Wednesday, April 10, 2013

Using WebDav on IIS 7 to access UNC Paths

In this post I want to show you step by step how to connect to a file share using WebDAV on IIS 7. For this post I assume:
  • that IIS is already installed on the server
  • that you have installed WebDAV or enabled the WebDAV feature on IIS.
  • that the server on which IIS is installed can reach the file share.

1: CREATE APPLICATION POOL

The first step is to create a separate application pool on the IIS.
  • Open the program "Internet Information Services Manager".
  • Click on "Application Pools"
  • Click on "Add Application Pool" on the right menu
  • Name it "WebDav". Leave the rest as it is.
  • Right-click on the newly created application pool "WebDav" and select "Advanced Settings". Pay attention to the following attributes:
    • .Net Framework Version: No Managed Code
    • Identity: The identity of the Application Pool should be an account which has permissions to read the file share.
    • Load User Profile: Should be set to "False"


2: CREATE WEB SITE

The second step is to create a site.

  • Click on "Sites"
  • Click on "Add Web Site" on the right menu
  • Use the following properties:
    • Name: WebDav
    • Application Pool: WebDav
    • Physical Path: A path on the server
    • Host Name: The host name clients will use to connect to the WebDAV site
(Screenshot: Settings when creating a new web site)

3: ADD WEBDAV AUTHORING RULE

Now we have to allow everybody to use WebDAV.

  • Click on the web site "WebDav" and open "WebDAV Authoring Rules" in the Features list (this feature is only visible if you have installed WebDAV).
  • Click on "Add Authoring Rule" on the right pane.
  • Check the following boxes and click OK.


4: CREATE A VIRTUAL PATH (APPLICATION)

In this step you have to add a virtual path to the file share. A virtual path is something like a symbolic link in Linux: you define an alias path which can point to a local path on the server or even to a network path.

  • Right-click on the web site "WebDav"
  • Click on "Add Virtual Directory"
  • Enter an alias and the path to the file share
  • Click on "Test Settings" to check the connection.
  • Now right-click on the newly created virtual path and select "Convert to an application". Applications in IIS can have their own application pool and authentication settings.
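Steps 1 to 4 as one script, added here as an example and not part of the original post. It uses the WebAdministration PowerShell module (shipped with IIS 7.5; on IIS 7.0 the separately downloadable IIS PowerShell snap-in provides the same cmdlets) and is run in an elevated PowerShell on the IIS server. The site folder, host name, share path and service account are assumptions, and so is the authoring-rule permission set (Read and Source), because the post's screenshot of the ticked boxes is not reproduced here.

```powershell
# Added example (not from the original post): steps 1-4 as a script.
# Run in an elevated PowerShell on the IIS server. Every name below is an
# assumption taken from or added to the post; adjust it to your environment.
Import-Module WebAdministration

$poolName  = 'WebDav'
$siteName  = 'WebDav'
$sitePath  = 'C:\inetpub\webdav'               # any local folder (assumed)
$hostName  = 'webdav.mydomain.com'             # name clients connect to (assumed)
$alias     = 'J'                               # virtual path used in the post
$sharePath = '\\fileserver.mydomain.com\data'  # UNC path of the share (assumed)
$poolCred  = Get-Credential                    # prompt: the application pool account

# --- 1: application pool -----------------------------------------------------
$pool = "IIS:\AppPools\$poolName"
if (-not (Test-Path $pool)) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty $pool -Name managedRuntimeVersion -Value ''   # "No Managed Code"
Set-ItemProperty $pool -Name processModel -Value @{
    identityType = 3                                           # 3 = SpecificUser
    userName     = $poolCred.UserName                          # account that can read the share
    password     = $poolCred.GetNetworkCredential().Password
}
Set-ItemProperty $pool -Name processModel.loadUserProfile -Value $false

# --- 2: web site ---------------------------------------------------------------
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $poolName `
                -HostHeader $hostName -Port 80 | Out-Null
}

# --- 3: WebDAV authoring rule for everybody ------------------------------------
# The post does not list the boxes it ticks; Read and Source (what a client needs
# to fetch files) are assumed here. Add 'Write' only if uploads are wanted.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/webdav/authoring' -Name enabled -Value $true
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/webdav/authoringRules' -Name '.' `
    -Value @{ users = '*'; path = '*'; access = 'Read,Source' }

# --- 4: virtual directory on the share, converted to an application ------------
New-WebVirtualDirectory -Site $siteName -Name $alias -PhysicalPath $sharePath | Out-Null
ConvertTo-WebApplication -PSPath "IIS:\Sites\$siteName\$alias" -ApplicationPool $poolName | Out-Null

# --- check what IIS now has ----------------------------------------------------
Get-WebApplication -Site $siteName | Select-Object path, applicationPool, PhysicalPath
Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/webdav/authoringRules/add' | Select-Object users, path, access
```

The rule with users = '*' only decides who may talk WebDAV to the virtual path; what a user then sees on the share is still decided by the share and NTFS permissions, because after step 5 the request reaches the file server as the delegated user, not as the application pool account.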


5: KERBEROS AND DOUBLE HOP

We have to use Kerberos authentication because the user credentials must be delegated by the IIS server to the file share. NTLM cannot delegate credentials, therefore we have to use Kerberos. Because there is a server in the middle you often have to deal with the double-hop issue.

First let us check the authentication settings in our application.

  • Click on your new virtual application "J" and select the feature "Authentication"
  • You'll see a lot of authentication methods. Disable all except "Windows Authentication"
  • Right-click on "Windows Authentication" and select "Advanced Settings". Ensure that the checkbox "Enable kernel-mode authentication" is checked. Close the dialog.
  • Right-click on "Windows Authentication" again and select "Providers". Ensure that "Negotiate" is listed above "NTLM".


Now you have to check some requirements for Kerberos:

  1. The computer must have the right to delegate Kerberos tickets. Therefore enable the option "Trust this computer for delegation to any service" on the computer account in your Active Directory.
  2. Set the SPNs for your computer and your application pool account. When you try to connect to the WebDAV and a login prompt appears, then you can be sure that the SPNs are not set correctly. Ask your domain admin to set the SPNs correctly.

    We have enabled the "kernel-mode" option, so I think that it would be enough to set the SPNs for your computer account, but I haven't tested it yet.

    To set the SPNs the domain admins are using the SetSPN command. The parameters should be as follows; the last argument is the account that will hold the SPN (the computer account WIN1001 for the HOST entries, and for the HTTP entries the computer account or the application pool account, as discussed above):

    Web application: http://webserver.mydomain.com
    Server Name: WIN1001

    SetSPN -s HOST/WIN1001 WIN1001
    SetSPN -s HOST/WIN1001.mydomain.com WIN1001
    SetSPN -s HTTP/webserver.mydomain.com <account>
    SetSPN -s HTTP/webserver <account>

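Step 5 as a script, added here as an example and not part of the original post: it applies the authentication settings to the application "J" and then checks the two Kerberos requirements (the delegation flag on the computer account, and whether each SPN exists exactly once). It assumes the WebAdministration module (IIS 7.5 or the IIS 7.0 PowerShell snap-in), the ActiveDirectory module from RSAT for the delegation check, and setspn.exe on the path; the site, application and host names are taken from the post.

```powershell
# Added example (not from the original post): step 5 as a script, run in an
# elevated PowerShell on the IIS server. Names are assumptions from the post.
Import-Module WebAdministration

$site     = 'WebDav'
$app      = 'J'
$appPath  = "IIS:\Sites\$site\$app"
$authBase = 'system.webServer/security/authentication'
$hostName = 'webserver.mydomain.com'      # host name from the post's SPN list
$computer = $env:COMPUTERNAME             # WIN1001 in the post

# --- authentication: Windows only, kernel mode, Negotiate before NTLM ----------
foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    # sections of authentication modules that are not installed do not exist; skip them
    Set-WebConfigurationProperty -PSPath $appPath -Filter "$authBase/$m" `
        -Name enabled -Value $false -ErrorAction SilentlyContinue
}
$win = "$authBase/windowsAuthentication"
Set-WebConfigurationProperty -PSPath $appPath -Filter $win -Name enabled       -Value $true
Set-WebConfigurationProperty -PSPath $appPath -Filter $win -Name useKernelMode -Value $true

$prov = "$win/providers"
foreach ($p in 'Negotiate', 'NTLM') {      # remove both, then re-add in the wanted order
    Remove-WebConfigurationProperty -PSPath $appPath -Filter $prov -Name '.' `
        -AtElement @{ value = $p } -ErrorAction SilentlyContinue
}
Add-WebConfigurationProperty -PSPath $appPath -Filter $prov -Name '.' -Value @{ value = 'Negotiate' }
Add-WebConfigurationProperty -PSPath $appPath -Filter $prov -Name '.' -Value @{ value = 'NTLM' }
'Providers now: ' + ((Get-WebConfiguration -PSPath $appPath -Filter "$prov/add").value -join ', ')

# --- Kerberos requirement 1: delegation on the computer account ----------------
Import-Module ActiveDirectory
$c = Get-ADComputer $computer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($c.TrustedForDelegation) {
    "$computer is trusted for delegation to any service (the option from the post)."
} elseif ($c.'msDS-AllowedToDelegateTo') {
    "$computer may delegate only to: " + ($c.'msDS-AllowedToDelegateTo' -join ', ')
} else {
    Write-Warning "$computer has no delegation configured; the second hop to the share will fail."
}

# --- Kerberos requirement 2: each SPN is registered, and only once -------------
# setspn -Q searches the forest and prints one 'CN=...' line per account holding the SPN.
function Test-Spn([string]$spn) {
    $out     = & setspn.exe -Q $spn 2>&1
    $holders = @($out | Where-Object { "$_" -match '^CN=' })
    switch ($holders.Count) {
        0       { Write-Warning "$spn is not registered; clients fall back to NTLM or get a login prompt." }
        1       { "$spn is registered on $($holders[0])" }
        default { Write-Warning "$spn is held by $($holders.Count) accounts (duplicate SPN); Kerberos fails for it." }
    }
}
foreach ($s in "HTTP/$hostName", "HTTP/$($hostName.Split('.')[0])", "HOST/$computer") { Test-Spn $s }
```

Two points the checks rely on. First, the delegation check also accepts the constrained form ("Trust this computer for delegation to specified services only", with the file server's cifs SPN listed), which works for this scenario as well and limits the IIS host to the one service it needs. Second, with kernel-mode authentication enabled and the default settings, http.sys decrypts the Kerberos ticket with the machine account key, so the HTTP SPN belongs on the computer account, as the post's note suspects; only when windowsAuthentication has useAppPoolCredentials set to true must the HTTP SPN be registered on the application pool account instead. A duplicate SPN (the same name on two accounts) produces exactly the login prompt the post describes, which is why the script counts holders rather than only testing for presence.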

6: TESTING THE ACCESS

If all settings are done you should now be able to access the share via WebDAV. Go to a client and open Windows Explorer.

If you already have a DNS entry for webdav, try to connect via \\webdav\J. J was our virtual path.

If you don't have a DNS entry you can try to use the server name, like \\WIN1001\J. To use this you have to change the bindings of the IIS web site.

To change the bindings:

  1. Go to your IIS server and open the Internet Information Services Manager.
  2. Right-click on the web site "WebDav". Select "Edit Bindings".
  3. Click on "Add".
  4. Don't change anything in the dialog and click on OK.
  5. Now your web site is listening to all requests coming to your server.
  6. If you have other web sites, this binding may already exist on one of them. If so, enter the server name as the host name in the binding or delete the other binding.
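Step 6 on both sides, added here as an example and not part of the original post. The first part runs on the IIS server: it lists any site that already owns the host-name-less *:80 binding (the conflict in item 6 above) and then adds that binding to "WebDav". The second part runs on a domain-joined client with PowerShell 3.0 or later: it checks that the WebClient service is there, that the application answers a WebDAV OPTIONS request with Windows authentication, that a Kerberos ticket was actually obtained, and finally maps \\WIN1001\J the way Explorer does. Server and alias names are the post's; everything else is an assumption.

```powershell
# Added example (not from the original post): step 6. Run the first block on
# the IIS server and the second on a client. Names are assumptions from the post.

# --- server: bindings ----------------------------------------------------------
Import-Module WebAdministration
$site = 'WebDav'

# Only one site can listen on *:80 without a host name; show any that already does.
Get-Website | ForEach-Object {
    $name = $_.Name
    $_.bindings.Collection | Where-Object { $_.bindingInformation -eq '*:80:' } |
        Select-Object @{ n = 'Site'; e = { $name } }, bindingInformation
}
# Item 4 of the post: add the binding with an empty host name to "WebDav".
New-WebBinding -Name $site -Protocol http -IPAddress '*' -Port 80
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation

# --- client: does \\WIN1001\J work, and was it Kerberos? ----------------------
$server = 'WIN1001'
$alias  = 'J'
$url    = "http://$server/$alias/"

# Explorer's WebDAV redirector is the WebClient service; it must be running.
Get-Service WebClient | Select-Object Name, Status

# A WebDAV client starts with OPTIONS; the DAV header proves the module answered,
# and -UseDefaultCredentials makes the client negotiate Kerberos (or NTLM).
try {
    $r = Invoke-WebRequest -Uri $url -Method Options -UseDefaultCredentials -UseBasicParsing
    "OPTIONS $url -> $($r.StatusCode), DAV: $($r.Headers['DAV'])"
} catch {
    Write-Warning "OPTIONS $url failed: $($_.Exception.Message). Check SPNs, delegation and the binding."
}

# If Negotiate really used Kerberos, a ticket for the site's HTTP SPN is cached;
# no ticket here means the client silently fell back to NTLM (no double hop).
klist | Select-String -Pattern "HTTP/$server"

# Finally map the virtual path the way Explorer does and list the share.
New-PSDrive -Name W -PSProvider FileSystem -Root "\\$server\$alias" -ErrorAction Stop | Out-Null
Get-ChildItem W:\ | Select-Object Name, Length
Remove-PSDrive W
```

The klist line is the useful negative check: the OPTIONS request can succeed over NTLM and still leave the second hop broken, so a successful request without a cached HTTP/WIN1001 ticket points back at the SPN and delegation settings of step 5 rather than at the binding.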
