Enabling IIS WebDav functionality by using IIS Manager Users
Setting up IIS WebDav functionality is pretty trivial if one to rely on Windows user accounts for authentication but this architecture causing massive issues, namely:
- Accounts have to be precreated in Windows and are in fact real Windows accounts with permissions through system. I frequently see people while troubleshooting WebDav authentication issues adding those users to various group (in addition to default Users group) including Administrators account.
- It’s difficult to maintain since those users accounts are specific to machine where they live and hence not trivial to extend setup to several servers without keeping all accounts in sync.
Instead we can rely on IIS Manager to store and maintain users which was designed to allow hosting providers to provide remote IIS management functionality to customers. This setup remove all the drawbacks of using Windows users as authentication provider. It’s easily scalable (since IIS shared configuration can be used) and do not provide any sort of access to underlying operating system.
Solution consists of 2 DSC scripts below. Instead of using UI to set this up DSC was chosen since it’s easily replicated at scale and provide reproducible and consistent behavior.
Prerequisites.ps1 which performs following:
- Install basic IIS features
- Enabled remote management to enable IIS Manager User features
- Install Nuget and chocolatey providers to pull required DSC resources to create website and manipulate NTFS permissions
Startup.ps1 which performs following:
- Enables WebDav and neccessary features
- Configured IIS Manager to accept both Windows and IIS Manager credentials
- Modifies permissions to allow IIS_IUSRS users to read configuration file
- Creates website and bindings it to default ports
- Create IIS manager users with the password
- Modifies IIS configuration to allow WebDav publishing based off IIS Manager credentials provider
- Assigns WebDav permissions to newly created users to access website