If you choose to go with Kerberos delegation, this blog post might be useful to help you understand what is going on. Scroll about halfway down where it says 'Situation 5'. http://blogs.msdn.com/b/canberrapfe/archive/2012/01/02/kerberos-troubleshooting.aspx
The basic overview diagram looks like this: [image: kerb-lab-setup.jpg, http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-19-00/8372.kerb_2D00_lab_2D00_setup.jpg]

On WFE01 (web front end 01) I installed the basic IIS setup. Then on the default website I simply added a virtual directory that pointed to \\SQL01\share (literally this step is just a right click on the default web site inside IIS manager - then choose NEW - Virtual Directory). I assumed this would involve Kerberos authentication and require some messing around with SPNs and delegation settings, which was exactly what I was looking for.

From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer
Sent: Tuesday, 3 January 2012 12:19 PM
To: ozDotNet
Subject: RE: Network shares as virtual directories (answer?)

Domain Admin is definitely overkill.

IUSR etc. are local accounts - whilst the username might exist on another machine, the password is most likely different (unless you manually sync the passwords).

If you have an AD domain, then you can create a regular domain user account. Restrict the machines that the user can logon to (the IIS server and the file server), and use that account. The machine running IIS will use the "Connect As" credentials to connect to the File Server. As the account is a domain account, the credentials would be valid on the file server.

The other option is to enable Kerberos delegation, but that's a whole different kettle of fish.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Greg Keogh
Sent: Tuesday, 3 January 2012 7:18 AM
To: 'ozDotNet'
Subject: Network shares as virtual directories (answer?)
After an hour of stuffing around a few days ago I have found a way to overcome the password prompt and 403 errors trying to access files on a network share that is mapped as an IIS virtual directory. Procmon was telling me that NETWORK SERVICE impersonating IUSR was denied access to the network share. I thought that adding accounts like IUSR to the virtual directory would fix the problem, but no matter what accounts or stupid desperate combinations of accounts I added, absolutely nothing would change the 403 error. So the problem was elsewhere.

There is an option button when you create a virtual directory to change "Connect As ... Path Credentials". It was unclear what to put in the "Specific user" option, so I stuck the domain administrator name and password in. The problem is fixed.

The relationship between the various accounts in the different IIS dialogs is unclear. I hope using the domain admin isn't dangerous overkill. I don't think so, as the path is read-only in IIS anyway and shouldn't open an external vulnerability.

Greg
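The dedicated-account setup Ken suggests in his reply, scripted end to end, as an added example that is not part of the thread and not code from any of its participants. It assumes the ActiveDirectory and WebAdministration PowerShell modules, a placeholder domain CONTOSO and a placeholder service account svc-iisshare; WFE01, SQL01, \\SQL01\share and the Default Web Site are taken from the thread. The point is that the account behind "Connect As" is what a compromised or misconfigured web front end can reach on the file server, so it should be a plain domain user with read-only rights and restricted logon, not a Domain Admin.

```powershell
# Added example (not from the thread): a low-privilege "Connect As" account for an
# IIS virtual directory that points at \\SQL01\share, per Ken's suggestion.
# Placeholders: domain CONTOSO, account svc-iisshare. Steps 1 and 3 run on WFE01
# with AD and IIS admin rights; step 2 runs on SQL01.
Import-Module ActiveDirectory
Import-Module WebAdministration

$domain  = 'CONTOSO'        # placeholder domain
$svcName = 'svc-iisshare'   # placeholder account name
$secure  = Read-Host -AsSecureString -Prompt "Password for $domain\$svcName"

# 1. A regular domain user, not a Domain Admin. Lock the password so IIS's stored
#    copy stays valid, and allow logon only on the two hosts Ken names.
New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $secure `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Connect As account for the IIS virtual directory on WFE01'
Set-ADUser -Identity $svcName -LogonWorkstations 'WFE01,SQL01'

# 2. On SQL01 (shown as comments, run there): read-only on both the share and NTFS.
#    Grant-SmbShareAccess -Name share -AccountName "$domain\$svcName" -AccessRight Read -Force
#    icacls D:\share /grant "$domain\${svcName}:(OI)(CI)RX"

# 3. On WFE01: create the virtual directory and store the fixed credentials.
#    IIS writes the password attribute encrypted into applicationHost.config.
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'share' -PhysicalPath '\\SQL01\share'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty 'IIS:\Sites\Default Web Site\share' -Name userName -Value "$domain\$svcName"
Set-ItemProperty 'IIS:\Sites\Default Web Site\share' -Name password -Value $plain
$plain = $null

# 4. Check: the vdir should now report the service account, not the worker identity,
#    and the file server should see SMB sessions from that account only.
Get-ItemProperty 'IIS:\Sites\Default Web Site\share' | Select-Object physicalPath, userName
```

With this in place the 403 Greg saw goes away for the same reason his fix worked (IIS no longer presents the local IUSR identity to SQL01), but a file-server or web-tier compromise now yields a read-only user confined to two machines rather than domain-wide administrative rights. Rotate the account's password by rerunning step 3 whenever it changes, since the copy IIS holds does not follow AD.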
