How to get the FPSE2002 AllowUNC feature to work with Windows Server 2008
I've had a few questions about getting the FrontPage 2002 Server Extensions (FPSE2002) AllowUNC feature to work with Windows Server 2008, so I thought that I would put together a blog post from the information that I had been giving out whenever someone ran into problems.
As a little bit of background information, Windows Server 2003 shipped with a later version of FPSE2002 than had previously been released, and that version was used as the code base for the version of FPSE2002 that was later shipped for Windows Server 2008. One of the great features of this release was the ability to host your content on a remote server using a UNC share, which is something that web administrators had been requesting for years. Microsoft wrote a full whitepaper that details all of the possible configurations and steps to configure FPSE2002 with this feature at the following URL:
http://technet.microsoft.com/en-us/library/cc768023.aspx
That being said, that whitepaper is quite large, and not all of it is necessary if you simply want to host FPSE2002-based content on a UNC path. With that in mind, I have come up with an abbreviated set of steps that uses the whitepaper as a base for enabling this feature. To be more specific, I was able to implement this feature by using only the following sections of that whitepaper:
- "Configuring the File Server"
- "To Share the Folder"
- "Creating and Configuring a Virtual Server in IIS"
- "Configuring Security Settings for the Virtual Server"
- "To Configure the Registry for the Web server"
- "To Enable FrontPage Server Extensions 2002"
The body of this blog post is an excerpt from the whitepaper, and contains only the steps that I used to get my test scenario up and running. For my test, I set up a domain controller, a file server, and a web server; all running Windows Server 2008 or Windows Server 2003. I include notes when necessary to highlight issues that I ran into.
Additional Notes:
- I cannot stress enough that setting up this configuration is not an easy task to perform; if you skip any of the steps listed here, the functionality will not work.
- Some of the AllowUNC functionality is not implemented through the UI; you have to make changes to your registry to enable it.
- All servers must be Windows Server 2008 or Windows Server 2003 and members of the same Active Directory domain.
- In the "To Share the Folder" steps I added the domain-level IUSR account to the permissions on the shared folder so that anonymous access would work.
- In the "Configuring Security Settings for the Virtual Server" steps I used Basic Authentication as this is the most common Internet-based method.
- I only tested this with a UNC share on a Windows-based server, I did not test with SAN or NAS devices so I am not sure if they would work.
CONFIGURING THE FILE SERVER
You must configure a shared folder on the file server and grant the Web server access to the contents of that folder. Note that you must set the permissions on the folder itself, not on a parent folder. It is also recommended that you implement IPsec on the file server, so that only the Web server, the domain controller, and administrator computers can reach the file server over TCP/IP. For more information about configuring IPsec, see Setting Up IPsec Domain and Server Isolation in a Test Lab.
To create a folder and set the folder ACLs
- In My Computer, create or locate the folder that will contain the Web site content.
- Right-click the folder, and click Properties.
- In the Properties dialog box, click the Security tab.
- Click Advanced. If you are using Windows Server 2008, click Edit.
- Click Add.
- Type Administrators, and then click OK.
- Select Full Control, and then click OK.
- Click Add.
- Click Object Types, and then in the Object Types box, select the Computers check box, and then click OK.
- In the Enter the object names to select box, type the Web server computer name, followed by a dollar sign ($) and then click OK.
- Select Full Control, and then click OK.
- Clear the check box for allowing inheritable permissions to propagate to the folder.
- On Windows Server 2008 this check box is labeled "Include inheritable permissions from this object's parent".
- On Windows Server 2003 this check box is labeled "Allow inheritable permissions from the parent object to propagate to this object and all child objects".
- Click Remove to clear the inherited permissions for the folder.
- Click OK, and then click OK again to close the Properties dialog box.
- The folder now only allows file access to the Administrators group and the Web server computer you specified. When you extend the virtual server on the Web server computer, the access control list (ACL) will be automatically updated with any additional required users or security principals.
To share the folder
- On Windows Server 2008:
- Right-click the folder, and click Properties.
- On the Sharing tab, click Advanced Sharing.
- Check the Share this folder check box.
- In the Share name box, type the name to use for the share. Use the format sharename$ so the share is hidden when users browse the machine. Note that the trailing $ only keeps the share out of browse lists; it is not an access control, and anyone who knows the name can still connect, so the NTFS ACL you set in the previous procedure remains the real restriction.
- Click Permissions.
- Select Everyone, and then click Full Control.
- Click OK, and then click OK again, and then click Close to close the Properties dialog box.
- On Windows Server 2003:
- Right-click the folder, and click Properties.
- On the Sharing tab, select Share this folder.
- In the Share name box, type the name to use for the share. Use the format sharename$ so the share is hidden when users browse the machine. As noted above, the $ only hides the share from browse lists and does not restrict access.
- Click Permissions.
- Select Everyone, and then click Full Control.
- Click OK, and then click OK again to close the Properties dialog box.
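The same file-server configuration (NTFS ACL, then the hidden share) can be scripted instead of clicked through. The following is an added example, not code from the original post or from the whitepaper, run from an elevated PowerShell prompt on the file server. Every name in it is an assumption: domain CONTOSO, Web server WEBSRV01, content folder D:\Sites\FpseContent, share FpseContent$, and CONTOSO\IUSR_FPSE as the domain-level anonymous account. The Read & Execute level for the anonymous account is also my choice; the post only says the account was added.

```powershell
# Added example (not from the original post). Assumed names throughout:
#   domain CONTOSO, Web server WEBSRV01, folder D:\Sites\FpseContent,
#   share FpseContent$, domain anonymous account CONTOSO\IUSR_FPSE.
# Run in an elevated PowerShell prompt on the file server.
$ErrorActionPreference = 'Stop'

$folder    = 'D:\Sites\FpseContent'
$share     = 'FpseContent$'        # trailing $ only hides the share from browse lists
$webServer = 'CONTOSO\WEBSRV01$'   # the Web server's computer account (note the $)
$anonUser  = 'CONTOSO\IUSR_FPSE'   # domain account that IIS will use for anonymous access

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# NTFS ACL. Grant the explicit entries first, then strip the inherited ones so the
# folder is left with exactly the principals we want. (OI)(CI) = applies to files and
# subfolders, F = Full Control, RX = Read & Execute (my choice for the anonymous account).
# FPSE adds any further principals it needs when you extend the virtual server.
icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F' "$($webServer):(OI)(CI)F"
icacls $folder /grant "$($anonUser):(OI)(CI)RX"
icacls $folder /inheritance:r

# Share layer: Everyone / Full Control, as the whitepaper requires. Effective access is the
# more restrictive of share and NTFS permissions, so the NTFS ACL above is what actually
# limits who can get in. The /GRANT switch exists on Windows Server 2008; on Windows
# Server 2003 set the share permissions in the Sharing tab as described above.
net share "$share=$folder" '/GRANT:Everyone,FULL' '/REMARK:FPSE2002 content (UNC)'

# Verify: inheritance is off and only the intended ACEs remain.
$acl = Get-Acl -Path $folder
if (-not $acl.AreAccessRulesProtected) { throw "Inheritance is still enabled on $folder" }
$acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
net share $share    # shows the share path and its Everyone / FULL permission
```

Connect from the Web server with the exact UNC path (\\FILESRV01\FpseContent$ in this example); because of the $ suffix you cannot browse to it.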
About File System Security
Giving Everyone Full Control on the share is necessary so that all users of your Web site can read the Web site content and run the ASP pages that FrontPage 2002 Server Extensions requires. This is acceptable only because the share permission is the coarser of two layers: effective access is the more restrictive of the share permission and the NTFS ACL, and the NTFS ACL you set in the previous procedure grants access only to Administrators, the Web server's computer account, and the principals FPSE adds when you extend the virtual server. You still do not want other computers or servers reaching the file share and those ASP pages directly, so it is recommended that you implement IPsec to help prevent users and computers from circumventing the FrontPage 2002 Server Extensions and Internet Information Services security for the file share and ASP pages.
Note - The separate user management feature for FrontPage 2002 Server Extensions also helps secure the process for accessing ASP pages through the file system. It is recommended that you implement this feature if you are connecting Web sites to UNC shares. For more information about managing users separately, see Authenticating Users Separately For Each Virtual Server.
CREATING AND CONFIGURING A VIRTUAL SERVER IN IIS
You use Internet Information Services (IIS) to create your new virtual server. You must also decide how to configure the security settings for your virtual server.
To create a virtual server on Windows Server 2008
- Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- Click the plus sign (+) next to the server name in the Connections pane that you want to add the virtual server to.
- Right-click Sites, and then click Add Web Site.
- In the Site name box, enter the name of the Web site.
- In the Physical path box, type the path to the network share where the site content will go. Note that if you used the format name$ for the share, you cannot browse to the share. You must type the path exactly.
- In the Type box, choose HTTP or HTTPS.
- In the IP address box, select the IP address you want to use.
- In the Port box, type the port number to assign to the virtual server.
- In the Host name box, type the host name that you want to use (if any).
- Click OK.
- Highlight the Web site you just created in the Connection pane.
- Double-click the Authentication feature in the Web site's Home pane.
- Highlight Anonymous Authentication in the Authentication pane.
- Click Edit... in the Actions pane.
- Click Specific user, and then click Set.
- Enter the domain and user name of your domain-level IUSR account in the User name box.
- Enter the password of your domain-level IUSR account in the Password and Confirm Password boxes.
- Click OK.
- Click OK.
- Verify that the application pool for the new Web site is running as NetworkService. That identity reaches the file server as the Web server's computer account (the WEBSERVER$ account you granted Full Control on the folder), which is why the pool must not run as a local account:
- Highlight the web site that you just created in the Connections pane.
- Click Basic Settings... in the Actions pane.
- Make a note of the application pool name, and then click OK.
- Click Application Pools in the Connections pane.
- Highlight the application pool from the step that you completed previously.
- Click Advanced Settings... in the Actions pane.
- Verify that IIS lists NetworkService in the Identity field. If it does not, use the following steps:
- Click the ellipsis (...) to the right of the Identity field.
- Click Built-in account, and then select NetworkService from the drop-down menu.
- Click OK to close the Application Pool Identity dialog box.
- Click OK to close the Advanced Settings dialog box.
To create a virtual server on Windows Server 2003
- Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- Click the plus sign (+) next to the server name that you want to add the virtual server to.
- Right-click Web Sites, click New, and then click Web site.
- Click Next.
- In the Description box, type the description of your virtual server, and then click Next.
- In the Enter the IP address to use for this Web site box, select the IP address you want to use.
- In the TCP port this web site should use (Default: 80) box, type the port number to assign to the virtual server.
- In the Host Header for this site (Default: None) box, type the host name that you want to use (if any), and then click Next.
- In the Path box, type the path to the network share where the site content will go. Note that if you used the format name$ for the share, you cannot browse to the share. You must type the path exactly.
- If you do not want to allow anonymous access to your virtual server, clear the Allow anonymous access to this Web site check box.
- Click Next.
- On the Web Site Security Credentials panel, verify that the Always use the authenticated users credentials when validating access to the network directory check box is selected, and then click Next.
- On the Permissions panel, select the permissions to use, and then click Next. If your virtual server allows scripts to be run, you must also select the Run scripts (such as ASP) check box. If you want to allow ISAPI applications or CGI scripts to be used on your virtual server, you must also select the Execute (such as ISAPI applications or CGI) check box.
- Click Next, and then click Finish.
Note - If you chose to allow anonymous access for the virtual server, you must specify the domain account to use for anonymous users. When you use a local folder, you can use the default anonymous user (usually IUSR or IUSR_Machinename). To connect to a shared resource on a domain, however, you must specify an account with rights to the domain. Be sure to use an account with limited rights to the computers and resources in your domain. Do not unintentionally give anonymous users the ability to administer your server or print to your network printers.
Note from me:
As I stated earlier, this entire article does not appear to work unless you specify a domain-level IUSR account in IIS, even if you are not going to allow anonymous access. In my testing, it seemed to fail when anonymous access was disabled and the anonymous user was a local account, whereas it succeeded when the anonymous user was a domain account with rights to the share, even though anonymous access was disabled for the site.
CONFIGURING SECURITY SETTINGS FOR THE VIRTUAL SERVER
After you have created the virtual server, you must configure the security settings. When a Web site user requests a file that actually resides on a network share, there are two methods that FrontPage Server Extensions can use to provide the required authentication information:
- Basic Authentication - Forwards the Web site requestor's username and password to the file server. If the user does not have access to the file server, he or she will not have access to the UNC-based files on the Web site. This method is best used for intranet Web sites.
- Another authentication method used with Kerberos delegation - If you want to use another authentication method, such as Integrated Windows authentication, use it in conjunction with Kerberos delegation. The Web server has to present the requestor's identity to the file server (a second hop), and an NTLM logon cannot be forwarded that way, so without Kerberos delegation access to the UNC content fails. For more information about configuring Kerberos, see the Help systems for Windows Server 2003 and Internet Information Services (IIS) 6.0.
Warning - Basic authentication forwards the requestor's username and password over the network Base64-encoded but not encrypted, so they can be captured with a network packet analyzer. Only use Basic authentication over an HTTPS (SSL/TLS) binding, or on a network where you are sure that potential attackers cannot reach your cabling or wireless media.
To configure the new virtual server to use basic authentication on Windows Server 2008
- In Internet Information Services (IIS) Manager, highlight the Web site you just created in the Connection pane.
- Double-click the Authentication feature in the Web site's Home pane.
- Highlight Basic Authentication in the Authentication pane.
- Click Enable in the Actions pane.
To configure the new virtual server to use basic authentication on Windows Server 2003
- In Internet Information Services (IIS) Manager, right-click the Web site you just created, and then click Properties.
- On the Directory Security tab, under Authentication and Access Control, click Edit.
- Check the Enable anonymous access check box.
- In the User name box for the anonymous user, type a domain user account to use for anonymous access. Note that because you are allowing access across computers, the default anonymous account (which is specific to each server) will not work. You must use a domain account for anonymous access.
- In the Password box, type the password that corresponds to the user account.
- In the Authenticated Access section, clear the Integrated Windows authentication check box, and check the Basic authentication (password is sent in clear text) check box.
- Click Yes to verify that you want to enable Basic authentication, and then click OK.
- Type the password again to confirm it, and then click OK.
- Click OK again to close the Properties dialog box.
Note from me:
As I stated earlier, I only tested with Basic Authentication; I did not try Kerberos. Since we are making a single hop to another server, I would expect simple NTLM to fail. See KB 315673 for a description of single versus double hop setups when working with IIS configurations. That being said, Windows Authentication in an Internet environment is impractical, so in most scenarios this point is moot.
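The Windows Server 2008 portions of the two preceding procedures (create the site on the UNC path, set the anonymous identity to a domain account, confirm the application pool runs as NetworkService, enable Basic authentication) can also be done with appcmd. The following is an added example, not code from the original post or from the whitepaper, run from an elevated PowerShell prompt on the Web server. Every name is an assumption: site and application pool FpseSite, port 80, share \\FILESRV01\FpseContent$, and CONTOSO\IUSR_FPSE as the domain-level anonymous account.

```powershell
# Added example (not from the original post). Assumed names: site/pool FpseSite on port 80,
# share \\FILESRV01\FpseContent$, domain anonymous account CONTOSO\IUSR_FPSE.
# Run in an elevated PowerShell prompt on the Windows Server 2008 Web server.
$ErrorActionPreference = 'Stop'
$appcmd   = "$env:windir\System32\inetsrv\appcmd.exe"
$site     = 'FpseSite'
$pool     = 'FpseSite'
$unc      = '\\FILESRV01\FpseContent$'
$anonUser = 'CONTOSO\IUSR_FPSE'
# Prompt rather than hard-code the secret so it does not end up in the command history.
$anonPass = Read-Host -Prompt "Password for $anonUser"

# Application pool as NetworkService: the worker process then reaches the share as the
# Web server's computer account (CONTOSO\WEBSRV01$), which is the account that was granted
# Full Control on the content folder on the file server.
& $appcmd add apppool "/name:$pool"
& $appcmd set apppool $pool /processModel.identityType:NetworkService

# Site whose physical path is the UNC share. Type the path exactly; a name$ share cannot be browsed to.
& $appcmd add site "/name:$site" '/bindings:http/*:80:' "/physicalPath:$unc"
& $appcmd set app "$site/" "/applicationPool:$pool"

# Anonymous identity must be a domain account with rights on the share. Per the note above it has to
# be set even if you later turn anonymous access off (/enabled:false); only the identity matters.
# -commit:apphost writes the setting into applicationHost.config, where IIS stores the password encrypted,
# because the authentication sections are locked against web.config by default.
& $appcmd set config $site -section:system.webServer/security/authentication/anonymousAuthentication `
    /enabled:true "/userName:$anonUser" "/password:$anonPass" -commit:apphost

# Basic authentication for the site. Pair it with an HTTPS binding so the credentials are not sent in the clear.
& $appcmd set config $site -section:system.webServer/security/authentication/basicAuthentication `
    /enabled:true -commit:apphost

# Read back what IIS actually stored before extending the virtual server.
& $appcmd list apppool $pool /text:processModel.identityType          # expect NetworkService
& $appcmd list vdir "$site/" /text:physicalPath                        # expect the UNC path
& $appcmd list config $site -section:system.webServer/security/authentication/anonymousAuthentication
& $appcmd list config $site -section:system.webServer/security/authentication/basicAuthentication
```

The last four commands are the check: if the identity is not NetworkService, the physical path is not the share, or the anonymous userName is still empty, the extension step later in this post will not work against the UNC content.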
After you create the virtual server, and before you can extend it with FrontPage 2002 Server Extensions, you must set the following registry entries to enable your Web server to work with a shared UNC folder:
- NoMachineGroups: determines whether or not FrontPage 2002 Server Extensions can create local machine accounts for new users. Because local machine accounts on one server have no rights on another server, you must disable local machine accounts and use only domain accounts to work with a shared UNC folder. Set NoMachineGroups to "1" to disable local machine accounts. Note that because this is a global setting, you should only change it before you have extended your virtual servers. If you change this setting after a virtual server has been extended, the administration pages may not work.
- AllowUNC: specifies whether or not to allow shared UNC folders. You must set this entry to "1" to enable UNC folder sharing.
Both entries are values (not subkeys) under the following key. The path depends on your version of Windows, because FPSE2002 is a 32-bit component and on a 64-bit server its settings live under Wow6432Node:
- On a 32-bit server:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports
- On a 64-bit server:
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Shared Tools\Web Server Extensions\All Ports
If these values do not exist yet, create them as new String (REG_SZ) values and set each one to 1.
To configure the registry for the Web server
- Open the Registry Editor on your Web server computer. To do so, click Start, click Run, and then type regedit.
- Open the correct subkey for your version of Windows:
- On a 32-bit server:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports
- On a 64-bit server:
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Shared Tools\Web Server Extensions\All Ports
- If the NoMachineGroups and AllowUNC values already exist, skip ahead to the steps that set their data. If not, create them as described in the next steps.
- Right-click in the right pane of the Registry Editor Window, click New, and then click String value.
- Type the name for the new entry: NoMachineGroups
- Right-click in the right pane of the Registry Editor Window, click New, and then click String value.
- Type the name for the new entry: AllowUNC
- In the right pane, right-click NoMachineGroups, and then click Modify.
- In the Value data box, type 1, and then click OK.
- In the right pane, right-click AllowUNC, and then click Modify.
- In the Value data box, type 1, and then click OK.
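The registry procedure above, as an added example that is not code from the original post or from the whitepaper. It is a PowerShell script for the Web server that picks the correct key for 32-bit versus 64-bit Windows, creates the two String values if they are missing, sets both to 1, and then reads them back. The only thing it assumes beyond the post is that PowerShell is installed on the Web server; the key path and value names are exactly those listed above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt on the Web server
# BEFORE extending any virtual server: NoMachineGroups is global, and changing it after a virtual
# server has been extended can break the administration pages (see the description above).
$ErrorActionPreference = 'Stop'

# FPSE2002 is 32-bit. On a 64-bit OS a 32-bit process that opens HKLM\Software is silently
# redirected to Wow6432Node, so: if this PowerShell process is 64-bit we must name the
# Wow6432Node path ourselves; if it is 32-bit (a 32-bit OS, or 32-bit PowerShell on a 64-bit OS)
# the plain path is redirected for us and lands in the same place FPSE reads from.
$relative = 'Microsoft\Shared Tools\Web Server Extensions\All Ports'
$keyPath  = if ([IntPtr]::Size -eq 8) { "HKLM:\SOFTWARE\Wow6432Node\$relative" }
            else                      { "HKLM:\SOFTWARE\$relative" }

# Create the key (and any missing parents) if it is not there yet.
if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

# Both entries are String (REG_SZ) values with data "1", exactly as in the steps above.
$names = 'NoMachineGroups', 'AllowUNC'
foreach ($name in $names) {
    $existing = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
    if ($existing -eq $null) {
        New-ItemProperty -Path $keyPath -Name $name -PropertyType String -Value '1' | Out-Null
    } else {
        Set-ItemProperty -Path $keyPath -Name $name -Value '1'
    }
}

# Read back and fail loudly if either value is missing or is anything other than "1".
$props = Get-ItemProperty -Path $keyPath
foreach ($name in $names) {
    if ($props.$name -ne '1') {
        throw "$name under $keyPath is '$($props.$name)', expected '1'"
    }
    Write-Host "$name = $($props.$name)   ($keyPath)"
}
```

If you run this from a 32-bit PowerShell on a 64-bit server, the script reports the non-Wow6432Node path even though the data was written under Wow6432Node; regedit (which is 64-bit) will show it in the Wow6432Node location listed above.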
EXTENDING THE VIRTUAL SERVER
After the virtual server has been created and configured, you are ready to extend it with FrontPage 2002 Server Extensions. You must extend the virtual server before you can publish Web site content to it.
To enable the FrontPage Server Extensions 2002 Web Server Extension on Windows Server 2003
- Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the console tree, click the name of the computer where you will create the virtual server, and then click Web Server Extensions.
- In Web Server Extensions, click FrontPage Server Extensions 2002, and then click Allow.
To extend the new virtual server and create a Web site
- Click Start, point to Administrative Tools, and then click Microsoft SharePoint Administrator.
- Click Extend next to the virtual server you just created in IIS.
- In the Administrator user name box, type the user name, and then click Submit.
After you extend the site, it is recommended that you run server health to make sure the permissions are set correctly and do not allow unauthorized access. To run server health, use the following command-line operations (on a 64-bit server the 32-bit FPSE2002 binaries are under %ProgramFiles(x86)% rather than %ProgramFiles%):
cd /d "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\50\bin"
owsadm.exe -o check -p 80 -w /
As I mentioned in the beginning of this post, there are a lot of steps to get this working, but it's possible to do so.
I hope this helps. ;-]