Quick Edit - NTFS and Anonymous access in IIS

Host - IIS6
PHP - 5.1.6
MySQL 4
ModX 0.9.2.1 (rev 1005)

I am running into a small issue when hosting this on my test server.
With IIS configured to allow anonymous access, the quick edit will not work.
Specifically when the NTFS folder structure is set to allow IUSR_* to have modify access to the directories (Without this - despite the anon access provision it will prompt the user for a password if Integrated Authentication Fails).

By applying IUSR_* to the NTFS folder structure it breaks the functionality of the Quickedit and generates an error in the log.

When viewing the code it returns a permission error.

Removing IUSR_* will then allow the QuickEdit to work again.

My NTFS Security permissions on wwwroot and downwards are:

Administrators (Full Control)
IIS_WPG (Modify, RX, L, R, W)
Network Service (Modify, RX, L, R, W)
IUSER_SERVERNAME (Modify, RX, L, R, W) - Internet Guest Account
SYSTEM - (Full control)

In IIS Directory security I have Enabled Anon access ticked and the username / password is the IUSER_SERVERNAME account.

All the othe boxes on that screen are unticked.

Hope that helps.

Current Permissions
Anon Access Disabled
Integrated Autentication works with my username and provides quickedit.
Log in with modx from another machine - Quickedit is not functional

Administrators - Full
Username - Full
System - Full
modx - Modify

Tried these settings
Anon Access enabled - to modx and IUSR_* on differerent occasions

IUSR_* - Modify
IWPG - Modify

I have verified that permissions are propgrating downstream

I think you need to untick integrated authentication i’m not sure why you want it to display a popup for logging details for quickedit.

With mine I log into modx manager and then just use quickedit straight away.

Ive taken some screen shots which might help.

Thankls

Disabling Integrate Auth has no effect as to whether the Quick Edit is functional or not.

I don’t expect it to pop up any password form for someone to view.
I did however allow integrated auth so I could prevent access to the site while i was trialling it - and then just tick anon to allow access.

If it was just that - than when I log into the site and enter the password - than the quick edit should have worked.

The site was installed with Integrated Auth and anon access disabled in IIS until I had it up and running.

It may have been the fact that it was installed via username with integrated as I just gave modx full access to the entire site - which is what I pointed anon to and it has the same issue.

I even added it to the Administrators group - same issue.

Could you post screen shots of your permissions and auth access.

I think your 2nd pc is auto sending the login details to the iis server using integrated auth. Also do you only get a problem with quickedit on both PC’s or the whole site on both pcs?

I have played with the settings a fair bit since.
It will be easier to explain the settings I have tried as an image only captures one of the possible settings

only when I access the site using either Integrate Authentication or set the Anonymous account to username which has administrative privilates and full access to the site will the QuickEdit work.

NTFS Permissions.
Inherited from root of W:\
Administrators - Full
System - Full
username - Full
Applied at modx root and propogated down the directories
Also forceable applied to all subdirectories and folders.
iusr_* - Modify
iwpg_* - Modify
modx - Full

[i]I have experimented with setting iusr to Full as well to no avail. These permissions are propogated down the folder structure and I have validated that at the QuickEdit module folder.

Owner of all the files is the Administrators group. Seeing that I put modx into the administrators group as well no avail.

Within IIS - Integrated Authentication has been disabled forcing anonymous access.
No other authentication exists, apart from anon and the ntfs permissions.

If Anon is the default IUSR_* it will show the site but fail to load the quick launch
If Anon is ModX with NTFS Modify privilages it will show the site but fail to load the quick launch
If Anon is ModX with NTFS Full privilages it will show the site but fail to load the quick launch
If Anon is ModX belonging to Administrators with NTFS Full privilages it will work correctly.
If Anon is username which belongs to Administrators with NTFS Full Privilages it will work correctly.
If Anon is Administrator it will work correctly.

As soon as I activate Integrated on the new site - username kicks in and the quick edit box pops up.

I just recreated a new site and deleted the old.
iusr_* has ntfs modify access - IIS configured for Anonymous access with script access and read/write.
Same issue.

So basically if the account that is being used for anon access is a member of the administrators group - than the quickedit will work - hardly a solution.


The issue occurs regarldess of whether Integrated access is enabled/disabled - it comes down to which account IIS uses - if integrated is used - than it works because my account has is a member of the admin’s group.

This occurs on the whole site as i tested this on a pc where the account wasn’t on the server so integrated would fail and anon kick in and the same issue occurs.

Basically I know what the issue is, and how to work around it but thats not an adviseable option.

To me it sounds like your ntfs / iss security permissions and truly messed up do you host single web site or multiple?

Also you keep saying that quickedit does not work but when you add the account into X group or user it does work this says to me that your NTFS permissions are not propogating all the way down properly

If you follow my setup it should work make sure you take ownership of all the folders and sub folders before re applying.

You might find this doc helpful on how to secure iis properly.

http://www.servertastic.com/blog/2005/12/helm-folder-permissions/

IIS Site Configuration
WSUS - configured to respond to http://windowsupdate/wsusadmin > Points to U:\WSUS
Moodle - configured to respond to http://moodle.mydomain.com > Points to W:\Moodle
ModX - configured to respond to http://modx.mydomain.com > Points to W:\ModX
Forum - configured to respond to http://forum.mydomain.com [Stopped] > Points to W:\Forum
SMF - configured to respond to http://smf.mydomain.com [Stopped] > Points to W:\SMF
Static - configured to respond to http://static.mydomain.com > Points to W:\Static
Root - configured to respond to anything else. > Points to W:\Root

NTFS Permission Resets
I took ownership with of all the files within the directory ModX with the Account ModX and included Subdirectories and files.
I then reset the permissions for the entire W:\Drive to set some defaults.
I then ensured IUSR_* was given Modify for the directory - and Anonymous access was configured to use this.
This seems to have fixed the problem - as there must have been some files related to QuickEdit that were not recieving the correct permissions - even after I viewed them on most of the quickedit files.

Now with IUSR_* having anon access, and integrated authentication working from home should I wish to disable anon briefly it is working under both. [From what I can tell - I will need to do further testing from outside the network tomorrow at work.]

Thats great news