The "Integrated Windows Authentication" is great for working with file permissions on the web server's local drives, but it can't be used for accessing remote shares. To access remote shares, you'll need to enable basic authentication. My (somewhat sketchy) understanding of why this is the case is as follows:
If the browser authenticates transparently with the server using NTLM (aka Integrated Windows Authentication) then the CGI script has a security token of type 'network'.
If basic authentication is used, the security token is the same as if the user logged on to the console of the server (in fact at least until IIS4.0, IUSR_machine_name required "Log on locally" rights).
Under the NT domain security model, a 'local' security token can be used to access networked resources but a 'network' security token can only be used to access local resources. Or to put it another way, a process running with a local token can delegate that authority across the network. Network tokens cannot be delegated.
For more info, see this article on MSDN.
Note: This is the same reason why integrated database security can only be used to propagate users' credentials from IIS to SQLServer if the database is running on the same server as IIS.
Update: Here's another article on the subject. Apparently the correct terminology for the types of token is "Primary Token" (can be delegated) and "Impersonation Token" (cannot be delegated).
In reply to Re: Re: W32: How can cgi scripts access shares on other w32 servers
by grantm
in thread W32: How can cgi scripts access shares on other w32 servers
by Sten
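A diagnostic CGI script for checking the behaviour described in this post, added here as an example and not part of the original post. The share path `\\fileserver\share` is a placeholder, and the script assumes the web server sets the standard CGI variables `AUTH_TYPE` and `REMOTE_USER`.

```perl
#!/usr/bin/perl
# Added diagnostic example; not code from the original post.
use strict;
use warnings;
use Win32;    # Win32::LoginName(), bundled with Perl on Windows

# Placeholder UNC path (assumption): a share the browsing user may read.
my $share = '\\\\fileserver\\share';

# Standard CGI variables the web server sets for an authenticated request.
my $auth_type   = $ENV{AUTH_TYPE}   || '';
my $remote_user = $ENV{REMOTE_USER} || '';

# Account name Windows reports for the context this script runs in.
my $running_as = Win32::LoginName();

# Try to open the remote share; keep the OS error text if that fails.
my ($share_ok, $share_err) = (0, '');
if (opendir(my $dh, $share)) {
    $share_ok = 1;
    closedir($dh);
}
else {
    $share_err = "$!";
}

# Relate the result to the authentication method used for this request.
my $verdict;
if ($auth_type eq '') {
    $verdict = 'Anonymous request: script runs as the anonymous web account.';
}
elsif ($share_ok) {
    $verdict = "Share reachable with $auth_type authentication.";
}
elsif ($auth_type =~ /^(?:NTLM|Negotiate)$/i) {
    $verdict = 'Share refused after integrated authentication, '
             . 'which matches the behaviour described in the post.';
}
else {
    $verdict = "Share refused with $auth_type authentication: "
             . 'check share and NTFS permissions for the user.';
}

print "Content-type: text/plain\r\n\r\n";
print "AUTH_TYPE   : ", ($auth_type   || '(none)'), "\n";
print "REMOTE_USER : ", ($remote_user || '(none)'), "\n";
print "Running as  : $running_as\n";
print "Share       : $share => ", ($share_ok ? 'OK' : "FAILED ($share_err)"), "\n";
print "$verdict\n";
```

Requesting the script once with integrated authentication enabled and once with basic authentication enabled shows which logon method lets the same user reach the share.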