) has been created on both Server A and Server B, with the same username / password.

A Virtual Directory has been created in IIS on Server A. It has been assigned the "testshare" account as the user within the "Directory Security > Authentication and access control" tab of IIS, and integrated windows security has been unchecked. An Application Pool has been created and assigned to this Virtual Directory, and the "testshare" account has been configured as the application pool identity.

Server B has a share created (\\ServerB\Share001), and has "Everyone" permissions set on the share, and on the NTFS file permissions for the share.

When I am logged onto Server A, I can type "\\ServerB\Share001\" in Windows Explorer, and view the share.

When I attempt to access the share from an ASP script within the Virtual Directory on Server A, I receive a "Path not found" error.

When I look in the Event Log of server B to trace the error, I find:

Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_SERVERA
Domain: SERVERA

I would expect that the user name would be "testshare", rather than "IUSR_SERVERA".

I would also expect the share to work, regardless of the user account accessing it, as it has "Everyone" permissions set.

Can anyone provide some pointers to debug this?

Thank you Jack


edit

I originally assigned just the "testshare" account permissions on the share. When this did not work, I assigned the "everyone" permissions. I do not want the "everyone" permissions set; I have just enabled that to see if it was permissions related to that account. As the "everyone" permissions are set, it looks like something else I'm unable to diagnose.

Jack

1 Answer

EDIT:

After reviewing the docs, I think the best solution is to use the UncUserName metabase property.

You can set UncUserName and UncPassword properties to your testshare credentials that are mirrored on both servers.

You can set this property and IIS6 will use that user and password to access the UNC share instead of the IUSR.

unhappyCrackers1
  • I'm using Classic ASP so this is not an option... Thank you though – Jack Jul 12 '12 at 15:13
  • As the share has "Everyone" permissions set - surely the IUSR account would be allowed access? – Jack Jul 12 '12 at 16:31
  • @Jack, that would seem logical, but I think you may need to put the IUSR into the *Users* group because by default it is a member of *Guests*. – unhappyCrackers1 Jul 12 '12 at 16:49
  • I'm not able to do this on the advice of the security team in charge of the servers. The most they'd allow is the testshare account, which will be run from one page in the site, as they don't want to grant the IUSR account access to ServerB... – Jack Jul 12 '12 at 17:06
  • @Jack, then set up impersonation for the testshare user and give it access to the share on ServerB. – unhappyCrackers1 Jul 12 '12 at 17:48
  • How can I set up impersonation for a classic ASP user? The link provided is for .NET – Jack Jul 13 '12 at 09:44
  • @Jack, in IIS Manager | Home Directory tab, what do you have for Application Protection? Try setting it to medium and I believe IIS will use the anonymous user instead of the IUSR and I think that should solve your issue. See here: http://imar.spaanjaars.com/287/how-do-i-determine-the-security-account-that-iis-uses-to-run-my-web-site – unhappyCrackers1 Jul 13 '12 at 13:22
  • @Jack, you can use the UncUserName and UncPassword metabase properties to effectively "impersonate" the user accessing UNC shares. http://msdn.microsoft.com/en-us/library/ms524996(v=vs.90).aspx#unc – unhappyCrackers1 Jul 13 '12 at 13:58
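
One way to set the UncUserName and UncPassword metabase properties described in the answer, as an added example that is not part of the original thread. It assumes site ID 1 and a virtual directory named "share001" (both hypothetical) whose Path is mapped to the UNC share from the question; it also prints AnonymousUserName so the identity seen in Server B's event log can be compared with what the metabase holds.

```vbscript
' Added example, not from the original thread. Run on Server A as an
' administrator:  cscript //nologo set-unc-identity.vbs
Option Explicit

' Assumptions: site ID 1 and a virtual directory named "share001".
Const VDIR_ADSPATH = "IIS://localhost/W3SVC/1/ROOT/share001"
Const UNC_TARGET   = "\\ServerB\Share001"   ' share from the question
Const UNC_USER     = "testshare"            ' account mirrored on both servers

' Print the metabase values that decide which identity reaches the share.
Sub ShowSettings(label, vdir)
    WScript.Echo label
    WScript.Echo "  Path              = " & vdir.Path
    WScript.Echo "  UNCUserName       = " & vdir.UNCUserName
    WScript.Echo "  AnonymousUserName = " & vdir.AnonymousUserName
    WScript.Echo "  AppPoolId         = " & vdir.AppPoolId
End Sub

Dim vdir, password
Set vdir = GetObject(VDIR_ADSPATH)
ShowSettings "Current metabase values:", vdir

' Prompt instead of hard-coding the password (the prompt echoes input).
WScript.StdOut.Write "Password for " & UNC_USER & ": "
password = WScript.StdIn.ReadLine
If Len(password) = 0 Then
    WScript.Echo "No password entered; metabase left unchanged."
    WScript.Quit 1
End If

vdir.Path        = UNC_TARGET
vdir.UNCUserName = UNC_USER
vdir.UNCPassword = password
vdir.SetInfo      ' commit the changes to the metabase

' Re-bind so the values shown are what was written, not the local cache.
Set vdir = GetObject(VDIR_ADSPATH)
ShowSettings "After update:", vdir
```

Once access works under testshare, the "Everyone" entries on the share and its NTFS permissions can be replaced with testshare alone, which is the state the question was aiming for.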