I have an ASP.NET application that's trying to copy a file to a remote share that's on a server on another domain ("REMOTEDOMAIN"):
File.Copy(#"c:\Test.txt", #"\\REMOTEMACHINE\Share");
When we get to the File.Copy method, I'm getting "Login failure: Unknown user name or password" when trying to connect to the share through the local IIS install. This is despite the share itself having "Everyone" read/write permissions (temporarily, at least). The Security log on the remote server logs the same error, so I know the process is at least trying to get to the right place.
I sort of understand why, as the website's application pool is attempting to authenticate with an account on LOCALDOMAIN and not REMOTEDOMAIN.
However, the weird thing is, the entire process works fine when I test through the ASP.NET Development Server instead of IIS, despite the fact that both the Development Server and the IIS Application Pool are using the same credentials.
Any thoughts on how to further diagnose this? Unfortunately the test site has to remain on LOCALDOMAIN and the files still have to be copied to REMOTEDOMAIN; I can't move one site to the other or vice versa.
Everyone does not include Anonymous, so the user still needs to be in the domain of the REMOTEDOMAIN (http://support.microsoft.com/kb/278259). You could get this working by allowing "Guest", but it would be a security nightmare of course so it is not much of a help.
The solution would be to impersonate Asp.Net user: http://support.microsoft.com/kb/306158
One hack that you should know is that if the IIS is not in the remote domain, you can go around this problem, by setting up local (non-domain) users on both machines and setting the same password for both of them.
despite the fact that both the Development Server and the IIS Application Pool
are using the same credentials.
Are you absolutely sure about this? If you are talking about the Visual Studio dev server, it runs on your account. And typically Asp.Net runs as "Network Service"
Related
Is it good /Fine to connect website on iis as administrator user and not as regular user given by host company?
I need this to download pdf(rotative) for example..
and i notice that it is obligatory(for default application pool in basic setting to connect as administrator) even to enable the website lunch and work..
so i need to know if connecting as administrator - (in advance setting->identity) or in basic setting - is a problem or not fine for websites and is it true that if:
The web application runs as admin, then anyone who wants to run a known exploit (either in IIS, ASP.NET, Rotativa or your application code), will be able to do so and have access to the entire machine
This question:
IIS application pool access to remote directory on network ask how to allow iis to have the ability to access a file on a network drive. The answer is to set up a user with the appropriate rights and set the application pool identity to that user. We've done that and when we restart the app pool we get a 503 error on our web app.
It appears that the app isn't actually starting.
Here are more details which may help you analyze the problem:
This is Windows Server 2008 R2, iis 7
Our username is abc123\_svc_OSAT (Domain name isn't actually abd123 but I need to obscure it rather than risk publishing internal company information)
As abc123\_svc_OSAT I can map a drive to \\FPIAPPS01\Logs which is a directory on a network server so we know that this user has network access.
In iis we click on our app pool, select Advanced Settings, select Identity, Select the .. button, select "Custom Account" and set it to the user abc123\_svc_OSAT and use the proper password. We then stop and start that application pool.
When looking at the app in a browser we get a 503 error. Checking the logs at C:\inetpub\logs\LogFiles\W3SVC1 we don't see any error. However, the application appears not to have actually started.
Does abc123_svc_OSAT need a specific permission which we may be
missing?
Is there any other place with a log file which we should
look to get a better idea of what is causing the problem?
Thank you.
Does abc123_svc_OSAT have access to directory that hosts your ASPX files? The log files you are looking at are only for logging access to your website. You will want to check the event viewer to see the actual IIS error.
We ended up making the user an administrator and that worked. That's probably too broad for sufficient security rights. We'll keep looking. But it does show that the issue was somehow related to user roles rather than a password issue.
I am trying to deploy an asp.net 4 app to a new microsoft server 2008 R2
I have set up the application as I have done dozens of times before and set the folder permissions appropriately.
I have tried setting the application pool name directly to have write permissions
I have tried setting IUSR, IIS_IUSRS, NETWORK SERVICE and Users.
I have confirmed that windows authentication is disabled and anonymous is enabled as well as forms authentication is enabled. Logging in works fine i can access all pages normally except if i try to write to the folder. Then a password is required box pops up which looks like windows authentication (even though its disabled)
Every post here states and in my past experience says if I set the folder permissions for the defaultidentity application pool it should work, but for some reason this server wont let me do it!
Any help would be most appreciated.
Welp this turns out to be a really weird one. For some reason when SQL reporting services is installed it reserves the folder name "Reports" in any IIS Web application folder regardless of whether your actually using Reporting services. Its not created by default or anything, but if you happen to create folder titled "Reports" dont expect to access anything from it. After many hours of frustration it turns out it's a random reservation which doesn't throw any error just somehow overrides your authentication protocol to use windows authentication for their reserved folder.
Thanks Microsoft!
Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile sitting to "True". Strongly naming all the assemblies the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool have never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
in my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identify (a domain account). This caused this unable to acquire permissions even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pools identity attribute (in advanced settings) as administrator. That way, you application will work on the server, just like it works on the local setup.
I have code running in an ascx within PageLayout within SharePoint 2007 that accesses files on a remote server i.e. File.Create("\servername\sharename\folder\file.txt"). The code runs within a SharePoint web application that has CAS trust set to Full in the web.config. The File.Create throws the following exception:-
System.UnauthorizedAccessException
Access to the path '\\servername\sharename\folder\file.txt' is denied.
The share is shared to Everyone with Full Control and the NTFS permissions are set to Everyone with Full Control. The web application app pool is running under a domain account also with explicit permissions to access that resource (not that this should be needed).
I ran Process Monitor on the remote machine and no hits were being recorded on the server. This leads me to believe that it is an issue with the SharePoint Code Access Security settings. Like I've said above, the trust in the web.config is set to Full.
Is it possible that CAS is still blocking the remote access? Can anyone think of any other area to review?
Update
A bit more information...
I've tried making the app pool acct domain admin and the problem still occurs. When using the same method to access a drive on the local machine it works fine. Running the same code in SnippetCompiler outside of sharepoint using the app pool account works fine.
Hope this helps, let me know if you can think of any more avenues of investigation or tests I can try.
Update
Im not sure if this would affect the issue but the local server is running Windows Server 2003 and the remote server is running Windows 2000.
Update
I've just tried running the code through a web part and it works fine. The file structure I use in the project that is failing is as follows:-
wss
- VirtualDirectories
- SharePointWebApp
- ...sp web app files
- .
- .
- PageLayoutControls
- control.ascx
- .
- .
Then in IIS I have the following structure:-
IIS
- Websites
- SharePointWebApp (pointing to \wss\VirtualDirectories\SharePointWebApp)
- PageLayoutControls (virtual directory pointing to \wss\VirtualDirectories\PageLayoutControls)
Then within the PageLayouts I reference the controls using the following:-
<%# Register TagPrefix="TEST" TagName="MyControl" Src="~/PageLayoutControls/control.ascx" %>
<asp:Content ContentPlaceholderID="PlaceHolderMain" runat="server">
<TEST:MyControl id="myControl" runat="server"/>
</asp:Content>Let me know if you need more info.
Update
The mystery deepens...
When I access the sharepoint site from Internet Explorer (6 or 7) on the SharePoint web front end server I do NOT get the exception.
When I access the sharepoint site from Mozilla Firefox from the SP web front end server I DO get the exception.
When I access the sharepoint site remotely from ANY browser I get the exception.
Also, it makes no difference what user I use to log on to the site, as long as they have permissions to access the sharepoint site.
Any thoughts?
Update
Hmm, I've now found that if I access the sharepoint site remotely and the sharepoint site tries to do a File.Create() locally (i.e. File.Create("C:\temp\abc.txt")) then it works. If I access the sharepoint site from the sharepoint box and do a File.Create() remotely (i.e. File.Create("\ServerName\ShareName\FolderName\file.txt")) then it works.
It only fails when I access the sharepoint site remotely and have the sharepoint site try to do a File.Create() remotely as well. Kind of a double hop problem. This makes me think it may be an NTLM / Kerberos issue.
Currently, we are running using NTLM authentication.
Has anyone else experienced this sort of issue?
Update
Yep, I'm pretty sure this is an NTLM issue not allowing a double hop. I just changed the authentication on the sharepoint site to use Basic Authentication and its worked. Changed it back to Integrated Authentication and it failed.
Now to decide whether to move the farm to use Kerberos or find another way around the issue. :-/
Update
Just giving SPSecurity.RunWithElevatedPrivileges a shot now. One thing though, is RunWithElevatedPrivileges meant to be used in this context? Previously, I've only used it to get access to lists and libraries within SharePoint rather than accessing a file access the network.
Any thoughts?
Update
Yep, SPSecurity.RunWithElevatedPrivileges resolves the issue. :-)
I wonder if this is the double-hop issue and that your code is trying to access the resource as the impersonated user, but that fails because NTLM will not impersonate to another server (Kerberos would).
Have you tried SPSecurity.RunWithElevatedPrivileges? That would remove the impersonation (RevertToSelf) and then maybe the application pool owner can just act as himself (herself?) whereas maybe it couldn't before.
Just a thought and should be pretty easy to try out.