Just closed off an interesting exercise with my current client – we had to set up a SharePoint site and work out a way to easily manage files stored on a network share. These files are secured and only accessible by some users, so we need to ensure that security of the share is not compromised. We also need to make the files accessible using an HTTP path, so we can leverage the “Link to a Document” content type for SharePoint 2010 document libraries (it only takes URLs starting with HTTP:// or HTTPS:// – you can’t even fake it – Reflector tells us that it does not take anything but a URL). Finally, SharePoint Search will crawl and “security trim” the links to documents that appear within a document library (another reason to use the “Link to a Document” content type).
The department has a limited budget which was entirely consumed by the third party creating the site for them, and so they could not invest in more code to “handle” additional files. The SharePoint platform is in early stages here, and although we’re going to use RBS through SQL it’s far from being set up and ready to rock. So to address the need at a cost that would keep everyone happy (Free) and keep the SQL databases nice and light, we set up a new web site on a SharePoint farm that had the root site configured as the UNC path. These were the key configuration learnings we picked up – hopefully if we ever need to do it again, it won’t be so fiddly.
The application pool account used to run the web site needs read access to the UNC path, its subfolders and files. This access is used to check the properties of the Web.config file and the ACL – you can work around it but we decided against it: http://forums.iis.net/p/1149098/1868353.aspx#1868353
Word on the interwebs is that this works when using Basic Authentication only (or anonymous, but there’s not much value in folder security when enabling anonymous access). I did read in a forum article on IIS.net that it required authentication mechanisms that allowed pass-through authentication, so it’s possible Kerberos might work (but NTLM does not). We were going to set up SSL, so no problems from rogue Wireshark users and basic auth. You would also need the relevant SPN set up to use Kerberos, I guess.
You need to set the UNCUserName and UNCPassword properties to "" (empty string). In the commands below, replace the # with the number that represents the IIS web site ID (in our case it was 3):
cscript adsutil.vbs set w3svc/#/root/UNCUserName ""
cscript adsutil.vbs set w3svc/#/root/UNCPassword ""
Finally, run IISRESET to have the settings take effect.
Manage the security on the target server’s folders, and allow everybody read access to the share itself (that way you don’t have to adjust it in two places).
You cannot control users’ ability to view the web.config filename, but they still cannot download it (it’s stopped at the IIS level).
You cannot make the page look pretty. Ours was only an internally-facing Admin page, so no problems there.
Administrators still upload to and from the network share in the traditional way.
Don’t forget to modify the firewall on the IIS servers if you are using a non-standard port to access the site (we used 9999).
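One way to confirm from a client that the folder ACLs are really being enforced per user once the steps above are done (an added example, not part of the original post). It assumes two test accounts you control, one on the secured folder's ACL and one not, and a known file under the site; the function names and the accepted status codes are this example's assumptions.

```python
import base64
import getpass
import sys
import urllib.error
import urllib.request

def fetch_status(url, user=None, password=None, timeout=10):
    """GET url, optionally with Basic credentials; return the HTTP status code."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401/403/404 arrive as exceptions
        return err.code

def audit(base_url, checks):
    """Run each check; return (label, status) for every status that was not allowed."""
    failures = []
    for label, path, user, password, allowed in checks:
        status = fetch_status(base_url.rstrip("/") + path, user, password)
        if status not in allowed:
            failures.append((label, status))
    return failures

def build_checks(member, outsider, secured_file):
    """member/outsider are (user, password) pairs: one on the folder ACL, one not."""
    denied = {401, 403}
    return [
        ("anonymous is refused", secured_file, None, None, denied),
        ("member on the ACL can read", secured_file, *member, {200}),
        # A 200 here means IIS reads the share as a fixed account, not as the caller.
        ("outsider is refused", secured_file, *outsider, denied),
        ("web.config is not served", "/web.config", *member, denied | {404}),
    ]

if __name__ == "__main__":
    if len(sys.argv) != 5:
        print("usage: audit.py BASE_URL SECURED_FILE MEMBER_USER OUTSIDER_USER")
    else:
        base, path, member, outsider = sys.argv[1:]
        creds = [(u, getpass.getpass(f"password for {u}: ")) for u in (member, outsider)]
        for label, status in audit(base, build_checks(creds[0], creds[1], path)):
            print(f"FAIL: {label} (got HTTP {status})")
```

Run it against the HTTPS URL so the test passwords are not sent in clear text; the server certificate must be trusted by the machine running the check.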
Problem solved – $0 cost.