Today we had an interesting request from a client. Our client has 2 servers, FILES and WEB.
WEB server runs Windows 2008 R2 and IIS 7.5 with PHP installed and configured as per our previous posts.
FILES server is a Windows 2012 R2 file server that stores all the client's documents.
The request was to allow WEB server to access FILES server via the UNC \\FILES\SharedFolder. Seemed simple enough and a task we have completed numerous times in the past on older servers.
Today, however, it was next to impossible to access the files via our PHP script. After some debugging we received the error ‘Access Denied’ from PHP. Having checked and reset the permissions on the share, folder and files it was still denying access to our PHP application.
After some investigation we discovered that the website authentication was at fault and we needed to perform the following actions to resolve it…
- Open IIS Manager
- Select the website to be fixed
- Double click the ‘Authentication’ tile
- Right click on ‘Anonymous Authentication’ and click ‘Edit…’
- Click ‘Specific User’ and press the ‘Set…’ button
- Enter domain credentials in the form of DOMAIN\Username (carefully choosing a limited user account)
- Enter the password twice
- Click OK twice.
- Perform an IISRESET from an elevated command prompt.
Immediately WEB server had access to the shared folder on FILES.
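The same change can be scripted with the WebAdministration module. This is an added example, not part of the original post: the site name 'Default Web Site' is an assumption, and the account is whichever limited domain user is entered at the credential prompt.

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
# Run from an elevated PowerShell session on the WEB server.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumption: name of the website to be fixed
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$sitePath = "IIS:\Sites\$site"
$filter   = '/system.webServer/security/authentication/anonymousAuthentication'

# Prompt for the limited domain account so the password is never stored in the script.
$cred = Get-Credential
$user = $cred.UserName
if ($user -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Expected DOMAIN\Username, got '$user'"
}

# Record the effective anonymous identity first so the change can be reverted.
$old = (Get-WebConfiguration -PSPath $sitePath -Filter $filter).userName
Write-Host "Anonymous user for '$site' before change: '$old'"

# Write the new identity into the site's <location> block in applicationHost.config
# (the same place IIS Manager stores it).
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter `
    -Name userName -Value $user
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter `
    -Name password -Value $cred.GetNetworkCredential().Password

# Read the setting back and stop if it was not applied.
$section = Get-WebConfiguration -PSPath $sitePath -Filter $filter
if ($section.userName -ne $user) {
    throw "Anonymous user is '$($section.userName)', expected '$user'"
}
Write-Host "Anonymous authentication enabled: $($section.enabled); user: $($section.userName)"

# Same as the final manual step.
iisreset
```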
IIS defaults applications to running under the IUSR account, which is local to that computer. As it is a local account, it has no access to remote computers on the network. By using a domain account's credentials instead, the user has access to the required share on the FILES server.
WARNING: Unless it is carefully locked down, a default user account in a domain has access to all shares on the network that are not secured. Therefore, when creating the account, carefully consider its access rights and group memberships.