You can set up IIS 4.0 or IIS 5.0 to pass the user name and password entered for Basic authentication, and use this pass-through authentication to connect to the remote share. Windows NT Challenge/Response authentication is not supported, because it does not send the password for the UNC connection.
- Create a UNC virtual directory. Verify that the connection to the remote content works and that browsing to that virtual directory does not return errors.
- If you want to use anonymous connections to the computer, do the following:
- In the properties for that virtual root, click the Directory Security tab.
- Click the Edit button next to Anonymous Access and Authentication Control.
- On the Edit button under Allow Anonymous Access, click to uncheck the Enable Automatic Password Synchronization checkbox.
- If you do not want Anonymous access, uncheck the box.
- Turn on Basic Authentication. Please note that the user's domain name, user name, and password are sent over the network without data encryption. To ensure security, the Web administrator can install SSL on this virtual link to force encryption of the password.
- Turn off Windows NT Challenge/Response. NT Challenge/Response authentication does not allow for delegation of user accounts to remote shares. Only Basic Authentication and Anonymous authentication allow for this (Anonymous MUST be set as in step 2).
- Open a command prompt, and change to the %systemroot%\System32\Inetsrv\Adminsamples directory. (Note: %systemroot% is usually winnt on most systems).
- At the prompt, type the following:adsutil set w3svc/#/root/*vdir*/UNCUserName ""(where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)
- At the prompt, type the following:adsutil set w3svc/#/root/*vdir*/UNCPassword ""(where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)
- At the prompt, type the following:adsutil set w3svc/#/root/*vdir*/UNCAuthenticationPassThrough TRUE(where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1.)
- At the prompt, type the following:net stop iisadmin /y
- At the prompt, type the following:net start w3svc
When your users connect and authenticate, the name they type in will be used to connect over the UNC connection to the remote share or content. The Webmaster can now set share-level or NTFS-level permissions, and the user account typed in by the client will be the one used to check against the ACL of these objects.
Note: Any change to this virtual directory in the Internet Service Manager changes the metabase settings above. Therefore, the above steps will need to be performed again.
Article ID: 214806 - Last Review: Jun 22, 2014 - Revision: 1