Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. How to Enable Pass-through Authentication for UNC Virtual Directories

How to Enable Pass-through Authentication for UNC Virtual Directories

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1

↑ Back to the top

Summary

When a user sets up a virtual directory that maps a UNC path to a remote computer, Internet Information Server (IIS) or Internet Information Services (IIS) requests a user name and password to create that link to the remote computer. Any attempt to view the content on the virtual directory uses the credentials of the user that was typed in, even if the user was authenticated by IIS.

You can set up IIS 4.0 or IIS 5.0 to pass the user name and password entered for Basic authentication, and use this pass-through authentication to connect to the remote share. Windows NT Challenge/Response authentication is not supported, because it does not send the password for the UNC connection.


↑ Back to the top

More Information

To set up pass-through authentication, do the following:
  1. Create a UNC virtual directory. Verify that the connection to the remote content works and that browsing to that virtual directory does not return errors.
  2. If you want to use anonymous connections to the computer, do the following:
    1. In the properties for that virtual root, click the Directory Security tab.
    2. Click the Edit button next to Anonymous Access and Authentication Control.
    3. On the Edit button under Allow Anonymous Access, click to uncheck the Enable Automatic Password Synchronization checkbox.
    4. If you do not want Anonymous access, uncheck the box.
  3. Turn on Basic Authentication. Please note that the user's domain name, user name, and password are sent over the network without data encryption. To ensure security, the Web administrator can install SSL on this virtual link to force encryption of the password.
  4. Turn off Windows NT Challenge/Response. NT Challenge/Response authentication does not allow for delegation of user accounts to remote shares. Only Basic Authentication and Anonymous authentication allow for this (Anonymous MUST be set as in step 2).
  5. Open a command prompt, and change to the %systemroot%\System32\Inetsrv\Adminsamples directory. (Note: %systemroot% is usually winnt on most systems).
  6. At the prompt, type the following:
    adsutil set w3svc/#/root/*vdir*/UNCUserName ""
    (where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)

  7. At the prompt, type the following:
    adsutil set w3svc/#/root/*vdir*/UNCPassword ""
    (where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)

  8. At the prompt, type the following:
    adsutil set w3svc/#/root/*vdir*/UNCAuthenticationPassThrough TRUE
    (where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1.)

  9. At the prompt, type the following:
    net stop iisadmin /y
  10. At the prompt, type the following:
    net start w3svc
Internet Service Manager will now show this virtual directory as an error. This is normal, because the Internet Service Manager looks for a username and password on a UNC virtual directory, but none exists.

When your users connect and authenticate, the name they type in will be used to connect over the UNC connection to the remote share or content. The Webmaster can now set share-level or NTFS-level permissions, and the user account typed in by the client will be the one used to check against the ACL of these objects.


Note: Any change to this virtual directory in the Internet Service Manager changes the metabase settings above. Therefore, the above steps will need to be performed again.

↑ Back to the top

Keywords: kbiis2007swept, kbhowto, kb

↑ Back to the top

Article Info
Article ID : 214806
Revision : 1
Created on : 1/7/2017
Published on : 6/22/2014
Exists online : False
Views : 166