XIA Configuration Administrator's Guide

Symptoms

When you scan an IIS Server that uses a UNC path for a site or virtual directory you may see the following.

Error determining whether the physical path 'path' exists for the virtual directory. 

Access is denied

Cause

This error is caused by the authentication double hop issue under the following circumstances:

• The IIS Server that uses a UNC path for a site or virtual directory and that UNC path resides on a machine other than the IIS Server machine.
  
  
• The physical path credentials are set to "Application user (pass-through authentication).
  
  
  
  
• The XIA Configuration Client is installed on a separate machine to the machine running IIS Server.

More Information

The authentication double hop issue refers to the fact that a connection is made from the machine (in this case the machine running the XIA Configuration Client) to a second machine running IIS Server. When the PowerShell remoting connection then tries to connect to the machine where the UNC path is hosted the credentials are not permitted for this second hop.

For more information see the following article.

https://learn.microsoft.com/powershell/scripting/security/remoting/ps-remoting-second-hop

Resolution

• Configure the optional components to tolerate this issue.

- or -

• Configure the IIS server to use specific user credentials when accessing the UNC path.
  WARNING: This change affects the security level. 

- or -

• Install the XIA Configuration Client on the machine running the IIS Server.

- or -

• Install the XIA Configuration Local Service on the machine running the IIS Server.

- or -

• User Kerberos authentication for the scan and allow constrained Kerberos delegation.
  https://learn.microsoft.com/powershell/scripting/security/remoting/ps-remoting-second-hop
  
  NOTE: This is not compatible with custom credentials.