{"id":20,"date":"2006-08-04T11:02:01","date_gmt":"2006-08-04T16:02:01","guid":{"rendered":"http:\/\/www.nynaeve.net\/?p=20"},"modified":"2019-12-13T17:41:40","modified_gmt":"2019-12-13T22:41:40","slug":"using-the-symbol-proxy-in-cross-domain-scenarios-with-uncaccessfilter","status":"publish","type":"post","link":"http:\/\/www.nynaeve.net\/?p=20","title":{"rendered":"Using the symbol proxy in cross-domain scenarios with UncAccessFilter"},"content":{"rendered":"

If you have a symbol proxy setup and you need to have it talk to a symbol server path that references a UNC share on a server that isn’t on the same domain as the IIS webserver hosting symproxy, then you may need to do some hackery to get the symbol proxy to work properly without prompting for credentials to use on the network.<\/p>\n

\u00c2\u00a0Specifically, the problem here is that there is no way to tell IIS to try and map a UNC share with a particular username and\/or password before processing\u00c2\u00a0a request unless the request itself points to a network share.<\/p>\n

One way to work around this is to use a simple ISAPI filter that I wrote (UncAccessFilter) to make sure any required UNC paths are mapped before the symproxy ISAPI filter is called.\u00c2\u00a0 After installing the ISAPI filter in the usual way, make sure that it is prioritized above the symproxy filter.\u00c2\u00a0 To configure it, you will need to manually set up some values in the registry.<\/p>\n

\u00c2\u00a0Create the key “HKEY_LOCAL_MACHINE\\Software\\Valhalla’s Legends\\Skywing\\UncAccessFilter” and ensure that the user web requests will be running in has read access to it.\u00c2\u00a0 You will probably want to ensure that only the web access user, administrators, and the system account have read access to this key because it will have passwords stored in it (be aware of this as a potential security risk if someone gets access to the registry key, as the passwords are not obfuscated in any way).\u00c2\u00a0 Then, for each share, create a REG_SZ value whose name is the share path you want to map (e.g. \\\\fileserver\\fileshare) and whose contents are of the format “username;password”, for instance, “fileserver\\symbolproxyuser;mypassword”.<\/p>\n

To debug the filter, you can create a REG_DWORD value in that key named “DebugEnabled” and set it to 1, in which case the IIS worker process under which the ISAPI filter is running in will do some diagnostic\u00c2\u00a0OutputDebugString calls about what operations it is performing\u00c2\u00a0if you have a debugger attached\u00c2\u00a0to the process.\u00c2\u00a0 Assuming you configured the filter properly, on startup, you should see a series of messages listing the configured UNC shares (you may need to attach to the svchost process that creates the w3wp worker processes and use `.childdbg 1′ to catch this message for the new worker processes on startup).<\/p>\n

If you are using the prebuilt binaries then make sure to install the VC++ 8 runtimes<\/a>\u00c2\u00a0on the IIS server first.\u00c2\u00a0 Note that the prebuilt binaries are 32-bit only at this time, you’ll need to rebuild the ISAPI filter from source if you want to use the filter in 64-bit mode.<\/p>\n

Be aware that the ISAPI filter is fairly simple and is not extraordinarily robust (and may be a bit slow if you have high traffic volumes, since it enumerates mapped network shares on every incoming request).\u00c2\u00a0 Additionally, be aware that if one of the servers referenced in the registry is down, it can make web requests that you have configured to be filtered by UncAccessFilter take a long time as the filter tries unsuccessfully to reconnect to the configured share on that server.\u00c2\u00a0 However, when properly configured, it should get the job done well enough in most circumstances.<\/p>\n

Note that if you can get away with using the same account for all of your shares, a better solution is to simply change the account the web application associated with the symbol proxy is running under.\u00c2\u00a0 If you need to use multiple accounts, however, this doesn’t really do what you need.<\/p>\n

Update: It would help if I had posted the download url<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you have a symbol proxy setup and you need to have it talk to a symbol server path that references a UNC share on a server that isn’t on the same domain as the IIS webserver hosting symproxy, then you may need to do some hackery to get the symbol proxy to work properly […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,5],"tags":[],"_links":{"self":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/20"}],"collection":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=20"}],"version-history":[{"count":1,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/20\/revisions"}],"predecessor-version":[{"id":659,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/20\/revisions\/659"}],"wp:attachment":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=20"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}