IIS Informant

I have a Web server running on machine A. I want pages from this Web server to be able to write information to sections of the file system from machine B. I'm using NT 4.0 with SP5 and IIS 4.0, and I've turned off Anonymous access. Both machines are in the same domain. I create a virtual directory on A, point it at the proper location on B, and supply a name and password as prompted. Everything works, except that anyone who accesses this directory has the permissions of the name and password I specified during the creation of the virtual directory. Can I use the NT permissions I applied to the original resource to control user access?

Before I answer your question, I must warn you that my solution involves enabling pass-through authentication for IIS 4.0, which Microsoft doesn't recommend and therefore doesn't support. Enabling pass-through authentication lets you achieve your goal, but it's likely to have side effects (e.g., Microsoft Index Server won't be able to index the virtual directory). There is a sunny side here, however: Microsoft built this capability into IIS 5.0 and, as far as I can tell, supports the configuration in that version.

Before you make these adjustments, be sure to back up your metabase. You also need to determine the Web site number assigned to the site in the metabase, which you can easily do using MetaEdit. MetaEdit comes with the Microsoft Windows 2000 Resource Kit (IIS 5.0) or the Microsoft Internet Information Server Resource Kit (IIS 4.0). (Be sure to use the new version of MetaEdit—MetaEdit 2.1. The Microsoft article "FILE: How to Download, Install, and Uninstall the IIS MetaEdit 2.1 Utility" (http://support.microsoft .com/support/kb/articles/q232/0/68 .asp) provides both information and the tool for download.

In IIS 5.0, the code in Listing 1 enables pass-through authentication on a virtual directory called Protected in the default Web site. You need to substitute the correct Web site number for 1 and the name of the virtual directory for Protected.

Next, you must enable an authentication mode that supports remote access to resources, which means you must use one of these modes:

• Anonymous with IIS control password disabled
• Basic
• Integrated Windows (only if your users all use IE 5.0 on Win2K systems; otherwise, this won't work)
• Certificate Mapping (IIS 5.0 version, not Windows Mapper)

In IIS 4.0, here's how you enable pass-through authentication:

1. Enable an authentication mode that supports remote access to resources, which means you must use either
   • Basic
   • Anonymous with Automatic Password Synchronization turned off
2. Locate the adsutil.vbs utility script, which is usually in the \winnt\sys
   tem32\inetsrv\adminsamples directory.
3. At a command prompt, type adsutil set w3svc/#/root/*vdir*/UNCUserName#=<the Web site number in the metabase>. (You can use MetaEdit to identify this number. Vdir is the name of the virtual directory you're trying to affect.)
4. Repeat Step 3, but type adsutil set w3svc/#/root/*vdir*/UNCPassword.
5. Repeat Step 3, but type adsutil set w3svc/#/root/*vdir*/UNCAuthenticationPassThrough TRUE.
6. Type net stop iisadmin /y.
7. Type net stop start w3svc.

As a result of this procedure, you'll see an error in the Microsoft Management Console (MMC) associated with this virtual directory. However, the procedure will work. Note that any changes you make to the virtual directory through the MMC overwrite your modifications. Please remember—Microsoft neither supports nor recommends this configuration in IIS 4.0.

End of Article

   Previous  1  2  [3]  Next