I have an issue with our ASP.net application not being able to read files from a remote directory. Our users log into our application using Forms Authentication, so no AD accounts are used in logging them in.
I have added the machine accounts the machines to the share, as I have a local service on the machine that can write to it and a SQL server able to read/write to the share with a machine account.
However, our asp.net app, running on the same server as the service above, is is not able to do this. I have tried impersonation set to true, but this does not work unless I provide an AD account. Once provided, the share works fine.
I can't move the share to the IIS server due to size constraints.
Is there anyway to allow easy access or do I need to take the interop approach?
The account the application pool runs under needs access on the remote folder. Add that account to the security tab(not only share tab) of the remote folder.
Or, try running the apppool as the AD account you used for impersonation.
Related
Hope you can help.
We have a web application (.NET 2.0) that has some custom code that is used to poke a windows service when a file is uploaded. We issue a command using the following code:
Dim serviceName As String = "Processor Service 1.0"
sc = New ServiceController(serviceName)
sc.ExecuteCommand(200)
Running this code in a standalone app works fine but when running through website throws an access denied error. Code works fine in IIS 6.
We are using an application pool with a user and is in Admin group. I figure it's something to do with IIS but now sure what.
Hoping you guys can help.
Thanks
The permissions that are needed to interact with local services are pretty high. Your asp.net app is likely running as anonymous (local account IUSR), or the "application pool identity". You would have setup your app in IIS (app pool) to use a different account with greater permissions.
In IIS Admin, under the section "IIS", "Authentication", you need to enable a stronger authentication method. If "Anonymous Authentication" is the only one enabled, then check the settings "Edit" to see if it is running as IUSR or "Application pool identity". This is where you determine, or set, the account (and permission set) that your ASP.NET app is using.
I feel that I should strongly warn against elevating the permissions for IIS and anonymous users. This would create a very dangerous back-door into your system. The suggestion from bgs264 is a very good one: make a separate service (or scheduled process) that watches for file uploads, or modify the existing service to use the file-watcher to monitor for uploaded files. It could run under a higher permission set and would be much more isolated from your IIS. Granting admin permissions to IIS or its app pools, is just like begging for trouble.
I'm trying to track down why when the web app accesses a network drive, I see Network path not found (error 53). When I log into the server I can open up a file on that drive with no problem. But the application (asp.net) cannot. I was wondering if this was a permissions error and that lead me to try to find out what the usename of the app is and where I would find that out.
It depends on your OS version and your security settings. Your web-site should have an app pool assigned to it (which may be shared with other applications). By default in windows server 2008R2 the pseudo account ApplicationPoolIdentity is used, which is not really an account.
IIS Accounts
You can check under advanced settings for the app pool and see what it is using. I believe if you have impersonation set up in your web.config, the app pool will access resources using the credentials of whomever is using the application--you can use Kieran's snippet to get that information.
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.
I am in the process of deploying a web application on IIS5 on my server which runs windows XP.So when i run my application in visual studio its perfect.But when i deployed it into IIS it throws me an error saying that the access denied to a particular file.
My app reads a xml file based on the input(which is nothing but the other system in the network).As i browsed to the properties of that file manually and unchecked the read only attribute,still it dint work out.Can any one guide me to the proper solution ?
you might have to give read/write (if needed) to following users:
iis_wpg
network service
aspnet
In IIS, your site runs under the credentials of the application pool assigned to it. You can either change the credentials of your application pool to an account that has permission to access that file, or else grant access to the default account that the application pool is currently using.
You mention that you are using basic auth...
Generally, the web application will then impersonate the user logged in.
So, if your file isn't accessible by the user that logged in, then it won't be accessible to the web application impersonating them on the system either. You will need to check the permissions of those files and set them accordingly.
I have an ASP.NET web application that runs on a windows server 2003 server.
there is a form that reads and writes data to an xml file inside the application's directory.
I always grant the NETWORK SERVICE user full control on my application folder so that it can read and write to the xml file.
I put the application on another windows server 2003 server and did the same steps above but i was getting an Access denied exception on the form that reads and writes to the xml.
I did some search and found that if you grant the user ASPNET full control to the directory it would work, I did that and it worked fine.
my question is: what is the difference between granting full control permissions to NETWORK SERVICE and ASPNET users ?
and what can be the difference between the two servers that caused this issue ?
thanks
In all cases, you need to grant the application pool's user account the appropriate access. Application pools were introduced with IIS6. Before IIS6, the .NET application ran under the user account configured in the machine.config file so you would look there to determine the user that needs access.
Network Service is assigned to application pools by default. It sounds like someone set it up differently on one of the servers.
Ideally, you should not be using either account.
You should create a low privilege account that only has access to the resources you need for each web application you have. Add the new account to the IIS_WPG user group. Then create an application pool for each application and set it to run as the user you created specifically for it.
See this article (TechNet) for directions on changing the identity of the app pool.
The configuration I described is now the default in Server 2008 R2/Win 7 (source).
Unfortunately, because someone changed the default configuration on your second server, there is no way for us to tell you what the differences between the two accounts are.
What you will need to do (or have your IT department do) is compare the permissions each account has on the local machine. This will be tedious. However, if you can run powershell, you can use this article to write a script to list out the permissions for each account and compare them.
Good luck finding the differences.