3

Setup:

  • A web server (Windows 2012 R2, IIS 8.5) outside of domain (called MY_WEB_SERVER)
  • A virtual directory pointing to a NAS server on a domain (called MY_NAS_SERVER)
  • An application set on virtual directory to give the virtual directory its own app in the app pool (called AccessNAS)

Problem: The credentials are rejected by the NAS server, most likely because the ones IIS sends are not the ones we want it to send.

I have configured the app in app pool with a custom identity (username: MY_NAS_SERVER\nas_account). This account exists on the NAS. However, the connection is refused. If I look at ProcMon, I see two ACCESS_DENIED notices on CreateFile, and they both were attempted not using my given custom identity, but "MY_WEB_SERVER\nas_account".

How do I prevent the substitution of "MY_NAS_SERVER" with "MY_WEB_SERVER", so that the credentials I provide are the ones used?

And can this be done without a web.config file on the NAS server?

MPelletier
  • Have you tried creating a local account on the web server and the NAS server both with the same username and password? Then set the app pool to use that username and password. – Mass Nerder Jan 12 '16 at 19:54
  • @MassNerder Yes, that was my first attempt, but what I see in ProcMon is the Web server sending "MY_WEB_SERVER\nas_account" rather than "nas_account" or "MY_NAS_SERVER\nas_account". The NAS server refuses the "MY_WEB_SERVER\nas_account" name. – MPelletier Jan 12 '16 at 20:12
  • What about doing something like logging on as the app pool user, mapping a drive to the NAS, then point your config to the drive. – Mass Nerder Jan 13 '16 at 16:14
  • @MassNerder That was suggested (and I really wanted that TBH) but rejected for other reasons. Namely that they want IIS to control everything. – MPelletier Jan 13 '16 at 16:38
  • Have you tried using ".\username" in the app pool identity? – Mass Nerder Jan 13 '16 at 17:36

1 Answer

0

IIS app pool has never worked as it's advertised for me either. You can't configure an app pool to a specific user and then access a file share with pass-through authentication. You need to add specific user path credentials for each virtual directory.

BruceLeroy
  • Even so, this too fails. – MPelletier Jan 12 '16 at 22:35
  • Try changing to specific user path credentials and then redo the ProcMon. You should also try connecting as WORKGROUP\nas_account instead of MY_NAS_SERVER\nas_account. – BruceLeroy Jan 12 '16 at 22:56
  • A workaround has been found, namely that the web servers were put on the domain. I couldn't test your solution. I really wanted to (with the workgroup). I'm giving you the prize nonetheless for your time. – MPelletier Jan 13 '16 at 16:39
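
The path-credential setting the answer describes, as an added PowerShell example that is not part of the original thread. The site name 'Default Web Site' is an assumption; the application and account names are the ones from the question.

```powershell
# Added example: set fixed path ("Connect as") credentials on the virtual
# directory behind the AccessNAS application, then read the setting back.
Import-Module WebAdministration

$site   = 'Default Web Site'   # assumption: the site that hosts AccessNAS
$app    = '/AccessNAS'         # application name from the question
$pspath = 'MACHINE/WEBROOT/APPHOST'
$filter = "system.applicationHost/sites/site[@name='$site']" +
          "/application[@path='$app']/virtualDirectory[@path='/']"

# Prompt for the password so it never lands in the script or shell history.
$cred = Get-Credential -UserName 'MY_NAS_SERVER\nas_account' `
                       -Message 'Account IIS should use for the UNC path'

# With userName/password set on the virtual directory, IIS logs on as this
# account to open the UNC content instead of passing through the app pool
# or request identity.
Set-WebConfigurationProperty -PSPath $pspath -Filter $filter `
    -Name userName -Value $cred.UserName
Set-WebConfigurationProperty -PSPath $pspath -Filter $filter `
    -Name password -Value $cred.GetNetworkCredential().Password

# Read back what IIS will use (the password is deliberately not displayed).
$vdir = Get-WebConfiguration -PSPath $pspath -Filter $filter
[pscustomobject]@{
    PhysicalPath = $vdir.physicalPath
    ConnectAs    = $vdir.userName
    LogonMethod  = $vdir.logonMethod
}
```

After applying it, repeating the ProcMon capture shows which account the CreateFile calls against the share are actually made under.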