Microsoft KB Archive/269009

= Red stop sign appears in MMC on UNC-mapped content directory =

Article ID: 269009

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q269009



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When you map a home folder or virtual folder to a share that is located on another computer, a red stop sign icon may be displayed in the Internet Service Manager (ISM) next to the resource that is mapped to the universal naming convention (UNC) path.



CAUSE
When you map content to a UNC, Internet Information Server (IIS) requires connect as credentials that are used to impersonate all users that connect to the UNC resource from the Web or FTP site. Although the connect as credentials are used to establish a connection to the UNC path, IIS uses the credentials of the logged on user to enumerate, or list, the files in a given folder. When you reference resources that are not located on the IIS server, permissions problems can occur because the security resources (that is, groups and accounts) on the IIS server may not have a security context on the remote (UNC) server.



WORKAROUND
Although Microsoft does not recommended using UNC-mapped content on high-capacity Web sites, the following workarounds are available:  Create an account on the UNC server that has the same username and password as the user account that is being used to access Web pages on the IIS server. Both the connect as user and the authenticated user (the user that is connecting from the Web browser) need to have the appropriate new technology file system (NTFS) permissions on the UNC share to access the content. For more information on NTFS permissions, click the following article number to view the article in the Microsoft Knowledge Base:

187506 Required NTFS permissions and user rights for IIS 4.0

Note that the files on the UNC server should be treated as content.

NOTE: If you are using anonymous authentication, by default this is the IUSR_ServerName on the IIS server. However, if you are using Basic authentication, any user account that browses UNC-mapped content must have a security context on the remote computer (that is, either a domain account or each corresponding username and password must be created on the UNC server). Note that the files on the UNC server should be treated as content.Promote both the IIS and UNC servers to be domain controllers in the same Microsoft Windows NT 4.0 or Microsoft Windows 2000 domains. This works because domain controllers share the same security accounts database.NOTE: Microsoft does not recommend installing IIS on a domain controller, due to the performance degradation that is caused by authentication and other domain functionality that is provided by a domain controller.



STATUS
This behavior is by design.



MORE INFORMATION
In addition to decreasing performance of Web applications by pulling content from the network rather than from a local disk, using UNC-mapped content makes managing security more difficult. Windows NT and Windows 2000 treat each server as its own security entity. Based on this implementation, each computer manages its own resources and controls access to the files for which it is responsible. Because each server is responsible for managing resources on itself, it is not possible to manage and control access to resources on another computer; the remote computer is responsible for these resources.

NOTE: One exception to this implementation is domain controllers that are in the same domain, which all share the same security database and can manage resources on other domain controllers that are in the same domain.

