Red stop sign appears in MMC on UNC-mapped content directory

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:For more information about IIS 7.0, visit the following Microsoft Web site:

Symptoms

When you map a home folder or virtual folder to a share that is located on another computer, a red stop sign icon may be displayed in the Internet Service Manager (ISM) next to the resource that is mapped to the universal naming convention (UNC) path.

Cause

When you map content to a UNC, Internet Information Server (IIS) requires connect as credentials that are used to impersonate all users that connect to the UNC resource from the Web or FTP site. Although the connect as credentials are used to establish a connection to the UNC path, IIS uses the credentials of the logged on user to enumerate, or list, the files in a given folder. When you reference resources that are not located on the IIS server, permissions problems can occur because the security resources (that is, groups and accounts) on the IIS server may not have a security context on the remote (UNC) server.

Workaround

Although Microsoft does not recommended using UNC-mapped content on high-capacity Web sites, the following workarounds are available:

  • Create an account on the UNC server that has the same username and password as the user account that is being used to access Web pages on the IIS server. Both the connect as user and the authenticated user (the user that is connecting from the Web browser) need to have the appropriate new technology file system (NTFS) permissions on the UNC share to access the content. Note that the files on the UNC server should be treated as content.

    NOTE: If you are using anonymous authentication, by default this is the IUSR_ServerName on the IIS server. However, if you are using Basic authentication, any user account that browses UNC-mapped content must have a security context on the remote computer (that is, either a domain account or each corresponding username and password must be created on the UNC server).



  • Note that the files on the UNC server should be treated as content.Promote both the IIS and UNC servers to be domain controllers in the same Microsoft Windows NT 4.0 or Microsoft Windows 2000 domains. This works because domain controllers share the same security accounts database.NOTE: Microsoft does not recommend installing IIS on a domain controller, due to the performance degradation that is caused by authentication and other domain functionality that is provided by a domain controller.

Status

This behavior is by design.

More Information

In addition to decreasing performance of Web applications by pulling content from the network rather than from a local disk, using UNC-mapped content makes managing security more difficult. Windows NT and Windows 2000 treat each server as its own security entity. Based on this implementation, each computer manages its own resources and controls access to the files for which it is responsible. Because each server is responsible for managing resources on itself, it is not possible to manage and control access to resources on another computer; the remote computer is responsible for these resources.

NOTE: One exception to this implementation is domain controllers that are in the same domain, which all share the same security database and can manage resources on other domain controllers that are in the same domain.

References

For more information on troubleshooting permissions between IIS and the UNC servers, see the following articles in the Microsoft Knowledge Base:
185874 How to troubleshoot permissions in Internet Information Server 4.0

271214 Unable to access FoxPro databases on Netware 5 server from IIS 5.0

For more information, see the following articles in the Microsoft Knowledge Base:
280383 IIS Security Recommendations When You Use a UNC Share and Username and Password Credentials
282060 Resources for securing Internet Information Services

Eigenschaften

Artikelnummer: 269009 – Letzte Überarbeitung: 25.06.2009 – Revision: 1

Feedback