Welcome to HostingForumz.com!
iis 6 ignoring NTFS permissions

 
Littlelegs




(Msg. 1) Posted: Sun Jan 28, 2007 10:48 am
Post subject: iis 6 ignoring NTFS permissions
Archived from groups: microsoft>public>inetserver>iis

We have set up a clean server, installed IIS 6 and created a new Virtual
Directory from a UNC share that has very specific NTFS permissions on the
various folders. We have set it for Integrated Windows Authentication but the
NTFS permissions are being ignored - i.e. NTFS permissions even had a specific
deny for a user and they could still get access.

If Integrated Windows Authentication is set, does the access take the
Administrator credentials from the account that set up the Virtual Directory?
(Though I can't see this being the case, I thought I should ask...)

On my home network, if I set Anonymous access with IUSR_Computername, the
NTFS permissions apply sporadically but at least the error is with access
denied (401.3) rather than open permissions.

We are setting this up for a trial with the Google appliance. It has to be
complicated this way because the appliance doesn't yet take folder/file
permissions into account when serving pages internally for an Enterprise - any
folders crawled are accessible to all... apparently this is getting fixed for
March sometime.

I would love to hear from anyone else using the Google appliance and the
steps involved in setting up...

David Wang




(Msg. 2) Posted: Sun Jan 28, 2007 4:33 pm
Post subject: Re: iis 6 ignoring NTFS permissions

IIS6 is not "ignoring" NTFS permissions in a UNC directory. And ACLs
do not sporadically apply. The core Windows NT security features are
solid and won't allow that.

What your observations show is that you have some combination of:
1. inadequately ACL'd the NTFS and UNC share
2. Misordered ACLs on the resources
3. you have misconfigured IIS6.

FYI: The behavior that you want is possible, but not with your current
configuration. Please read this URL on how to do it:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



Littlelegs




(Msg. 3) Posted: Sun Jan 28, 2007 6:07 pm
Post subject: Re: iis 6 ignoring NTFS permissions

Thank you for your quick response :)

I know the ACLs are correct because these shares are production shares
currently mapped to many users and the permissions are correct.

I have no problem with the idea that IIS 6 is configured incorrectly but
haven't discerned where the setup is incorrect; if you can point me in the
right direction I'd appreciate it ;)

It was very odd today though (hence sporadically) that I changed the
permissions numerous times - they seemed to be behaving but at one point when
I removed a group for access and the user was appropriately denied, when I
added the group back on it, the user stayed denied.... I had to leave it for
a while and then when I simply refreshed later to pick up where I had left
off, 'magically' the permissions worked as expected. Anyways, I am not having
any problems duplicating the correct results and making the permission work
as expected using anonymous authentication.

I had already looked over the webpage you mentioned; however, the problem
that I am having is that if I change the Virtual Directory to authenticate
with Integrated Windows Authentication, the NTFS permissions are not obeyed.
With the directory I was testing (above), making the permissions work right
only happens when the logon is via Anonymous; as soon as I switched it to
Integrated Windows - two subdirectories that a user was not able to access
previously are now open w/o adjusting the ACL.

So any clues as to why this behaviour (which is rather unexpected to
me) is occurring and how to correct the issue so that Integrated Windows
Authentication obeys NTFS permissions would be greatly appreciated.





David Wang




(Msg. 4) Posted: Mon Jan 29, 2007 2:39 am
Post subject: Re: iis 6 ignoring NTFS permissions

Please re-read the article again. You are missing details from it
regarding Integrated Authentication and pass-thru authentication onto
a UNC virtual directory. In particular, you need to understand and
configure delegation.

I am confused by your other experiments involving anonymous
authentication -- it has no relevance with your Integrated
Authentication/Pass-thru authentication observations. Integrated
Authentication (NTLM) is subject to double-hop and lacks delegation
while anonymous is totally different security-wise, so the two
experiments are not comparable.

I highly suggest re-reading and following the URL I provided because
it answers all your questions and gives you step-by-step instructions
on how to correctly configure your scenario.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
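
The following is an added example, not code from either poster or from the linked article. It reads an IIS 6 metabase.xml export and reports, for each UNC-backed virtual directory, which identity reaches the file server on the second hop that Msg. 4 describes. The sample XML is constructed; the code assumes the IIS 6 metabase attributes Path, AuthFlags (1 anonymous, 2 basic, 4 integrated) and UNCUserName, and that an empty UNCUserName means pass-through authentication.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an IIS 6 metabase.xml export (not from the thread).
SAMPLE = r"""<configuration><MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/docs" Path="\\fs01\docs"
    AuthFlags="4" UNCUserName="CORP\svc-web"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/reports" Path="\\fs01\reports"
    AuthFlags="5" UNCUserName=""/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/local" Path="D:\wwwroot\local"
    AuthFlags="1"/>
</MBProperty></configuration>"""

AUTH_BITS = {1: "anonymous", 2: "basic", 4: "integrated"}  # AuthFlags bit values

def second_hop(vdir):
    """Map each enabled auth method to the identity the file server sees."""
    fixed = vdir.get("UNCUserName", "")
    flags = int(vdir.get("AuthFlags", "0"))
    seen = {}
    for bit, method in AUTH_BITS.items():
        if not flags & bit:
            continue
        if fixed:
            # Assumption: a configured UNC account is used for every request, so
            # per-user NTFS entries (including denies) never match the visitor.
            seen[method] = fixed
        elif method == "integrated":
            # NTLM cannot be forwarded; pass-through needs Kerberos delegation.
            seen[method] = "authenticated user, only with Kerberos delegation"
        elif method == "basic":
            seen[method] = "authenticated user (IIS holds the password)"
        else:
            seen[method] = "anonymous account (IIS holds the password)"
    return seen

def audit(xml_text):
    """Return {metabase location: second_hop result} for UNC-backed vdirs only."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        # split() tolerates the namespace prefix a real metabase.xml carries
        is_vdir = el.tag.split("}")[-1] == "IIsWebVirtualDir"
        if is_vdir and el.get("Path", "").startswith("\\\\"):
            report[el.get("Location")] = second_hop(el)
    return report

if __name__ == "__main__":
    for location, identities in audit(SAMPLE).items():
        print(location, identities)
```

A directory that reports a fixed account under "integrated" is one where share and NTFS ACLs are checked against that account rather than the signed-in user.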


All times are: Pacific Time (US & Canada)