(Intranet) I'm trying to setup a website which will serve up files from a network share (\\servername\folder\file). Only users who have access to the network folder through active directory groups should be able to download the files through the website.
Site:
AppPool: DefaultAppPool
Authentication: Windows Authentication
Subsite:
AppPool: DefaultAppPool
Authentication: Windows Authentication
Virtual Directory:
Physical Path: \\servername\Folder
Physical Path Credentials: Application user (pass-through authentication)
Logon Type: ClearText
When I try to navigate to the site with a link like this: http://webserver/subsite/virtualdirectory/folder/file.xls, I get repeatedly prompted for credentials even though the credentials I enter should be valid. In the Virtual Directory setup, if I change it from pass-through to "specific user", it works but that bypasses the security of the active directory groups.
Am I configuring something incorrectly here?
Note, I already looked at Pass-through authentication not working. IIS 7
There are two separate authentications going on:
Those are completely separate operations.
I believe you're running into the double hop problem: You can use the user's credentials to authenticate on your server, but you cannot (by default) send those credentials to another server. To enable that, you might be able to setup Kerberos delegation in Active Directory, which can get complicated.
If setting up delegation is not an option, then you will have to find another way to serve those files to the user.
I agree this is a difficult problem to solve if you really want the share permissions of the share to dictate who can download the file through the site. One option is a direct link to the share (if the user's computer has network access to the server):
<a href="file://servername/Folder/somefile.txt">Download</a>
That works in IE, but not in Chrome because Chrome specifically disables file:// links (unless you enable it via plugin).
Another, more complicated option is to pipe the file through your application. Your application can access the file and enumerate the share permissions to see if the user has access, then allow the download if so. But NTFS permissions are notoriously difficult to wade through.
Or just ignore the share permissions and find some other way to determine whether the person should have access (one specific security group, for example) instead of relying on the share permissions.