Unable to browse the web application pointed to a share located on another computer

I ran into an interesting issue a few days back which I would like to share with everyone. The story goes as follows.

My customer had configured the virtual directory of his application to point to a share located on another computer as \\{server}\{share}.

They were using an account called “x.x.x.x\User1” for the “Connect as” user, where x.x.x.x is the IP address of the remote server. This account was created identically on both the web server and the file server, with the same username and password. The web server is running Windows 2003 SP1 while the file server is running Windows 2000 SP4. Both machines are in the same workgroup.

This virtual directory is configured under a separate application pool whose identity is “x.x.x.x\User1”.

When we access the web page through IIS, we get an Access Denied error due to ACLs.

Filemon showed:

1831 11:18:23 AM w3wp.exe:7624 OPEN \\x.x.x.x\share\test.html ACCESS DENIED WebServer\User1

We saw that the customer was able to browse the pages on a different box with the same configuration.

We checked the settings on the working environment and everything looked similar.
We ran the Netmon utility and saw that the client is going through a proxy server and something is blocking the execution.

We checked the metabase of the non-working server and saw UNCUserName="User1". This means IIS will try to access the UNC share as the local user account, and since that account is not known on the target server, the request fails. Also, with no machine name or IP address prefixed to the username, the remote server has no way to resolve the identity.

RESOLUTION:
We installed the AuthDiag tool on the non-working server and ran it. It showed that the LogonType being used was "Network" instead of "Network Cleartext", which is the default in IIS 6. The output looked like the following:

<AuthMonRow Number="6" tid="0x9e8" Date="date" Name="User1" Success="Yes" Error_Number="0" UserName="User1" Domain="Domain" LogonType="Network" time_taken="0 ms" />

We changed the LogonMethod property in the IIS metabase to 3 (cleartext logon) and this fixed the issue for us. Please refer to the More Information section of this post to see how to change this value.

CAUSE:

This issue occurs because of a change in the value of the Windows Server 2003 (IIS 6.0) LogonMethod metabase property. The LogonMethod property determines how IIS will pass the anonymous user account to a remote server. By default, Windows 2000 (IIS 5.0) uses a value of MD_LOGON_INTERACTIVE for the LogonMethod property. Conversely, Windows Server 2003 uses a default value of MD_LOGON_NETWORK_CLEARTEXT for the LogonMethod property.

Note: The type of logon session created is controlled by the LogonMethod IIS Metabase setting. The default is an interactive logon session, which requires the account to have the "Allow Log on Locally" user privilege.

MORE INFORMATION:

How to change the LogonMethod property in IIS Metabase:

Note Always back up the metabase before you edit it.

Change the LogonMethod property for a specific Web site on the Windows Server 2003-based computer

To change the LogonMethod property for a specific Web site, follow these steps.

1. Determine the Web site ID. To do this, follow these steps:

a. Click Start, click Run, type notepad, and then click OK.
b. On the File menu, click Open.
c. In the Files of type list, click All Files.
d. Locate the following folder:
%windir%\System32\Inetsrv
e. Click MetaBase.xml, and then click Open.
f. On the Edit menu, click Find.
g. Type iiswebserver, and then click Find Next.
h. In the IISWebServer element, locate the ServerComment attribute. The value of the ServerComment attribute is the name of your Web site. For example, the name of your Web site may be Default Web Site.

Note To find additional Web sites, click Find Next until you find the Web site that you want.
i. In the IISWebServer element, locate the Location attribute. For example, the Location attribute may appear as the following:
/LM/W3SVC/1
In this example, the Web site ID is 1.

2. At a command prompt, open the Drive:\Inetpub\AdminScripts folder, type the following command, and then press ENTER:

cscript adsutil.vbs set w3svc/WebSiteID/logonmethod 2
Note WebSiteID is the Web site ID that you found in step 1.i.

The following response appears, indicating the new LogonMethod property value.
logonmethod : (INTEGER) 2

3. Close the command prompt, and then close Notepad.

Change the LogonMethod property for all Web sites on the Windows Server 2003-based computer

1. At a command prompt, open the Drive:\Inetpub\AdminScripts folder, type the following command, and then press ENTER:

cscript.exe adsutil.vbs set w3svc/logonmethod 2
The following response appears, indicating the new LogonMethod property value.
logonmethod : (INTEGER) 2

2. Close the command prompt.

The following table illustrates the behavior for the LogonMethod property in Windows Server 2003:

Logon type               LogonMethod property value       Logon right that is required   Security ID (SID)                Access token outgoing credentials
Network with clear text  3 - MD_LOGON_NETWORK_CLEARTEXT   Network                        NT AUTHORITY\NETWORK_CLEARTEXT   Yes
Network                  2 - MD_LOGON_NETWORK             Network                        NT AUTHORITY\NETWORK             No
Batch                    1 - MD_LOGON_BATCH               Batch                          NT AUTHORITY\BATCH               Yes
Interactive              0 - MD_LOGON_INTERACTIVE         Interactive                    NT AUTHORITY\INTERACTIVE         Yes
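The two things we had to find by hand above (an unqualified UNCUserName on the UNC virtual directory, and a LogonMethod that yields a token without outgoing credentials, per the table) can be checked offline against MetaBase.xml. The script below is an added example, not part of the original post or any Microsoft tool; the MetaBase.xml fragment is constructed, and it assumes the metabase attribute names match the property names (Location, Path, UNCUserName, LogonMethod) and that a LogonMethod set on a site or on /LM/W3SVC is inherited by the virtual directories beneath it.

```python
import xml.etree.ElementTree as ET

# Constructed MetaBase.xml fragment (not taken from the post). Site 1 has the
# non-working configuration; site 2 has a qualified user and cleartext logon.
METABASE_XML = """<configuration><MBProperty>
<IIsWebService Location="/LM/W3SVC" LogonMethod="2" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="C:\\Inetpub\\wwwroot" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/share" Path="\\\\10.0.0.5\\share" UNCUserName="User1" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet" LogonMethod="3" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/docs" Path="\\\\10.0.0.5\\docs" UNCUserName="10.0.0.5\\User1" />
</MBProperty></configuration>"""

# From the LogonMethod table: only value 2 (Network) produces an access token
# with no outgoing credentials, so it cannot authenticate to a remote share.
LOGON_NAMES = {0: "Interactive", 1: "Batch", 2: "Network", 3: "Network cleartext"}
DEFAULT_LOGON_METHOD = 3  # IIS 6 default, MD_LOGON_NETWORK_CLEARTEXT

def effective_logon_method(nodes, location):
    """Walk from the vdir Location up towards /LM/W3SVC and return the nearest
    explicitly set LogonMethod (assumed inheritance), else the IIS 6 default."""
    while location:
        node = nodes.get(location)
        if node is not None and node.get("LogonMethod") is not None:
            return int(node.get("LogonMethod"))
        location = location.rsplit("/", 1)[0]
    return DEFAULT_LOGON_METHOD

def audit_unc_vdirs(xml_text):
    """Return (Location, problem) pairs for virtual directories whose Path is a
    UNC share and whose credentials cannot work against the remote server."""
    root = ET.fromstring(xml_text)
    nodes = {n.get("Location"): n for n in root.iter() if n.get("Location")}
    findings = []
    for vdir in root.iter("IIsWebVirtualDir"):
        path = vdir.get("Path", "")
        if not path.startswith("\\\\"):
            continue  # local path: the LogonMethod/UNCUserName issue does not apply
        loc = vdir.get("Location")
        user = vdir.get("UNCUserName", "")
        method = effective_logon_method(nodes, loc)
        if "\\" not in user:
            # No machine or domain prefix: resolves to a local account the
            # file server has no way to recognise (the UNCUserName="User1" case).
            findings.append((loc, "unqualified UNCUserName %r for %s" % (user, path)))
        if method == 2:
            findings.append((loc, "LogonMethod 2 (%s) carries no outgoing credentials for %s"
                             % (LOGON_NAMES[method], path)))
    return findings

if __name__ == "__main__":
    for location, problem in audit_unc_vdirs(METABASE_XML):
        print(location, "-", problem)
```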

MORE READING:

How to access network files from IIS applications

https://support.microsoft.com/kb/207671/