IISAnswers Articles
Enabling Pass-through-authentication for IIS 4 and IIS 5
by Brett Hill

When you create a virtual directory that is mapped to a remote share, you must provide a username and password that the remote system will honor for access to the share. Every access to the virtual directory is then carried out in the security context of that username/password. The question frequently arises: “Can I configure IIS to use the logged-on user’s credentials instead of those provided when I created the virtual directory?” This is called pass-through authentication, and as it turns out, you can enable it for both IIS 4 and IIS 5. However, in IIS 4 pass-through authentication is unsupported.

IIS 5

Enabling pass-through authentication requires two things:

 1. Use an authentication method that supports pass-through authentication.

    • Anonymous with IIS control password disabled
    • Basic
    • Integrated Windows if everyone uses IE 5.0 on Win2K systems which are part of a domain. In this situation Kerberos will be used.
    • Certificate Mapping (IIS 5.0 version, not Windows Mapper)

 2. Modify the metabase to enable it.

You can edit the metabase with a script or with MetaEdit. The ASP code below enables pass-through authentication for IIS 5 on a virtual directory called ‘Protected’ in the default Web site. You need to substitute the correct Web site number for 1 and the name of your virtual directory for ‘Protected’.

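<%
' Bind to the virtual directory's metabase node (site 1, vdir "Protected")
Dim oVD
Set oVD = GetObject("IIS://localhost/W3SVC/1/Root/Protected")
' Use the requesting user's credentials for the UNC share
oVD.UNCAuthenticationPassThrough = True
' Write the change to the metabase
oVD.SetInfo
Set oVD = Nothing
%>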

(Note: Internally, IIS uses numbers, not website names, to distinguish between the virtual websites. The website number is assigned in sequence as sites are created. You can determine the website number using MetaEdit 2.2, available from Microsoft at http://support.microsoft.com/support/kb/articles/q232/0/68.asp, or by typing c:\inetpub\adminscripts\cscript findweb.vbs "Web Site Name", where Web Site Name is the name that shows in the Internet Services Manager for the website. It is case sensitive.)
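To check the result of the change, and to see which UNC-mapped virtual directories on a server have pass-through enabled and which authentication methods they allow, the metabase can be walked through the same ADSI provider. This is an added example, not code from the original article; it assumes it is run with cscript by an administrator on the IIS server, and the file name auditunc.vbs is hypothetical.

```vbscript
' Added example: list every UNC-mapped virtual directory on the local IIS
' server with its pass-through flag and the authentication methods enabled.
' Run with: cscript //nologo auditunc.vbs   (hypothetical file name)
Option Explicit

Dim oSvc, oSite
Set oSvc = GetObject("IIS://localhost/W3SVC")
For Each oSite In oSvc
    ' W3SVC also holds non-site keys (filters, info); keep only web sites
    If oSite.Class = "IIsWebServer" Then
        ' Name is the site number, ServerComment is the name shown in the console
        WScript.Echo "Site " & oSite.Name & " (" & oSite.ServerComment & ")"
        WalkDir GetObject(oSite.ADsPath & "/Root"), "/"
    End If
Next

' Recurse through virtual directories and plain directories under a site root
Sub WalkDir(oDir, sUrl)
    Dim oChild
    If oDir.Class = "IIsWebVirtualDir" Then
        ' A Path starting with \\ means the content lives on a remote share
        If Left(oDir.Path, 2) = "\\" Then Report oDir, sUrl
    End If
    For Each oChild In oDir
        If oChild.Class = "IIsWebVirtualDir" Or oChild.Class = "IIsWebDirectory" Then
            WalkDir oChild, sUrl & oChild.Name & "/"
        End If
    Next
End Sub

' Print the settings that decide whose credentials reach the remote share
Sub Report(oDir, sUrl)
    WScript.Echo "  " & sUrl & " -> " & oDir.Path
    WScript.Echo "    UNCAuthenticationPassThrough = " & oDir.UNCAuthenticationPassThrough
    WScript.Echo "    UNCUserName = " & oDir.UNCUserName
    WScript.Echo "    AuthAnonymous = " & oDir.AuthAnonymous & _
                 "  AnonymousPasswordSync = " & oDir.AnonymousPasswordSync
    WScript.Echo "    AuthBasic = " & oDir.AuthBasic & "  AuthNTLM = " & oDir.AuthNTLM
End Sub
```

A directory that reports pass-through as True while Anonymous is enabled with AnonymousPasswordSync also True does not meet the first requirement listed above.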

IIS 4

As mentioned before, enabling pass-through authentication is not supported by Microsoft for IIS 4. It will cause some things to fail, such as indexing the content of the affected virtual directories. Nevertheless, it can be done and I prefer to leave these decisions in the hands of the people who may need it. The following information is from a KB article that has since been deleted from the MS website.

In IIS 4.0, here's how you enable pass-through authentication:

 1. Enable an authentication mode that supports remote access to resources, which means you must use either Basic or Anonymous with Automatic Password Synchronization turned off.

 2. Locate the adsutil.vbs utility script, which is usually in the \winnt\system32\inetsrv\adminsamples directory.

 3. At a command prompt, type adsutil set w3svc/#/root/*vdir*/UNCUserName

    # = the Web site number in the metabase. (You can use MetaEdit to identify this number. Vdir is the name of the virtual directory you're trying to affect.)

 4. Repeat Step 3, but type adsutil set w3svc/#/root/*vdir*/UNCPassword.

 5. Repeat Step 3, but type adsutil set w3svc/#/root/*vdir*/UNCAuthenticationPassThrough TRUE.

 6. Type net stop iisadmin /y.

 7. Type net start w3svc.


© 2000, Brett Hill
All Rights Reserved