How to setup a website to access content on a remote NAS server

One of the more common questions in the newsgroups.  "How can I have my content on a remote server vs. the local web server?".   This article is a step by step how-to serve content from a remote server.  This article assumes there are two machines, 1 web server and 1 content server.  Lets get started.

Assumptions

• Two servers running Windows 2003
• Local user id on each machine with the same user id with same password

Setting up environment.

• Create a user called RemoteContentUser and password PA$$@Word! on both machines
• Create a folder on the server acting as the remote nas server called RemoteContent
• Create a website on your web server, point the website to your remote share.
• Set the User id and Password on the virtual directory as the same as the local user id you created.

Creating the local user id that will be used to authenticate to the remote share.  You could also create using Computer Management MMC.

• Create user on web server.

• Create user on remote machine.

• Create remote directory (This command creates the C:RemoteContent folder)

• Create RemoteContent$ Share (This allows access directly to the content using a UNC Path)

• Using CACLS to grant the RemoteContentUser ‘READ’ permissions on the content folder

• Screen shot from Windows Explorer showing the NTFS permissions.

• Change directory to C:RemoteContent
• Create sample Default.asp that will be displayed from the web server.
• Create sample Default.aspx that will be displayed from web server
• Use the ECHO command to create the Default.asp and Default.aspx adding some sample content

Setup the WebSite

• Open Internet Information Services Manager

• Right Click on Web Sites and Select a New Web Site

• Click Next
• Enter your domain name.
• Click Next

• Type in the UNC (Universal Naming Convention) path \ServerNameRemoteContent$
• Click Next

• Uncheck "Always use the authenticated users credentials when validating access to the network directory"
• Click Next

• Type in local user name, for our article this is RemoteContentUser and  "PA$$@Word!"
• Confirm password

• Click OK
• Click Next
• Select READ, Run Scripts (such as ASP)
• Click Next

• Click Finish

• Notice the Default.asp, Default.aspx page displayed in the right pane.

• Browse the Classic Default.asp webpage

To run ASPX webpages you’ll need to ensure the local user has MODIFY permission to the temporary folder where .NET pages are compiled.  If you do not, you could get this error listed below.

• Grant local RemoteContentUser ‘CHANGE’ permissions on the temporary folder where ASP.NET pages are compiled.  This can be any user, we are just using a local user for an example.  Security should be kept in mind when setting up your environment.
• Here is the command cacls "C:WINDOWSMicrosoft.NETFrameworkv2.0.50727Temporary ASP.NET Files" /T /E /G remotecontentuser:C

• Browse the Default.aspx webpages. 

If you continue to have issues executing ASP.NET webpages.   You probably need to grant CASPOL permissions.  The command is listed below.

CASPOL

Here is a sample error when executing ASP.NET content on a remote share.   

System.Security.SecurityException: Security error. Source Error: Line 57:         private static System.Collections.ArrayList __fileDependencies; Line 58: Line 59:         public Default_aspx() { Line 60:             System.Collections.ArrayList dependencies; Line 61:             if ((ASP.Default_aspx.__intialized == false)) { Source File: D:ASPNetTempauthors_gfweis3070428c5b9f07db9nidezwv.0.cs Line: 59 Stack Trace: [SecurityException: Security error.]    GfWeis._Default..ctor() +0    ASP.Default_aspx..ctor() in D:ASPNetTempauthors_gfweis3070428c5b9f07db9nidezwv.0.cs:59

CASPOL to the Rescue

What is CASPOL?  This is a command line utility to adjust the security on the CLR and .NET framework.  There is also two MMC’s under the Administrative Tools to help adjust the CAS settings.   In order to see all the settings CASPOL can do, open a command prompt and type in CASPOL /?     Be very careful before adjusting these settings.  This shouldn’t be done on your production server without first testing on development server.  Here is more information on MSDN about CASPOL as well as many other tools provided by the .NET framework.  Code Access Security Policy Tool (Caspol.exe) (Allows you to examine and modify machine, user, and enterprise-level code access security policies.)

Here is the command that did the trick!

caspol -m -ag 1 -url "file://\ServerNameRemoteContent$*" FullTrust -exclusive on

Here is a couple of troubleshooting command line items used.

• caspol -s off  //This turns off CAS security
• caspol -s on //This turns on CAS Security
• caspol -rs  //Resets CAS security.

In conclusion, this is just one example of how to setup a website to access content on a remote server.   We would suggest setting up a test environment so you understand the settings before implementing into a production environment.   We used a local user on both servers, if you have a Active Directory Domain available you could use a Domain user vs. a local user.

Reference links

Deploying and Configuring Internet Information Services (IIS) 6.0 with Remotely Stored Content on UNC Servers and NAS Devices

Hope this is helpful,

Steve Schofield
Microsoft MVP – IIS