Virtual Directory Authentication
IIS virtual directories use one account to connect users; the Microsoft Management Console uses another account to view the virtual directory. Learn how these two accounts interact.
December 15, 2002
To study virtual directory authentication, create identical user accounts called Vdiruser on both your Web server and your file server and assign the same strong password to both accounts. Then, be sure to clear the User must change password at next logon check box. On the file server, create a user account that's identical to the user account you use to log on to Microsoft Management Console (MMC) on the Web server. Make that user a member of the local Administrators group.
Create a shared folder on the file server. Assign NTFS Full Control permission to the local Administrators group and Read permission to Vdiruser. Place a few files in the folder so that you'll have something to look at when you use Microsoft Internet Explorer (IE) to browse to the virtual directory.
Next, create a virtual directory on the IIS system. Enter the path \\file_server_IP_address\share_name in the Directory text box. Enter Vdiruser and the associated password when prompted. When prompted for permissions, select the Read and Browse check boxes. The result is a browsable virtual directory that maps to the remote file server. To test your configuration, open IE and browse to http://iis_server_IP_address/virtual_directory. (You'll need to enable Anonymous Authentication for the Web site first.)
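The two-machine setup above, expressed as a script rather than MMC clicks. This is an added example, not part of the original article: it assumes a newer Windows/IIS release with the LocalAccounts, SmbShare and WebAdministration PowerShell modules (the article itself works in the Internet Information Services console of the time), and the IP address, share name and virtual directory name are placeholders. Passwords are prompted for rather than stored in the script.

```powershell
# Added example, not from the article. Placeholder values; change to match your lab.
$FileServerIp = '192.0.2.10'            # stands in for file_server_IP_address
$ShareName    = 'share_name'
$SharePath    = 'C:\Shares\share_name'
$VdirName     = 'virtual_directory'
$SiteName     = 'Default Web Site'

# Run on the file server: Vdiruser (Read only) and a twin of the account you use
# with MMC on the Web server (local Administrators).
function Initialize-FileServer {
    param(
        [Parameter(Mandatory)] [pscredential] $VdirCred,    # Vdiruser + the shared strong password
        [Parameter(Mandatory)] [pscredential] $MmcTwinCred  # same name and password as your Web-server logon
    )
    foreach ($c in $VdirCred, $MmcTwinCred) {
        # New-LocalUser does not set "User must change password at next logon",
        # so nothing needs clearing; the Web server must get identical accounts.
        New-LocalUser -Name $c.UserName -Password $c.Password -PasswordNeverExpires | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $MmcTwinCred.UserName

    New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
    # A few files so the browse test shows something (constructed sample content)
    'one', 'two', 'three' | ForEach-Object { "sample $_" | Set-Content (Join-Path $SharePath "$_.txt") }

    # NTFS: Administrators Full Control, Vdiruser Read, inherited by files and subfolders
    icacls $SharePath /grant 'Administrators:(OI)(CI)F' "$($VdirCred.UserName):(OI)(CI)R" | Out-Null
    # Share permissions mirror NTFS, so Vdiruser's effective right stays Read
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess 'Administrators' -ReadAccess $VdirCred.UserName | Out-Null
}

# Run on the Web server: the virtual directory, its Connect As account, Read + Browse,
# and Anonymous authentication on the site so the IE test needs no logon.
function Initialize-WebServer {
    param([Parameter(Mandatory)] [pscredential] $VdirCred)
    Import-Module WebAdministration
    $unc = "\\$FileServerIp\$ShareName"
    New-WebVirtualDirectory -Site $SiteName -Name $VdirName -PhysicalPath $unc | Out-Null

    # Connect As: the identity IIS presents to the file server for every request into the UNC path
    $vdirFilter = "system.applicationHost/sites/site[@name='$SiteName']/application[@path='/']/virtualDirectory[@path='/$VdirName']"
    Set-WebConfigurationProperty -Filter $vdirFilter -Name userName -Value $VdirCred.UserName
    Set-WebConfigurationProperty -Filter $vdirFilter -Name password -Value $VdirCred.GetNetworkCredential().Password

    # "Browse" = directory listing; Read access is the default for a new virtual directory
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$VdirName" -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
}

# Usage:
#   File server:  Initialize-FileServer -VdirCred (Get-Credential Vdiruser) -MmcTwinCred (Get-Credential)
#   Web server:   Initialize-WebServer  -VdirCred (Get-Credential Vdiruser)
#   Then browse to http://<iis_server_IP_address>/virtual_directory
```

The only account that ever reaches the file server on behalf of a browser is the Connect As account, which is why it gets Read and nothing more; the Administrators twin exists solely so the console on the Web server can list the folder.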
Now, let's see what happens when you misconfigure the virtual directory. On the IIS server, open the MMC Internet Information Services snap-in, open the virtual directory's Properties dialog box, click Connect As, and enter the username Bogus and any password. Close the MMC console. Open a command prompt and type
iisreset
This little test has an interesting outcome. Open the Internet Information Services console. You can see the remote folder's contents, but the virtual directory object is marked with an error icon. You can enumerate the virtual directory's contents because IIS uses the valid user account with which you've logged on to the IIS server to enumerate the files on the remote system. But if you use IE to browse to the virtual directory, authentication will fail because the remote system can't authenticate the user account you specified for the virtual directory. Open the virtual directory's Properties dialog box again, change the user account in the Connect As setting back to Vdiruser, and enter the correct password. This action removes the error icon and restores IE access to the virtual directory.
Now, change the password of the file server's matching Administrator account so that it no longer is identical to the account you use to log on to MMC. If you're logged on to the file server with the matching account, log off the file server, then log on again. Open a command prompt on the IIS server and type
iisreset
You might not see an error icon by the virtual directory, but you won't be able to enumerate the virtual directory's files. However, you'll still be able to access the virtual directory through IE.
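The two misconfigurations above fail in opposite places: a bad Connect As account breaks browser access but leaves the console listing working, while a mismatched administrator password breaks the console listing but leaves browser access working. The error icon is therefore not a reliable signal on its own. The following added example (not from the article) tests each path separately from the Web server, assuming the WebAdministration module of a newer IIS release and placeholder site, directory and URL names.

```powershell
# Added example, not from the article. Run on the Web server.
Import-Module WebAdministration

# Read what the virtual directory is configured with: the UNC path and the Connect As name.
function Get-VdirConnectAs {
    param([string] $SiteName = 'Default Web Site', [string] $VdirName = 'virtual_directory')
    $filter = "system.applicationHost/sites/site[@name='$SiteName']/application[@path='/']/virtualDirectory[@path='/$VdirName']"
    [pscustomobject]@{
        PhysicalPath = (Get-WebConfigurationProperty -Filter $filter -Name physicalPath).Value
        ConnectAs    = (Get-WebConfigurationProperty -Filter $filter -Name userName).Value
    }
}

# Failure mode 1 (Bogus entered in Connect As): IE fails, the console still lists files.
# Check the Connect As credential directly against the share, without IIS in the path.
# Caveat: SMB allows one set of credentials per server per session, so run this from a
# session that has no other connection open to the file server.
function Test-ConnectAsAccess {
    param([Parameter(Mandatory)] [string] $UncPath, [Parameter(Mandatory)] [pscredential] $Cred)
    try {
        New-PSDrive -Name 'VdirCheck' -PSProvider FileSystem -Root $UncPath -Credential $Cred -ErrorAction Stop | Out-Null
        $count = (Get-ChildItem -Path 'VdirCheck:\' -ErrorAction Stop | Measure-Object).Count
        return "OK: $($Cred.UserName) can read $UncPath ($count items); browser access should work"
    } catch {
        return "FAIL: the file server rejected $($Cred.UserName) for $UncPath - $($_.Exception.Message)"
    } finally {
        Remove-PSDrive -Name 'VdirCheck' -ErrorAction SilentlyContinue
    }
}

# Failure mode 2 (the twin administrator account's password no longer matches): the console
# listing fails, IE still works, because the listing runs as the logged-on operator.
function Test-OperatorAccess {
    param([Parameter(Mandatory)] [string] $UncPath)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $count = (Get-ChildItem -Path $UncPath -ErrorAction Stop | Measure-Object).Count
        return "OK: $me can enumerate $UncPath ($count items); the console listing should work"
    } catch {
        return "FAIL: $me cannot enumerate $UncPath - the matching account or password on the file server differs"
    }
}

# The authoritative check: what an anonymous browser sees, equivalent to the IE test.
function Test-HttpAccess {
    param([Parameter(Mandatory)] [string] $Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return "OK: HTTP $($r.StatusCode) from $Url"
    } catch {
        return "FAIL: $Url - $($_.Exception.Message)"
    }
}

# Usage (prompts for the Connect As password; URL host is a placeholder):
$v = Get-VdirConnectAs
Test-ConnectAsAccess -UncPath $v.PhysicalPath -Cred (Get-Credential $v.ConnectAs)
Test-OperatorAccess  -UncPath $v.PhysicalPath
Test-HttpAccess      -Url 'http://iis_server_IP_address/virtual_directory'
```

Reading the three results together tells you which of the two accounts is wrong: a FAIL from Test-ConnectAsAccess together with a FAIL from Test-HttpAccess points at the Connect As setting, while a FAIL from Test-OperatorAccess with HTTP still OK points at the administrator twin on the file server. Remember to run iisreset after correcting the virtual directory, as the article does, before repeating the HTTP check.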