tl;dr: critical bits are in bold.
We have a website page that, when executed, is supposed to read in a series of files, zip them up, and return them to the user.
Unfortunately, we are running into an error:
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
My line attempting to access the file currently looks like this:
using (FileStream x = File.Open(#"\\thedirectory\filename.pdf", FileMode.Open, FileAccess.Read)) { }
(This line doesn't do anything useful other than try to open the file, since right now I'm just trying to see if I have access at all.)
This code works, and opens the file without a problem if I copy the file to a directory on my machine and have the path go there. But if I go to the remote machine where the original file is, no dice.
I went down a rabbit hole for a while trying to make sure that whoever the ASP.NET process was running as, that process had permissions to the directory. However, since that wasn't working and I was getting desperate, I have given "everyone" all access rights to the remote directory as a test. Still getting the same error.
I'm guessing this is a permissions issue (since that's what it's claiming) combined with the fact that the code works when pointing at a local file. However, since I've already given "everyone" all permissions, I'm lost as to what could be going wrong.
Ideas?
I'm guessing that the other files are on a different machine, here is one possiblity: https://serverfault.com/questions/41130/network-service-account-accessing-a-folder-share
Another possiblity is to impersonate a domain account that has access to the target folder- http://support.microsoft.com/kb/306158
Or change the service account to a domain account that has access to the target folder.
Related
I have two servers: server A which is a web server running an ASP.NET application on IIS, and server B which is an SSIS server with a network share that contains a configuration file.
I need server A to be able to write to the configuration file on server B. This seems fairly straight-forward, however I keep getting the error: "Access to the path \\ServerB\files\config.xml is denied." What I have done for testing, to make this perfectly clear:
I have set "Everyone" to have full control of the folder.
I have set "Everyone" to have read/write access on the share.
I have set "Everyone" to have full control of the file.
I have verified that the file is not read-only.
I realize this isn't a good solution, I am just doing this for debugging so please don't comment to tell me not to do this.
Anyhow, even with these things set, I still get "Access is denied." I have also explicitly given access to a number of users, including Network Service, IUSR, Anonymous Logon, and IUSRS group, and it has not fixed the problem.
The application pool on Server A is using ApplictionPoolIdentity. I have Googled and Overflowed and found suggestions to give permissions to things like IIS AppPool\{Application Pool} or {MACHINE}\ASPNET, but I cannot access these resources from Server B so I do not understand how this would be possible.
Finally, the perplexing thing is that developers running solutions on their local machines are able to access the file. So it is something to do with how something is configured with Server A, however I cannot figure out what.
Edit: Truly wacky stuff going on here. I have figured out how to enable auditing and get the requests logged in the event viewer on Server B. When the developer runs the process from his local, I can see all the requests logged on Server B. Eg: "A network share object was checked to see whether client can be granted desired access."
However! When attempting to connect from server A, nothing gets logged. Nothing is there at all. Server A throws an "access to the path is denied" error, but I don't even see the request from Server B. :(
It has been long time ago but maybe it could be useful for someone.
Try and use the class NetworkConnection to access to the shared folder. You'll need to specify the path and credentials.
More reference about the class here:
https://gist.github.com/AlanBarber/92db36339a129b94b7dd#file-networkconnection-cs-L15
You seem to be using all Local Identities and I think that will not work on a network share despite what permissions you give. You need to make a domain user and run the app pool with that user and you should be good to go.
Also please do verify if the path is reachable or its access denied. Sometimes we go get the access denied message even though the path was not reachable.
You may need to edit settings in the Group Policy Editor on the machine where the share is hosted.
Open the Group Policy Editor via Start → Run → gpedit.msc. Set the following under Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options:
Network access: Shares that can be accessed anonymously - Enter the name of the network share folder (files in your question above) in the text field. (Don't include the hostname.)
Network access: Let Everyone permissions apply to anonymous users - Set to Enabled. (For me, this was necessary for write access to be granted.)
When done making changes in gpedit.msc, from an admin-elevated command prompt, run gpupdate /force to apply the Group Policy changes.
Obviously, you should consider the security implications in your specific situation before making these changes.
You have to modify ApplicationPoolIdentity according to this article http://blogs.msdn.com/b/vijaysk/archive/2009/02/13/goodbye-network-service.aspx as it works with the NetworkService identity
Under system.web, on identity tag, set impersonate=true also set username and password of the production server
Assuming the website is stored at c:\websites\testing.com\
Currently, the web application writes files to:
/uploads/
/robots.txt
/sitemap.xml
Rather than having to give permissions to each file, is it a security implication to just give read/write access to the whole c:\websites\testing.com\ folder for the application pool user (e.g IIS AppPool\testing)?
What is the 'worst-case' that could happen?
It depends on how secure your application is. I'd pay particular attention to any Path Traversal vulnerabilities. e.g. if it is possible for a user to upload a file passing the filename as "../foo.aspx"? You'd have to test this using an intercepting proxy. If so it may be possible for them to write a file into your root folder.
This is one example of path traversal, it doesn't necessarily have to start with the double dots. If you are confident your application is secure there is minimal risk, but since there are only 3 files & folders in your case it may be better to apply the permissions individually.
In the event viewer, around every 5 minutes I am getting the event described here: http://technet.microsoft.com/en-us/library/cc735145(WS.10).aspx
"FailedRequestTracing module failed to create directory '%3'. No logs
will be generated until this condition is corrected. The problem
happened at least %1 times in the last %2 minutes. The data is the
error."
The fix is supposed to be allowing IIS_IUSRS write access to that directory.
Not only did IIS_IUSRS have write access, but I have also allowed IUSR, NETWORK SERVICE and the plesk panel IUSR accounts for all 3 of my domains, and I am still getting the error.
I can't help but think this is something really stupid with Plesk Panel. Fairly sure that every weird problem I've had has stemmed from Plesk, unfortunately my server was pre-configured with it. Is there a way to find out what user IIS is trying to access the log files with so I simply grant it permission?
The issue is not that you don't have correct permissions, it's about having multiple application pools and hence, instances of the native FailedRequestsTracingModule running.
The failed request tracing directory is created per-site and not
per-app-pool - so if you have multiple apps running under multiple
app-pools, they will each try to use the next filename in sequence and
hence fail - we could probably add some retry logic to try other
numbers in case of such collision.
http://forums.iis.net/t/1158660.aspx?Failed+Request+Tracing+Event+2284
I am using asp.net 3.5. And i am serializing an object in server, I rent a hosting and i want to modify something in a dinamic way with XML,
This is my code :
Stream writer = new FileStream(Environment.CurrentDirectory + #"\public_html\" + nombrearchivo.Text, FileMode.Create);
serializer.Serialize(writer, p);
this is my error message:
Exception Details:
System.UnauthorizedAccessException:
Access to the path
'C:\Windows\SysWOW64\inetsrv\dasd.xml'
is denied.
Thanks!!
The answer is in the error message: "access denied"
You do not have write permissions to that folder, which makes perfect sense; you shouldn't have write permission to that folder, at least you likely shouldn't.
If you need to cache something for later use, either use session for temporary storage, or talk to your hosting company about getting write permission for longer-term storage.
Environment.CurrentDirectory is a per process property that most likely is not the directory you want; in this case, it is the directory in which the IIS worker process is launched.
In any case, for typical ASP.Net hosting (as opposed to physical or virtual server hosting), you will be restricted by Code Access Security policy as well as the rights of the IUSR account that the IIS worker process runs as; typically this means very minimal privileges so as to attempt to limit the damage of a compromised or malicious web page script, usually significantly less than the privileges of your application-uploading login.
In short, you will need to arrange for an application-writable directory (and likely greater than medium ASP.Net trust as well) if you want to save files.
I discover that the problem was the path...
"\hmfsw\web\DTCWIN107\MYSITE.com\public_html\"
Worked fine! after asked the hosting provider 8 times they could tell me the right one
Thanks you very Much!!
I've got an ASP.NET application that is trying to delete a file on a network share. The ASP.NET application's worker process is running under a domain account (confirmed this by looking in TaskManager and by using ShowContexts2.aspx¹).
I've been assured by the network admins that the process account is a member of a group that has modify permissions to the directory that contains the file I'm trying to delete.
However, it is unable to do so, and instead I get an exception (changed the file path to all x's):
System.Web.HttpUnhandledException: Exception of type
'System.Web.HttpUnhandledException' was thrown. --->
System.UnauthorizedAccessException: Access to the path
'\xxxxxxx\xxxxxxx\xxxxxxx\xxxxxx.xxx' is denied.
Any ideas on how to diagnose/fix this issue?
http://www.leastprivilege.com/ShowContextsNET20Version.aspx
Ensure your ASP.NET worker process has access to the specified file path.
You can try giving "full control" access to "everyone" and then paring back access until it works with the permissions you want.
It sure sounds like you are not running under the proper context.
A suggestion to deal with this a different way (a way that is much more secure) is to run under the default account and map to the network drive using the WNetAddConnection2 windows API. Using this API you do not change the context that ASP.net runs under, you simple map a drive connection. You can specify either a domain account or a local account. You can have it actually map a drive letter or you can just authenticate to a drive share without mapping a letter.
I have used this API from asp.net more than once and it works beautifully. Because you do not give ASP.net increased privileges this is much more secure.
More information on the WNetAddConnection2 API:
http://msdn.microsoft.com/en-us/library/aa385413(VS.85).aspx