IIS 6.0 on Windows Server 2003 setup for Integrated Windows Authentication but no direct access for users to the shared folders

Question

I am attempting to set up an IIS 6.0 application running on Windows Server 2003 to use impersonation in order to avoid having to give users direct read/write access to the shared folders where the DB and web pages are stored. Can anyone provide me with details of how this can be set up to work in conjunction with Windows Integrated Authentication?

So far, I can tell that the web.config file (not sure whether it's the correct one) has the two lines mentioned on this thread (Impersonation in IIS 7.0) to allow impersonation and use the Windows logon method. However, users are still prompted for a logon and then told they are not authorized to view web pages. They can view pages if we turn anonymous logon "on", but then their user credentials aren't passed on to the site and therefore they can't access most of it.

I'm fairly inexperienced, so I'm a bit lost here. Thank you very much in advance for the help!

Answer 1

Thanks to intervention from Microsoft (definitely worth the flat fee they charge per incident), we were able to identify the problem. Instead of using the network path to identify the website location on the "Home Directory" tab of the IIS properties, we were using the local drive path. That was all that needed to be changed.

Once we switched to the network path and added a dedicated service account to "Connect As...", impersonation started working right away. Users pass their logged on credentials via integrated authentication (no logon required) and the service account takes care of executing their actions on the database file.

Access to the shared folder is limited to a brief list of administrators, and data access on the web application is limited based on user names.

If anyone is stuck with this and needs help, let me know!