How to give NT AUTHORITY\IUSR access to shared folder content? - asp.net

I find something related, but not same thing.
The error "Login failed for user 'NT AUTHORITY\IUSR'" in ASP.NET and SQL Server 2008
My issue is that the files are shared on the network, and I would like to debug from local IIS, I find that all static files seems to be access denied (401.3)
I have used the trace system, and find that the IIS is accessing the source using "NT AUTHORITY\IUSR"
Url http://localhost:8451/umbraco_client/panel/images/panel_boxhead_h2_bg.gif
App Pool Debug451
Authentication anonymous
User from token NT AUTHORITY\IUSR
Activity ID
I have set the shared folder to be accessible to everyone, and changed the application pool's identity to domain administrator.
I have also tried to use 'Network Service' as identity and assign Domain\MachineName$ full access to the shared folder...
It looks to me that iis always using "NT AUTHORITY\IUSR" to access static resouce? If so, how can I give access on a shared folder to a local account? Or how can I force IIS to use some other identity?
update:
as there are some new answer to this old question which I gave up at that time. I accentually have encounter this similar issue again recently on a server running windows 2008 R2, which I resolved, and I would like to give some update.
I resolve the issue this time by add read permission to $ComputerName/Users. This seems only an issue with server environment, and not sure if related to any group policy or similar kind. Hope this might help someone in future.

Once you have configured the user of the application pool to have access permission to the shared folder ( create a new user in windows and add it to the IUSER group, and add specifique access rights to the shared folder for that user), YOU HAVE TO change in IIS the Authentification settings: IIS->site that need access->Authentification settings -> anonymous authentification->edit->select aplication pool identity (instead of IUSER).

Make sure you have enabled IIS to serve static content. I had this issue, too, and it drove me nuts until I figured that out.
In "Turn Windows Features on or off", go to "Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content" (for Windows 7; you'll have to find the similar option in XP).
I don't know how much this will help, but also see Microsoft's documentation.

this worked for me, thanks.
Go to the Shared Folder –> right click –> properties -> security –>edit –> add (so far as usual ) -> choose object types –> check on computers –> now enter the computer name where your application is working from , where you published your application

You can try $[computername]\IUSR > you'll want to use advanced search to look this one up in windows permissions.
Or... you can set up your shared folder as drive on IIS's local and access it that way. So [serverb]\share becomes mapped to a letter on server A and IIS accesses it that way.

Set the identity of the application pool by going to advanced settings:
Remember to edit the Anonymous Authentication and either use the application pool identity or else specify a user account that has access to the resource you are wanting to access

Related

What are the IIS 8 required NTFS Permissions?

This questions has been asked, A LOT, but I've yet to figure out a proper solution. I've got a Windows Server 2012 server with of course IIS 8. I'm setting up a very, very, simple website on it with an HTML file that has Hello World in it. On the folder for the website I have the following permissions set up:
SYSTEM (local account, Full Access)
Administrators (local group, Full Access)
FTP (domain account, Full Access)
NAME_OF_APPPOOL (virtual account, Full Access)
So, with all of these permissions I still get a 401.3 - Unauthorized error from IIS. What am I missing in all of this?
The only thing that's made the website accessible so far was a desperate attempt by putting Everyone with read-only permissions. I think we can all agree that's just dumb as far as security goes...
Update
This is what the Application Pool Identity is set to at the moment.
Check #5 to make sure the AppPool the site is using is actually set to use the Identity you are adding NTFS permissions for.
Specify an Identity for an Application Pool (IIS 7)
Open IIS Manager.
In the Connections pane, expand the server node and click Application Pools.
On the Application Pools page, select the application pool for which you want to specify an identity, and then click Advanced Settings in the Actions pane.
For the Identity property, click the ... button to open the Application Pool Identity dialog box.
If you want to use a built-in account, select the Built-in account option and select an account from the list.
So, since I was trying to access an HTML page (static content) it appears that IIS doesn't use the AppPool identity for static content... (double-U, T, and F?) So, to make it work you have to add IUSR as referenced here: IIS 8 401.3 with ACL and static content. Anyway, it works now, I'm just sooooo looking forward to the day when I put MVC on that site and it starts failing, again...

IIS7 IUSR account permissions not working with forms authentication and file upload

I am trying to deploy an asp.net 4 app to a new microsoft server 2008 R2
I have set up the application as I have done dozens of times before and set the folder permissions appropriately.
I have tried setting the application pool name directly to have write permissions
I have tried setting IUSR, IIS_IUSRS, NETWORK SERVICE and Users.
I have confirmed that windows authentication is disabled and anonymous is enabled as well as forms authentication is enabled. Logging in works fine i can access all pages normally except if i try to write to the folder. Then a password is required box pops up which looks like windows authentication (even though its disabled)
Every post here states and in my past experience says if I set the folder permissions for the defaultidentity application pool it should work, but for some reason this server wont let me do it!
Any help would be most appreciated.
Welp this turns out to be a really weird one. For some reason when SQL reporting services is installed it reserves the folder name "Reports" in any IIS Web application folder regardless of whether your actually using Reporting services. Its not created by default or anything, but if you happen to create folder titled "Reports" dont expect to access anything from it. After many hours of frustration it turns out it's a random reservation which doesn't throw any error just somehow overrides your authentication protocol to use windows authentication for their reserved folder.
Thanks Microsoft!

IIS7 Accessing Network Share

I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...

IIS - Required permissions cannot be acquired. Enabled "Full Trust" and Load User Profile on App Pool is "True"

Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile sitting to "True". Strongly naming all the assemblies the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool have never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
in my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identify (a domain account). This caused this unable to acquire permissions even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pools identity attribute (in advanced settings) as administrator. That way, you application will work on the server, just like it works on the local setup.

IIS 6.0 Access Permissions to Remote Share

When setting up a virtual directory under IIS using a UNC path to a remote share, what user identity should I be expecting to see the read request to the share come under?
I've setup the above scenario and configured the user under 'Connect As' as a known user who has permissions on the remote share, which I checked with Windows Explorer.
However, when trying to access a file from within a web browser on the share using http://localhost/myfiles/atestfile.txt, I am getting an HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application error returned. 'myfiles' is mapped to the remote share and atestfile.txt resides in the shared folder.
If I use sysinternals filemon application to see what process and user the read request to the share is being carried out under, then I get the details that the request is through the w3wp.exe process and the user is shown as "NT AUTHORITY\NETWORK".
I was expecting the user to be shown as the user I confugured under the 'Connect As' option.
Any guidance appreciated.
If i recall correctly (used iis about 4 years ago) it was IUSR_. I'm not sure that it's still so, but give it a try.
Edit: try to give a look at this post, maybe you will find some clues ;)
Did you try it also with other file extensions than "txt", maybe "test.html"? What DLL is used for txt in the ISAPI extensions configuration (web -> Home Directory -> Configuration...)?
The section "To configure security and authentication for a virtual directory" in the MSDN article "How to: Create and Configure Virtual Directories in IIS 5.0 and 6.0" should contain the information you'll need for finding the right configuration.
I guess the account used in the security settings should be able to access the network share. This could be accomplished inserting the account in the right group or changing that account.

Resources