I have a Web server running on machine A. I want pages from this Web server to be able to write information to sections of the file system on machine B. I'm using Windows NT 4.0 Service Pack 5 (SP5) and Microsoft IIS 4.0, and I've turned off Anonymous access. Both machines are in the same domain. I created a virtual directory on A, pointed it at the proper location on B, and supplied a name and password as prompted. Everything works, except that anyone who accesses the directory on A or B has the permissions of the name and password I specified during the creation of the virtual directory. Can I use the NT 4.0 permissions I applied to the original resource to control user access?
Before I answer your question, I must warn you that my solution involves enabling pass-through authentication for IIS 4.0, which Microsoft doesn't recommend and therefore doesn't support. Pass-through authentication lets you achieve your goal, but it's likely to have side effects (e.g., Microsoft Index Server won't be able to index the virtual directory). The good news is that Microsoft built pass-through authentication into IIS 5.0 and, as far as I can tell, supports the configuration in this version.
Before you enable pass-through authentication for either IIS 5.0 or IIS 4.0, be sure to back up your metabase. You also need to determine the Web site number assigned to the site in the metabase, which you can easily do using MetaEdit. MetaEdit comes with the Microsoft Windows 2000 Resource Kit (for IIS 5.0) and the Microsoft Internet Information Server Resource Kit (for IIS 4.0). Be sure to use the most recent version of MetaEdit—MetaEdit 2.1. The Microsoft article "FILE: How to Download, Install, and Uninstall the IIS MetaEdit 2.1 Utility" (http://support
.microsoft.com/support/kb/articles/q232/
0/68.asp) provides more information and the tool for download.
In IIS 5.0, to enable pass-through authentication on the Protected virtual directory in the default Web site, you type the code in Listing 1 at a command prompt. You substitute your Web site number for 1 and the name of your virtual directory for Protected.
You must also enable for the Web site or the virtual directory an authentication mode that supports remote access to resources, which means you must use one of these modes: Anonymous with IIS control password disabled; Basic, Integrated Windows (this mode will work only if all your users use Microsoft Internet Explorer—IE—5.0 on Windows 2000 systems); or Certificate Mapping (the IIS 5.0 version, not Windows Mapper). You enable the authentication mode in the Web site or virtual directory properties.
To enable pass-through authentication in IIS 4.0, perform these steps:
- Enable an authentication mode that supports remote access to resources, which means you must use one of these modes: Basic or Anonymous with Automatic Password Synchronization turned off.
- Locate the adsutil.vbs utility script, which is usually in the \winnt\system32inetsrv\adminsamples directory.
- At a command prompt, type
adsutil set w3svc/1/root/vdir/UNCUserName ""
where 1 is the Web site number and vdir is the name of your virtual directory.
- Type
adsutil set w3svc/1/root/vdir/UNCPassword ""
- Type
adsutil set
w3svc/1/root/vdir/
UNCAuthenticationPassThrough TRUE
- Type
net stop iisadmin /y
- Type
net stop start w3svc
As a result of enabling pass-through authentication for a virtual directory in IIS 4.0, you'll see an error in the Microsoft Management Console (MMC) associated with the virtual directory. However, the procedure will work. Note that any changes you make to the virtual directory through MMC will overwrite your modifications. And please remember that Microsoft neither supports nor recommends this configuration in IIS 4.0.