HowTo: Using CIFS to Serve Web Pages from NSS Volume via Windows 2003 Server
Novell Cool Solutions: Feature
By Bas Penris
Posted: 22 Feb 2007
Within our organization, there is a need to run small web applications written in ASP and ASP.NET. Our normal webserver has a lot of overcapacity and it would be a waste of money to purchase new hardware and software. Serving the content from an NSS volume also makes it possible for a support desk to easily assign and revoke rights, use map and the entire spectrum of NSS features, while system management just 'manages' the server and its OS. We also moved our WEB volume from a single server to a cluster volume (Apache and Tomcat have some annoying NetWare clustering issues and after going to IIS for some of our sites, this problem was solved as well), although this is absolutely not required. I'll write this as if it were a normal server and not a cluster resource. The NetWare server is named EHL-NW11. The choice for Windows was made because of the available knowledge within the organization.
After installing a basic Windows 2003 server and assigning it the so-called "Application Server" role, we were ready to kick off.
Part 1: CIFS
If you haven't done so already, enable CIFS for the specified volume via either
ConsoleOne or iManager:

This is the default configuration for any CIFS-enabled server. A "-W"
is added to the server name. You can, of course, change this to something like
'WEB-CIFS'. You also have to check on the Shares page that the volume you want
to serve web pages from is CIFS enabled:

CIFS exports all volumes as shares by default, so if there is nothing in the
list you're good. If you want to export just the WEB volume, you'll have to
add it here.
Now we have to tell CIFS where to find the proxy user that we're going to
create in the next section. Use a text editor to edit \\EHL-NW11\SYS\ETC\cifsctxs.cfg
and add the context where your proxy user will reside:

Our proxy users all reside in Proxy.NonP.EHL
Bring down CIFS on the server console using the command CIFSSTOP and
start it again with CIFSSTRT:

Part 2: Proxy User
You all know how to create a user object in eDirectory so this will be a
short section ;). Create the proxy user in the container added in cifsctxs.cfg.
Give the user read rights to the directories that IIS needs to access; in
our case, the root of the volume. Remember: it's good to use naming conventions,
and a lot of organizations have multiple proxy users (an LDAP user, rsync, we
also use Scurry with FTP to back up config files from *NIX machines, so we have
an FTP proxy user etc.). All our proxy users are named <purpose>_proxy
and reside in Proxy.NonP.EHL. In this case our proxy user is called iis_proxy.
Remember to assign the user a password, write it down and put it in a vault
somewhere ;). Set the password to never expire and don't require changes. Our
policy is to randomly generate passwords for accounts like this. You should
never use this account to log in from a workstation; that's why we're going to
add an Address Restriction that only allows it to log in from the Windows server,
and add the IP address of the NetWare file server as well. As we have a test
webserver (EHL-WI75) and a production webserver (EHL-WI76), I need to add two
IPs:

If you've got Universal Password enabled, you can skip to the next step; if you
haven't, you need to set the Simple Password on the Login Methods tab for the
user:

Enter the same password you've used for the NetWare password when creating the
account. Don't forget to select Force Password Change and click OK to
close the screen.
Now we're done with the NetWare side.
Part 3: Windows user
To be able to connect from the Windows server to the NetWare server, there needs to be a user account on the Windows server with exactly the same username and password as in your eDirectory. Create this user (iis_proxy) on the local machine or in the AD in which the Windows server resides. (The simplest way is to right-click My Computer, choose Manage and go to Local Users and Groups.) Make the user only a member of the Users group (I got some weird errors when I only made it a member of the Guests group).
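A check worth running from the Windows server once both accounts exist, added here as an example and not part of the original article: it confirms that iis_proxy can authenticate to the CIFS share and that its rights really are read-only. The share path \\EHL-NW11-W\WEB\www is the one this article configures in Part 5; the probe file name is made up.

```batch
@echo off
rem Added example: run on the Windows web server, an address the restriction allows.
rem Server, share and account names are the ones used in this article.
setlocal
set "SHARE=\\EHL-NW11-W\WEB"
set "ACCOUNT=iis_proxy"
rem Hypothetical probe file name, only used for the write test below.
set "PROBE=%SHARE%\www\_write_probe_%RANDOM%.tmp"
set RESULT=0

rem "*" makes net use prompt for the password, so it is never stored in this script.
net use "%SHARE%" * /user:%ACCOUNT% /persistent:no
if errorlevel 1 (
    echo FAIL: %ACCOUNT% could not authenticate to %SHARE%
    echo       Check cifsctxs.cfg, the Simple/Universal Password and the address restriction.
    exit /b 1
)

rem Read test: IIS has to be able to list and read the content directory.
dir "%SHARE%\www" >nul 2>&1
if errorlevel 1 (
    echo FAIL: %ACCOUNT% cannot read %SHARE%\www
    set RESULT=1
) else (
    echo OK:   read access to %SHARE%\www
)

rem Write test: the proxy user was given read rights only, so this must be refused.
rem cmd may print "Access is denied." here; that is the expected outcome.
echo probe > "%PROBE%"
if exist "%PROBE%" (
    echo FAIL: %ACCOUNT% can write to the web root, trustee rights are too broad
    del "%PROBE%" >nul 2>&1
    set RESULT=1
) else (
    echo OK:   write attempt was refused
)

rem Drop the test connection so no session with these credentials lingers.
net use "%SHARE%" /delete >nul
exit /b %RESULT%
```

Running the same script from an ordinary workstation should fail at the first step if the Address Restriction from Part 2 is in place.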
Part 4: IIS Configuration - Create a new Web Site
Open the Internet Service Manager and expand Web Sites in the MMC. We
usually stop the Default and Administration websites before we create new
websites. Right click Web Sites and choose New Website. You'll get a
dialog with the description of the website. This is the name you'll see in the
MMC. We use the complete URL for our website to describe it, so there can be no
misunderstandings with for example, third party suppliers or supporters. Our
organization name is Etty Hillesum Lyceum and our domain name is ettyhillesumlyceum.nl
(I would've liked to go for ehl.nl but hey, I'm not management ;). Let's
go and enter www.ettyhillesumlyceum.nl,
because this is our default site and it must listen to all non-specified Host
Headers (the MS/IIS term for CNAME's):

Click Next to continue to the next step of the wizard. It will ask you to
specify the IP address and port it should listen on and the host header. As this
is our new default website, I leave all of these unchanged. Click Next to
continue. Now we get to an interesting step: the location of the files. We
can't enter a share here. Point it anywhere (C:\, D:\, E:\, C:\TEMP
or wherever). It doesn't matter, but for security reasons I prefer to create an
empty folder on a drive with a short name and point it there. See
the screenshot:

Click Next to get to the screen where you can select features. Our main
website doesn't need server side scripting, so I only select Read and
click Next. Click Finish in the summary screen to close the wizard.
Part 5: IIS Configuration - Modify Web Site configuration
Okay, now we modify the configuration of the newly created website. Right
click the website and choose Properties from the drop down menu. Go to
the Home Directory tab. The content for this resource is now being served
from "A directory located on this computer". Directly underneath that
option is "A share located on another computer". Select this:

Replace the selected text with the CIFS server- and share name. In our case
\\{server}\{share} would become: \\EHL-NW11-W\WEB\www\ and click the "Connect
As..." button. The following dialog will pop up:

Deselect the checkbox so you can enter custom credentials. After you've filled
them in it should look something like this:

Click OK to dismiss the dialog box and save the changes, and click OK on
the web site property screen. After a second or so, you should see the directory
listing of the files served from your NSS volume through CIFS:

And that is all! Now you can start adding and configuring ISAPI and CGI extensions like PHP and Perl to IIS to serve dynamic or server side content!
I hope that this helped some people ;)

