Pass-Through Authentication - IIS Virtual Directory
(Intranet) I'm trying to setup a website which will serve up files from a network share (\\servername\folder\file). Only users who have access to the network folder through active directory groups should be able to download the files through the website.
This is the setup I have now:
Site:
AppPool: DefaultAppPool
Authentication: Windows Authentication
Subsite:
AppPool: DefaultAppPool
Authentication: Windows Authentication
Virtual Directory:
Physical Path: \\servername\Folder
Physical Path Credentials: Application user (pass-through authentication)
Logon Type: ClearText
When I try to navigate to the site with a link like this: http://webserver/subsite/virtualdirectory/folder/file.xls, I get repeatedly prompted for credentials even though the credentials I enter should be valid. In the Virtual Directory setup, if I change it from pass-through to "specific user", it works but that bypasses the security of the active directory groups.
Am I configuring something incorrectly here?
Note, I already looked at Pass-through authentication not working. IIS 7
There are two separate authentications going on:
- The user is authenticating to your website.
- IIS is authenticating to the file share.
Those are completely separate operations.
I believe you're running into the double hop problem: You can use the user's credentials to authenticate on your server, but you cannot (by default) send those credentials to another server. To enable that, you might be able to setup Kerberos delegation in Active Directory, which can get complicated.
If setting up delegation is not an option, then you will have to find another way to serve those files to the user.
I agree this is a difficult problem to solve if you really want the share permissions of the share to dictate who can download the file through the site. One option is a direct link to the share (if the user's computer has network access to the server):
<a href="file://servername/Folder/somefile.txt">Download</a>
That works in IE, but not in Chrome because Chrome specifically disables file:// links (unless you enable it via plugin).
Another, more complicated option is to pipe the file through your application. Your application can access the file and enumerate the share permissions to see if the user has access, then allow the download if so. But NTFS permissions are notoriously difficult to wade through.
Or just ignore the share permissions and find some other way to determine whether the person should have access (one specific security group, for example) instead of relying on the share permissions.
- Certificate Rebind in IIS 10 using powershell
- Unexpected System.BadImageFormatException: Index not found That is Fixed with Restart
- ASP.NET Core 8 Minimal API throws 404 on deploy in IIS
- Published on webserver core8 api works from POSTMAN and from weserver published frontend but ERR_CONNECTION_RESET from client browser
- Why is my local website not working in IIS
- Unable to launch IIS Express Web Server - Failed to Register URL - Cannot create a file when that file already exists | VS Community 2017
- The session cookie cannot be unprotected when ASP.NET Core 8.0 Web App runs on IIS
- what alternatives are there to using global.asax?
- How to Access Files in ASP.NET Web Forms Application via Virtual Directory on Network Location?
- ASP.NET Core app running on IIS gives Http Error 401.2-Unauthorize
- Cannot connect to SQL SERVER from ASP.NET Web Method
- .NET framework Session State
- IIS - Url Rewrite and subfolers
- ERROR: "The project doesn't know how to run the profile IIS Express" (VS 2019, 16.11.7)
- What is modern way to hosting `node.js` applications on Windows 10 and Windows Server 2012 and newer?
- Python Flask UnderIIS - Docx to Pdf
- How to Host Web API and MVC application on Same Address
- How to solve the HTTP Error 403.14 - Forbidden in Asp.Net Core API?
- [COMException (0x800a141f): Word was unable to read this document. It may be corrupt
- IIS & ASP.NET blocking file
- ASP.NET Core 8.0 MVC web app & IIS 10 - how to include the user name in the IIS log when the cookie authentication is used?
- JSON file create issue on IIS production server
- URL Rewrite rule to redirect http: to https: is not working - IIS 10 - Asp.Net Framework 4.8 - web forms - aspx
- How to host React.js and Node.js app in windows IIS?
- Minimum ASP.NET Core app to redirect to new domain
- HttpClient using PFX transport certificate to stablish connection to third part application
- .Net Framework: exception in w3wp.exe
- docker: Error response from daemon: Ports are not available: listen tcp 0.0.0.0:80: bind:
- change iis localhost from C: to D:
- IIS 10 - HTTP Error 413.1 - Request Entity Too Large