Setting up UNC Path Mapping with Pass-through Authentication in IIS 7 and 7.5 (Windows 2008 and 2008R2)

Just closed off an interesting exercise with my current client: we had to set up a SharePoint site and work out a way to easily manage files stored on a network share. These files are secured and only accessible by some users, so we need to ensure that the security of the share is not compromised. We also need to make the files accessible using an HTTP path, so we can leverage the “Link to a Document” content type for SharePoint 2010 document libraries (it only takes URLs starting with HTTP:// or HTTPS://, and you can’t even fake it; Reflector tells us that it does not take anything but a URL). Finally, SharePoint Search will crawl and “security trim” the links to documents that appear within a document library (another reason to use the “Link to a Document” content type).

The department has a limited budget which was entirely consumed by the third party creating the site for them, and so they could not invest in more code to “handle” additional files. The SharePoint platform is in early stages here, and although we’re going to use RBS through SQL it’s far from being set up and ready to rock. So to address the need at a cost that would keep everyone happy (Free) and keep the SQL databases nice and light, we set up a new web site on a SharePoint farm that had the root site configured as the UNC path. These were the key configuration learnings we picked up – hopefully if we ever need to do it again, it won’t be so fiddly.

The application pool account used to run the web site needs read access to the UNC path, its subfolders and files. IIS uses this account to check the properties of the Web.config file and the ACL. You can work around it, but we decided against it (see http://forums.iis.net/p/1149098/1868353.aspx#1868353).

Word on the interwebs is that this works when using Basic Authentication only (or anonymous, but there’s not much value in folder security when enabling anonymous access). I did read on a forum article in IIS.net that it required authentication mechanisms that allowed pass-through Authentication, so it’s possible Kerberos might work (but NTLM does not). We were going to set up SSL, so no problems from rogue Wireshark users and basic auth. You would also need the relevant SPN set up to use Kerberos I guess.

You need to set the UNCUserName and UNCPassword properties to "" (empty string), replacing the # with the number that represents the IIS web site ID (in our case it was 3):

cd c:\inetpub\AdminScripts
cscript adsutil.vbs set w3svc/#/root/UNCUserName ""
cscript adsutil.vbs set w3svc/#/root/UNCPassword ""


Finally, run IISRESET to have the settings take effect.
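To confirm the result, the check below reads the site configuration and reports which UNC-backed virtual directories use pass-through authentication and which sites still have a plain HTTP binding, where Basic Authentication credentials would be readable on the wire. It is an added example, not part of the original post; it assumes IIS 7 stores the UNCUserName/UNCPassword values as the userName and password attributes of the virtualDirectory element in applicationHost.config, and the site names, accounts and paths in the sample are constructed.

```powershell
# Constructed sample; on a server, load the real file instead:
#   [xml]$cfg = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
[xml]$cfg = @'
<configuration><system.applicationHost><sites>
  <site name="FileShare" id="3">
    <application path="/" applicationPool="FileSharePool">
      <virtualDirectory path="/" physicalPath="\\fileserver\docs" userName="" password="" />
    </application>
    <bindings><binding protocol="https" bindingInformation="*:9999:" /></bindings>
  </site>
  <site name="Legacy" id="4">
    <application path="/" applicationPool="LegacyPool">
      <virtualDirectory path="/" physicalPath="\\fileserver\old" userName="CORP\svc_web" password="CONSTRUCTED-PLACEHOLDER" />
    </application>
    <bindings><binding protocol="http" bindingInformation="*:8080:" /></bindings>
  </site>
</sites></system.applicationHost></configuration>
'@

function Get-UncVdirAudit {
    param([xml]$Config)
    foreach ($site in $Config.SelectNodes('//sites/site')) {
        # Collect the binding protocols once per site (http, https, ...)
        $protocols = @($site.SelectNodes('bindings/binding') |
            ForEach-Object { $_.GetAttribute('protocol') })
        foreach ($vdir in $site.SelectNodes('application/virtualDirectory')) {
            $path = $vdir.GetAttribute('physicalPath')
            if (-not $path.StartsWith('\\')) { continue }   # only UNC-backed content
            $user = $vdir.GetAttribute('userName')          # empty string when absent
            [pscustomobject]@{
                SiteId      = $site.GetAttribute('id')
                Site        = $site.GetAttribute('name')
                UncPath     = $path
                # Empty userName: the share is accessed as the authenticated user
                PassThrough = [string]::IsNullOrEmpty($user)
                StoredUser  = $user
                # Basic auth over http sends credentials base64-encoded, not encrypted
                PlainHttp   = $protocols -contains 'http'
            }
        }
    }
}

Get-UncVdirAudit $cfg | Format-Table -AutoSize
```

A row with PassThrough set to False means every request reaches the share as the stored account, so the share's per-user permissions no longer decide who can read a file.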

Manage the Security on the target server’s folders – allow everybody read access to the Share (that way you don’t have to adjust it in two places).

You cannot control users’ ability to view the web.config filename, but they still cannot download it (it’s stopped at the IIS level).

You cannot make the page look pretty. Ours was only an internally-facing Admin page, so no problems there.

Administrators still upload to and from the network share in the traditional way.

Don’t forget to modify the firewall on the IIS servers if you are using a non-standard port to access the site (we used 9999).

Problem solved – $0 cost.


About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.

4 Responses to Setting up UNC Path Mapping with Pass-through Authentication in IIS 7 and 7.5 (Windows 2008 and 2008R2)

  1. Will Gordon says:

    Omg, you're a life saver! I can’t tell you how many sites were talking about editing SPNs, etc. I ran your 2 little lines of code…instantly worked! I read *somewhere* that adsutil.vbs was deprecated, any thoughts, or insight? Regardless, thank you soooo much!!

  2. John Chertudi says:

    I have an IIS 7.5 server pointing to a Windows 2012 file server, and ran into similar issues. I was successful by:
    1. Setting up virtual directory to the UNC path
    2. Disabling Default Document and Enabling Directory Browse on that virtual directory (that should create the web.config in the UNC root)
    3. Making sure the Application Pool user had Read to the UNC Share permissions, Read to the root folder of the UNC path, and Read to the web.config file in the UNC root.
    4. I did take advantage of IIS.net forum post you referenced that suggested at the virtual directory level set allowSubDirConfig to False (used the IIS configuration editor to do so, nasty thing to navigate)

    That was good enough to let our team browse their file server over SSL/Basic Auth and still maintain permission! I may not have solved this without your post, thanks much.
