The Goal
I would like only a certain group of users (who are in an Active Directory group composed of users from two domains) to be able to execute a web script, in http://www.site.org/protected, after being challenged for authentication.
The Setup
Windows 2008, IIS 7. User Account Access has been disabled, as it is a pain and sometimes causes perfectly reasonable things to fail. The server is part of a domain I will called LITTLEDOMAIN. We have a trust with BIGDOMAIN.
I have a group, called "LITTLEDOMAIN\can-use-this." In that group are the members LITTLEDOMAIN\me and BIGDOMAIN\me. I did the bit in Active Directory where the server now allows that group to authenticate against another domain (BIGDOMAIN).
The application pool for www.site.org runs as "NetworkService."
The dirctory has the user SYSTEM, the user NETWORK SERVICE, the group Enterprise Admins, and the group LITTLEDOMAIN\can-use-this with at least Read and Execute permissions.
In IIS 7, I have disabled all forms of authentication for that directory but Windows Authentication. As to Authorization Rules, All Users are Allowed.
The Error
When I use, say, FireFox, visit the URL http://www.site.org/protected, and am presented with a challenge, I can enter the username LITTLEDOMAIN\me and my password, then see the minimal HTML generated by my very simple Python script, which is basically a "Hello, World" with a timestamp thrown in so I can make sure caching of the page does not occur. If I use BIGDOMAIN\me, I receive an HTTP 500 error.
Diagnostics Performed
The passwords for LITTLEDOMAIN\me and BIGDOMAIN\me are the same; this has been checked.
I look in the HTTP logs and see the "500 0 267" for "sc-status sc-substatus sc-win32-status" in the HTTP logs. A "net helpmsg 267" from the command line gives me "The directory name is invalid."
I added Failed Request Tracing Rules and see the same unhelpful message in the XML: "The directory name is invalid. (0x8007010b)"
I have turned on file object auditing in the policy for that server, then set the auditing for the directory and the files within it to have all failures for "Everyone," but nothing shows up in the Security section of Event Viewer. I was able to cause other failures, so I know that failure auditing is working. This suggests that the system is not even getting to the point where the file is being accessed.
I gave, temporarily, the group LITTLEDOMAIN\can-use-this full control over the C:\TEMP directory, on the off chance this was in use. I recycled the application pool. The same error occurs. I tried this in C:\Windows\Temp as well, to no avail.
The Question
How can I find out "well, WHICH directory name is invalid?" It's pretty obvious that something, somewhere along the line, wants permissions for BIGDOMAIN, but I cannot figure out where.
The missing component, in addition to an audit policy and Failed Request Tracing, is Process Monitor. Not Process Explorer, but Process Monitor.
Run Process Monitor for three or so seconds, just long enough to get your request in, and have it fail. Use Failed Request Tracing to get the process ID that failed. Use Process Monitor's filter to show only events where the process ID appears -- you can then see where it fails.
Then set auditing on that directory to see what account is being used.
It appears that IIS 7 is returning to the root of the webserver when looking at a protected subdirectory. Odd.
User contributions licensed under CC BY-SA 3.0