Last Reviewed: March 6, 2005
Article: DTS0129
Applies to: dtSearch Web (all versions)
1. dtSearch Web says it cannot display a document because the document is not in a virtual directory folder.
2. Users are prompted for a password when attempting to search with dtSearch Web, or when attempting to view a document in search results.
1. dtSearch Web says it cannot display a document because the document is not in a virtual directory folder.
Documents on an internet site are usually placed in virtual directory folders. These are folders that have been designated as part of your site and that have been given a "virtual directory" or "alias" such as /Docs. By default, dtSearch Web will only display documents that are located in a virtual directory folder, and will display an error message if a user tries to access documents located in other folders. The purpose of this is to provide an additional layer of protection against unauthorized access to documents.
To create a virtual directory:
1. Start Internet Services Manager
2. Open the web site
3. Click Action > New > Virtual Directory
4. Set up the virtual directory to point to the folder with the documents that you want to make accessible
5. Close Internet Services Manager
6. Click Start > Programs > dtSearch > dtSearch Web Setup
7. As soon as the dtSearch Web Setup dialog box appears, close it
You do not need to reindex your documents after creating a new virtual directory. However, you do have to run dtSearch Web Setup again so that dtSearch Web will know about the new virtual directory. (It is not necessary to reinstall dtSearch Web or to create a new search form. All that is needed is to start dtSearch Web Setup and then to close the program. This will refresh the registry tables that dtSearch Web uses to identify virtual directories.)
Allowing access to non-virtual folders. dtSearch Web includes an option to allow documents outside of a virtual directory to be displayed. To enable access to non-virtual folders, check the Allow access to non-virtual folders box in the Options tab in the dtSearch Web Setup dialog box. If this option is checked, it is very important that all files accessible from the web server be properly secured against unauthorized access. Please see the "Security" topic in the dtSearch Web help file for more information. Generally, instead of allowing access to non-virtual folders, it is better to create a new virtual directory for any additional documents that you want to make available.
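The default restriction described in this section amounts to a path containment test against the site's virtual directory table. The following is an added example, not dtSearch Web code; the alias table, the folder paths and the function name are assumptions made for illustration. It shows why the test has to normalize the path first: ".." segments, mixed case and a sibling folder such as c:\docs2 must not be treated as being inside c:\docs.

```python
import ntpath  # Windows path rules, usable on any platform

# Constructed alias table: virtual directory alias -> physical folder.
VIRTUAL_DIRS = {
    "/Docs": r"c:\docs",
    "/Manuals": r"d:\shared\manuals",
}


def _canon(path):
    """Collapse '.' and '..', unify separators and fold case."""
    return ntpath.normcase(ntpath.normpath(path))


def virtual_url_for(file_path, virtual_dirs=VIRTUAL_DIRS):
    """Return the URL path for file_path if it lies inside a virtual
    directory folder, otherwise None (the document would be refused)."""
    target = _canon(file_path)
    if not ntpath.isabs(target):
        return None  # relative or drive-relative paths are never accepted
    for alias, folder in virtual_dirs.items():
        root = _canon(folder)
        try:
            common = ntpath.commonpath([root, target])
        except ValueError:
            continue  # different drive letters: cannot be contained
        # commonpath compares whole path components, so c:\docs2 is not
        # mistaken for a child of c:\docs the way a startswith() test would.
        if common == root and target != root:
            rel = target[len(root):].lstrip("\\")
            return alias + "/" + rel.replace("\\", "/")
    return None


if __name__ == "__main__":
    for p in (r"c:\docs\abc.doc", r"c:\docs\..\windows\win.ini",
              r"c:\docs2\abc.doc"):
        print(p, "->", virtual_url_for(p))
```

String normalization does not resolve junctions, symbolic links or 8.3 short names, so a production check should resolve the path on the server's file system before comparing.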
2. Users are prompted for a password when attempting to search with dtSearch Web, or when attempting to view a document in search results.
A password prompt means that dtSearch Web tried to access the document or index using the rights of the user currently accessing the site, and access was denied. When dtSearch Web receives an "access denied" error trying to open an index or a document, it returns a code to the web browser that tells the web browser to prompt for a user name and password.
A password prompt that appears when a user clicks the Search button indicates that access was denied to the index. A password prompt that appears when a user clicks on a document in search results indicates that access was denied to the document.
1. If the document or index that cannot be accessed is on a different server, see "Delegation" under "Additional Information," below. The remainder of this troubleshooting section will assume that the resource is on the same server as dtSearch Web.
2. In Internet Services Manager, create a virtual root for the folder containing the document or index with the access problem, if one does not already exist.
3. Put a sample HTML file in the same folder as the document or index with the access problem.
4. Attempt to access the sample HTML file from a client machine. You should see the same password prompt that appeared in dtSearch Web.
5. Adjust the security settings for the folder until the HTML file can be accessed from the client machine. To change the security settings for the folder, right-click it in Explorer, select "Properties," and then click the Web Sharing tab.
Example 1. Problems accessing the file c:\docs\abc.doc.
Create a virtual root making "/docs" an alias for "c:\docs", and put a sample html file, sample.htm, in c:\docs. Then try to access /docs/sample.htm through a browser, and adjust the security settings until the file can be accessed.
Example 2. Problems searching the index c:\docs\index.
Create a virtual root making "/docs" an alias for "c:\docs", and put a sample html file, sample.htm, in c:\docs\index. Then try to access /docs/index/sample.htm through a browser, and adjust the security settings until the file can be accessed.
Once you are able to access the sample HTML file from a client machine, you should be able to access the dtSearch Web index and documents as well.
Delegation
Delegation problems occur when a user on a client workstation tries to use Web Server A to access a resource on Server B. For example, Web Server A may contain dtSearch Web and Server B may have the documents and indexes to be searched. When the administrator tries a search while sitting at Server A, the administrator is able to access documents and indexes on Server B. However, when sitting at a client workstation, the administrator cannot get access to the Server B indexes and documents through dtSearch Web on Server A. The same problems will occur with any other resource on Server B, such as a web page. The administrator is unable to access the documents or indexes even after logging in with the Administrator user name and password.
The KnowledgeBase articles and the Stabbert article cited below under "Resources" explain delegation problems and provide workarounds for them. The problem is that the Windows NT 4 security model does not allow Web Server A to use a logged-in client's authentication to access secured resources on Server B using Windows NT Challenge/Response authentication. As the article puts it, "Using Windows NT Challenge/Response, there is no way a process relying on impersonation can access so much as a text file on another Windows NT box." (Impersonation is the process that Internet Information Server (IIS) uses to respond to internet requests. When a user requests information from an IIS web site, the IIS process "impersonates" the user when accessing secured resources.)
Security Workarounds
The workarounds all involve stripping away some of the security protection around the resources on the two servers. One workaround is to switch from Challenge/Response authentication to Basic Authentication, which results in passwords being sent through the network without encryption. An alternative is to open up both Web Server A and Server B to anonymous access, and to ensure that Server B has an anonymous user and password that match the anonymous user and password for anonymous access to Web Server A. The Stabbert article contains details on both workarounds.
Recommended Workarounds
Workarounds that do not involve compromising security are:
(1) Transfer the resources from Server B to Web Server A so that they can be accessed directly,
(2) Put dtSearch Web on Server B and give it its own search page,
(3) Link directly to the documents in search results (so hits will not be highlighted). To do this, change %%HighlightLink%% to %%DirectLink%% in your dtsearch_options.html file.
(4) Build an index that caches documents, so dtSearch Web can highlight hits by using the cached copy of each document instead of accessing the original server. For more information, see:
dtSearch v.7 index format
http://www.dtsearch.com/index7.html
Resources for Windows 2000 and Windows NT Web Site Security
How to Create Virtual Directories to a Remote Novell NetWare Share
Microsoft KnowledgeBase Article Q285159
http://support.microsoft.com/support/kb/articles/Q285/1/59.asp
HOWTO: Accessing Network Files from IIS Applications
Microsoft KnowledgeBase Article Q207671
http://support.microsoft.com/support/kb/articles/Q207/6/71.ASP
Security Ramifications for IIS Applications
Microsoft KnowledgeBase Article Q158229
http://support.microsoft.com/support/kb/articles/Q158/2/29.asp
HOWTO: Impersonate a User from Active Server Pages
Microsoft KnowledgeBase Article Q248187
http://support.microsoft.com/default.aspx?scid=kb;EN-US;248187
P. Enfield, Developer Support Engineer, Microsoft, Implementing a Secure Site with ASP (October 24, 1997), MSDN CD.
S. Stabbert, Microsoft Internet Developer Support, Authentication and Security for Internet Developers (October 10, 1997), MSDN CD.
M. Streebe, C. Perkins, and M. Moncur, NT 4 Network Security (Sybex Network Press 1999) ISBN 0-7821-2425-9.