The post linked (IIS Virtual Directory Windows Authentication) seems to have the same issue as me, but it was never resolved.
I have the following machines sitting on an active directory domain in my test lab:
- WEB1, an IIS web server on Windows. It has an alias, ConfigMgt
- CONTENT1, a content Windows server that also happens to be an IIS web server. It has an alias, ServiceMgt
- CLIENT1, a Windows 10 machine
There is also a custom domain account SERVICE-ACCT that I use as the identity for the application pool.
CONTENT1 is configured to use SERVICE-ACCT for the identity of the application pool. The attribute useAppPoolCredentials is enabled at the website level for Windows Authentication and Windows Authentication is enabled.
WEB1 is also configured the same way as CONTENT1 in terms of the web server.
The following SPNs are set for the service account SERVICE-ACCT:
- HTTP/content1.domain
- HTTP/content1
- HTTP/web1.domain
- HTTP/web1
These SPNs are set because WEB1 also acts as a proxy server for CONTENT1 for our python web applications through the Application Request Routing (ARR) module. As a result, it uses Negotiate for authenticating the python web applications.
With the context explained above, I created the virtual directory on WEB1 and called it "Example". The physical path is \\CONTENT1\Example and it is using pass-through authentication.
To access it, I go to https://ConfigMgt.domain/Example and I end up getting 401.3 errors when using CLIENT1 logged in as a user that has access to \\CONTENT1\Example. If I set the physical path to \\WEB1\Example (after creating it) and move the contents of \\CONTENT1\Example to there, the authentication issues disappear.
I've verified that the identity of the application pool (SERVICE-ACCT) has access to the file share, \\CONTENT1\Example.
401.3 seems to refer to ACL-type errors. I tried adding the Everyone group to the \\CONTENT1\Example share at both the share and NTFS permission levels, but I had no success when I tried accessing the virtual directory again.
I am at a loss here. My goal is to host any remote network shares (i.e., not local to WEB1) in virtual directories on WEB1; I also want to leverage the existing share/NTFS permissions that are set on those shares. Is this possible?
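A diagnostic a practitioner would run on WEB1 before touching share permissions, added here as an example and not part of the question: it lists the SPNs registered on SERVICE-ACCT, checks whether every hostname a client actually targets (the ConfigMgt alias used in the URL, plus the two servers) has a matching HTTP SPN, scans for duplicate SPNs, and reads back the Windows Authentication settings described above. The site name `Default Web Site` and the hostname list are assumptions; the account and host names come from the question.

```powershell
# Added example (not the poster's script). Run on WEB1 in an elevated PowerShell
# with the WebAdministration module and the setspn tool available.
param(
    [string]$ServiceAccount = 'SERVICE-ACCT',   # app-pool identity from the question
    # Hostnames that browsers or ARR actually put in the request; the alias is
    # included because the URL in the question is https://ConfigMgt.domain/Example.
    [string[]]$HostsUsed    = @('ConfigMgt.domain', 'web1.domain', 'content1.domain'),
    [string]$Site           = 'Default Web Site' # assumption: the site hosting /Example
)

# 1. SPNs registered on the service account. "setspn -L" prints a header line
#    followed by one indented SPN per line.
$registered = (setspn -L $ServiceAccount) |
    Where-Object { $_ -match '^\s+(\S+/\S+)' } |
    ForEach-Object { $Matches[1].ToLower() }

Write-Host "SPNs registered on ${ServiceAccount}:"
$registered | ForEach-Object { "    $_" }

# 2. Negotiate can only obtain a Kerberos ticket for a host that has an HTTP/<host>
#    SPN; for any hostname without one it silently falls back to NTLM. Report each
#    hostname in use as OK or MISSING against the registered list.
Write-Host "`nHTTP SPN coverage for the hostnames in use:"
foreach ($h in $HostsUsed) {
    $spn   = "http/$($h.ToLower())"
    $state = if ($registered -contains $spn) { 'OK' } else { 'MISSING' }
    "    {0,-8} HTTP/{1}" -f $state, $h
}

# 3. A duplicate SPN anywhere in the forest breaks Kerberos for that name.
Write-Host "`nDuplicate SPN scan:"
setspn -X 2>&1 | Select-String -Pattern 'duplicate' | ForEach-Object { "    $_" }

# 4. Confirm the site-level settings the question describes: Windows Authentication
#    enabled and useAppPoolCredentials set to true.
Write-Host "`nWindows Authentication settings on '$Site':"
Import-Module WebAdministration
Get-WebConfiguration -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' |
    Select-Object enabled, useAppPoolCredentials | Format-List
```

Any hostname reported as MISSING is one for which the request cannot be Kerberos-authenticated, which is worth ruling out before revisiting the share and NTFS ACLs on \\CONTENT1\Example.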