Connecting Web Sites to UNC Network Shares

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

When running Microsoft FrontPage 2002 Server Extensions on Microsoft Windows Server 2003, you can create FrontPage-extended Web sites that have access to shared folders on your network using the Universal Naming Convention (UNC) standards. This configuration is often advantageous (or even necessary) when setting up a server that hosts many large Web sites and subwebs. You can create Web sites on your main hosting computer, and have the files for the Web sites distributed across multiple file servers on your network. You must be a local administrator of both server computers to perform these steps. This scenario requires that your servers be in a Microsoft Active Directory directory services domain environment, and both server computers must be running Microsoft Windows Server 2003 (Standard, Advanced, Web, or Enterprise Editions).

Configuring the File Server

You must configure a shared folder on the file server and grant the Web server access to the contents of that folder. Note that you must set the permissions for the folder itself, not a parent folder. It is recommended that you also implement IP Security on the file server, so that only the Web server, the domain controller, and other administrator computers can access the file server over TCP/IP. For more information about configuring IP Security, see Setting up an IPSec Test Lab in the Windows Server 2003 family Help system.

To create a folder and set the folder ACLs 

  1. In My Computer, create or locate the folder that will contain the Web site content.

  2. Right-click the folder, and click Properties. 

  3. In the Properties dialog, click the Security tab.

  4. Click Advanced. 

  5. Click Add. 

  6. Type Administrators, and then click OK. 

  7. Select Full Control, and then click OK. 

  8. Click Add. 

  9. Click Object Types, and then in the Object Types box, select the Computers check box, and then click OK. 

  10. In the Enter the object names to select box, type the Web server computer name, followed by a dollar sign ($) and then click OK. 

  11. Select Full Control, and then click OK. 

  12. Clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." check box.

  13. Click Remove to clear the inherited permissions for the folder.

  14. Click OK, and then click OK again to close the Properties dialog box.

The folder now only allows file access to the Administrators group and the Web server computer you specified. When you extend the virtual server on the Web server computer, the access control list (ACL) will be automatically updated with any additional required users or security principals.
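The ACL this procedure produces can be checked from PowerShell on the file server. The following is an added example, not part of the original article; the folder path, the domain EXAMPLE and the Web server name WEB01 are hypothetical placeholders. It reports whether inheritance is still enabled and lists any entry outside the principals granted in the steps above.

```powershell
# Added example, not part of the original article.
function Test-ContentFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,       # folder as seen on the file server
        [Parameter(Mandatory = $true)][string[]]$Expected  # principals granted in steps 5-11
    )
    $acl = Get-Acl -Path $Path
    $findings = @()

    # Steps 12-13: the folder must not inherit ACEs from its parent.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent folder is still enabled'
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.IsInherited) {
            $findings += "Inherited entry: $who ($($ace.FileSystemRights))"
        }
        elseif ($Expected -notcontains $who) {
            # Extending the virtual server adds principals, so review these
            # entries rather than removing them automatically.
            $findings += "Not in expected list: $who ($($ace.AccessControlType), $($ace.FileSystemRights))"
        }
    }
    $findings   # empty output means the ACL matches the procedure
}

# Hypothetical values: domain EXAMPLE, Web server WEB01, content folder D:\Sites\site1.
$folder   = 'D:\Sites\site1'
$expected = 'BUILTIN\Administrators', 'EXAMPLE\WEB01$'
if (Test-Path -Path $folder) {
    Test-ContentFolderAcl -Path $folder -Expected $expected
}
```

Run it again after the virtual server has been extended and compare the two results, since the extension step adds entries of its own.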

To share the folder 

  1. Right-click the folder, and click Properties. 

  2. On the Sharing tab, select Share this folder. 

  3. In the Share name box, type the name to use, and in the Comment box, type a description.

    Be sure to use the format name$ for the Share name to make the folder hidden when users browse the machine.

  4. Click Permissions. 

  5. Select Everyone, and then click Full Control. 

  6. Click OK, and then click OK again to close the Properties dialog box.

About File System Security

Giving Everyone full control to your server share is necessary so that all users of your Web site can view the Web site information and run the ASP pages required to use FrontPage 2002 Server Extensions. However, you do not want to allow other computers or other servers access to the file share and those ASP pages. It is recommended that you implement Internet Protocol (IP) Security to help prevent users and computers from circumventing the FrontPage 2002 Server Extensions and Internet Information Services security for the file share and ASP pages. For more information about implementing IP Security, see the Windows Server family Help system and the Internet Information Services (IIS) 6.0 Help system.

Note   The separate user management feature for FrontPage 2002 Server Extensions also helps secure the process for accessing ASP pages through the file system. It is recommended that you implement this feature if you are connecting Web sites to UNC shares. For more information about managing users separately, see Authenticating Users Separately For Each Virtual Server.

Configuring the Web Server

After you have created and configured the shared folder, you are ready to configure your Web server to connect to that folder. Configuring the Web server involves the following steps: 

  1. Create a new virtual server in Internet Information Services to point to the shared folder and configure security settings for the new virtual server.

  2. Set values in the Windows registry to allow content to be stored and accessed from the remote shared folder.

  3. Extend the virtual server with FrontPage 2002 Server Extensions.

You must be a local administrator of the Web server computer to perform these steps, and you must have administrator rights to the shared folder on the file server.

Creating and Configuring a Virtual Server in IIS

You use Internet Information Services (IIS) to create your new virtual server. You must also decide how to configure the security settings for your virtual server.

To create a virtual server on Windows Server 2003, Standard or Enterprise Edition 

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).

  2. Click the plus sign (+) next to the server name that you want to add the virtual server to.

  3. Right-click Web Sites, click New, and then click Web site.

  4. Click Next.

  5. In the Description box, type the description of your virtual server, and then click Next.

  6. In the Enter the IP address to use for this Web site box, select the IP address you want to use.

  7. In the TCP port this web site should use (Default: 80) box, type the port number to assign to the virtual server.

  8. In the Host Header for this site (Default: None) box, type the header you want to use (if any), and then click Next.

  9. In the Path box, type the path to the network share where the site content will go.

    Note that if you used the format name$ for the share, you cannot browse to the share. You must type the path exactly.

  10. If you do not want to allow anonymous access to your virtual server, clear the Allow anonymous access to this Web site check box.

  11. Click Next.

  12. On the Web Site Security Credentials panel, verify that the Always use the authenticated users credentials when validating access to the network directory check box is selected, and then click Next. 

  13. On the Permissions panel, select the permissions to use, and then click Next.

    If other users are allowed to contribute to the site, you must select at least the Read, Write, and Browse check boxes. If your virtual server allows scripts to be run, you must also select the Run scripts (such as ASP) check box. If you want to allow ISAPI applications or CGI scripts to be used on your virtual server, you must also select the Execute (such as ISAPI applications or CGI) check box.

  14. Click Finish.

Note If you chose to allow anonymous access for the virtual server, you must specify the domain account to use for anonymous users. When you use a local folder, you can use the default anonymous user (usually IUSR_Machinename). To connect to a shared resource on a domain, however, you must specify an account with rights to the domain. Be sure to use an account with limited rights to the computers and resources in your domain. Do not unintentionally give anonymous users the ability to administer your server or print to your network printers.

Configuring Security Settings for the Virtual Server

After you have created the virtual server, you must configure the security settings. When a Web site user requests a file that actually resides on a network share, there are two methods that FrontPage Server Extensions can use to provide the required authentication information:

  • Basic Authentication: Forwards the Web site requestor's username and password to the file server. If the user doesn't have access to the file server, he or she will not have access to the UNC-based files on the Web site. This method is best used for intranet Web sites.

  • Another authentication method used with Kerberos delegation: If you want to use another authentication method, it is more secure to use it in conjunction with Kerberos delegation. For more information about configuring Kerberos, see the Help systems for Windows Server 2003 and Internet Information Services (IIS) 6.0.

Warning Basic authentication forwards the requestor's username and password over the network. This means that usernames and passwords can be captured using a network packet analyzer. Basic authentication by nature is not secure. If you use pass-through security on your IIS server, the credentials may be exposed on your internal network in clear text.

If you want to use Basic authentication, use the following steps. To set up Kerberos delegation and configure another authentication method, see the IIS 6.0 Help system.

To configure the new virtual server to use basic authentication 

  1. In Internet Information Services, right-click the Web site you just created, and then click Properties. 

  2. On the Directory Security tab, under Authentication and Access Control, click Edit.

  3. Select the Enable anonymous access check box.

  4. In the User name box for the anonymous user, type a domain user account to use for anonymous access.

    Note that because you are allowing access across computers, the default anonymous account (which is specific to each server) will not work. You must use a domain account for anonymous access.

  5. In the Password box, type the password that corresponds to the user account.

  6. In the Authenticated Access section, clear the Integrated Windows authentication check box, and select the Basic authentication (password is sent in clear text) check box. 

  7. Click Yes to verify that you want to enable Basic authentication, and then click OK. 

  8. Type the password again to confirm it, and then click OK. 

  9. Click OK again to close the Properties dialog box.

For a secure environment: Use group accounts to manage users for the virtual server

The version of FrontPage 2002 Server Extensions that ships with Microsoft Windows Server 2003 allows you to manage anonymous users by using group accounts. This is a more secure way to manage user access to your resources. It is recommended that you use this method to secure any Web sites storing content in a UNC share if this method of managing users is appropriate in your environment. For more information about using group accounts to manage users, see Authenticating Users Separately For Each Virtual Server.

To enable group accounts for the Web server, you must note the IIS instance number of the virtual server you just created, and then modify the registry for the Web server computer.

To determine the IIS instance number for a virtual server 

  1. In Internet Information Services, right-click the Web site you just created, and then click Properties. 

  2. On the Web site tab, in the Enable logging section, click Properties. 

    At the bottom of the screen, under the Log file name box, is an example string, such as W3SVC605785804\exyymmdd.log. The numbers between W3SVC and \exyymmdd.log are the instance number. In this example, the instance number is 605785804. Write down this instance number so you can use it when you modify the registry for this virtual server.

To modify the registry to enable group accounts 

  1. Click Start, point to Run, type regedit, and then click OK. 

  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports\ 

    Note On x64-based computers, the registry key is HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\All Ports\

  3. On the Edit menu, click New, and then click String value. 

  4. Type anonusergroupprefix as the new value name.

  5. Right-click the new value and then click Modify. 

  6. Type a prefix for the group name in the format DOMAIN\prefix, and then click OK. 

To use group accounts with UNC shares, you must use domain groups, rather than local groups, to manage users. You must set this registry key to a prefix name to enable this feature. If you choose to, you can then use DOMAIN\prefix_IISinstancenumber as the domain group name for the virtual server. You can also specify a different group name to use in the virtual server key.

To modify the registry to specify a different group account for the virtual server 

  1. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\Ports\

    Note On x64-based computers, the registry key is HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\Ports\

  2. On the Edit menu, click New, and then click Key. 

  3. Replace New Key #1 with Port instance number;.

    The instance number is the IIS instance number you looked up previously. This must be in the format Port /LM/W3SVC/1;, so using the example above, it would be: Port /LM/W3SVC/605785804;.

  4. On the Edit menu, click New, and then click String value. 

  5. Type anonusergroup as the new value name.

  6. Right-click the new value and then click Modify. 

  7. Type the domain group name to use (either DOMAIN\prefix_IISinstancenumber or DOMAIN\groupname).

  8. Click OK. 

If you are using group accounts, you should also restrict the access to the shared folder on the file server to just that group, plus administrators and the Web server computer, rather than Everyone.

To change the UNC share permissions on the file server 

  1. Right-click the shared folder, and click Properties. 

    On the Sharing tab, click Permissions. 

  2. Select Everyone, and then click Remove. 

  3. Click Add. 

  4. Type the domain group name you specified in the previous steps, and then click OK. 

  5. Under Permissions for group name, select Full Control, and then click OK.

  6. Click Add. 

  7. Type Administrators, and then click OK. 

  8. Under Permissions for administrators, select Full Control, and then click OK. 

  9. Click Add. 

  10. Type the user name for the administrator of the Web server computer, and then click OK. 

  11. Under Permissions for <User Name>, select Full Control, and then click OK. 

  12. Click Add. 

  13. Click Object Types, and then in the Object Types box, select the Computers check box, and then click OK. 

  14. In the Enter the object names to select box, type the Web server computer name, followed by a dollar sign ($) and then click OK. 

  15. Select Full Control, and then click OK. 

  16. Click OK again to close the Properties dialog box.

Setting Registry Values for Shared Folders

After you create the virtual server, and before you can extend it with FrontPage 2002 Server Extensions, you must set the following registry entries to enable your Web server to work with a shared UNC folder:

  • NoMachineGroups: determines whether or not FrontPage 2002 Server Extensions can create local machine accounts for new users. Because local machine accounts on one server have no rights on another server, you must disable local machine accounts and use only domain accounts to work with a shared UNC folder. Set NoMachineGroups to "1" to disable local machine accounts. Note that because this is a global setting, you should only change it before you have extended your virtual servers. If you change this setting after a virtual server has been extended, the administration pages may not work.

  • AllowUNC: specifies whether or not to allow shared UNC folders. You must set this entry to "1" to enable UNC folder sharing.

Both subkeys are under the following path in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports (or HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\All Ports\ on x64-based computers). If these subkeys do not exist yet, you can add them as new string values, and then set them to 1.

To configure the registry for the Web server 

  1. Open the Registry Editor on your Web server computer. Click Start, click Run, and then type regedit. 

  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports

    Note On x64-based computers, the registry key is HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\All Ports\

  3. If you see the NoMachineGroups and AllowUNC keys, skip to step 4. If not, you must create these keys as described in the next step.

    • Right-click in the right pane of the Registry Editor Window, click New, and then click String value.

    • Type the name for the new entry:
      NoMachineGroups

    • Right-click in the right pane of the Registry Editor Window, click New, and then click String value.

    • Type the name for the new entry:
      AllowUNC

  4. In the right pane, right-click NoMachineGroups, and then click Modify. 

  5. In the Value data box, type 1, and then click OK. 

  6. In the right pane, right-click AllowUNC, and then click Modify. 

  7. In the Value data box, type 1, and then click OK. 
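The registry values set in this procedure and in the group-account procedure earlier can be read back in one pass on the Web server. The following is an added example, not part of the original article and not Microsoft's own tooling. It derives the instance number from the log file name example, checks AllowUNC and NoMachineGroups, and resolves the group name using the DOMAIN\prefix_IISinstancenumber convention described above.

```powershell
# Added example, not part of the original article. Read-only: it changes nothing.
function Get-FpseUncSettings {
    param([Parameter(Mandatory = $true)][string]$LogFileExample)

    # The instance number is the run of digits between "W3SVC" and the backslash.
    if ($LogFileExample -notmatch '^W3SVC(\d+)\\') {
        throw "Unexpected log file name example: $LogFileExample"
    }
    $instance = $Matches[1]

    # .NET registry calls are used because the PowerShell registry provider
    # treats the "/" characters in "Port /LM/W3SVC/..." as path separators.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $base = $null
    $allPorts = $null
    foreach ($candidate in 'Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions',
                           'Software\Microsoft\Shared Tools\Web Server Extensions') {
        $allPorts = $hklm.OpenSubKey("$candidate\All Ports")
        if ($allPorts) { $base = $candidate; break }
    }
    if (-not $base) { throw 'Web Server Extensions\All Ports key not found' }

    # Per-virtual-server key, named as the article describes it.
    $portKey = $hklm.OpenSubKey("$base\Ports\Port /LM/W3SVC/$instance;")
    $prefix  = $allPorts.GetValue('anonusergroupprefix')
    $group   = $null
    if ($portKey) { $group = $portKey.GetValue('anonusergroup') }
    if (-not $group -and $prefix) { $group = "${prefix}_$instance" }

    $findings = @()
    if ($allPorts.GetValue('AllowUNC') -ne '1') { $findings += 'AllowUNC is not 1' }
    if ($allPorts.GetValue('NoMachineGroups') -ne '1') { $findings += 'NoMachineGroups is not 1' }
    if (-not $group) {
        $findings += 'No anonusergroupprefix or anonusergroup: group accounts are not enabled'
    }
    elseif ($group -notmatch '^[^\\]+\\.+') {
        $findings += "Group '$group' is not in DOMAIN\name form; UNC shares need a domain group"
    }

    New-Object PSObject -Property @{
        InstanceNumber = $instance
        RegistryBase   = "HKLM\$base"
        AnonUserGroup  = $group
        Findings       = $findings
    }
}

# The log file name example is the one quoted in the article.
Get-FpseUncSettings -LogFileExample 'W3SVC605785804\exyymmdd.log'
```

The group name it reports is the one to grant on the file server share in place of Everyone.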

Extending the Virtual Server

After the virtual server has been created and configured, you are ready to extend it with FrontPage 2002 Server Extensions. You must extend the virtual server before you can publish Web site content to it.

To enable FrontPage Server Extensions 2002 

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).

  2. In the console tree, click the name of the computer where you will create the virtual server, and then click Web Server Extensions.

  3. In Web Server Extensions, click FrontPage Server Extensions 2002, and then click Allow.

To extend the new virtual server and create a Web site 

  1. Click Start, point to Administrative Tools, and then click Microsoft SharePoint Administrator. 

  2. Click Extend next to the virtual server you just created in IIS.

  3. Do one of the following:

    • If you have FrontPage 2002 Server Extensions installed, in the Administrator user name box, type the user name, and then click Submit.

    • If you have SharePoint Team Services installed, in the Administrator user name box, type the user name, and in the Site Type section, select Blank Web site (FPSE only), and then click Submit.

After you extend the site, it is recommended that you run server health to make sure the permissions are set correctly and do not allow unauthorized access. To run server health, use the following operation:

owsadm.exe -o check -p 80 -w /

For more information about running server health, see Monitoring Server Health.

You can now open your Web site in FrontPage 2002 and publish content to the new site.

Note If you are using Kerberos and another authentication method, re-examine the security settings on the shared folder on the file server and make sure they were not changed when you extended the virtual server. To do this, refer to the steps in "Configuring the file server."