System.UnauthorizedAccessException: Access to the path is denied - asp.net

No matter what I do such as give Network Service and the ASP.NET account full rights to the folder that contains the image, I am still getting this error for a System.IO.File.Move. Anyone know what other accounts I may be missing here? Network Service is the account running the app pool under which this site runs on and I gave Network Service full rights to the entire folder.
I've tried everything. I gave Network Service and the machinename\aspnet full permissions to the folder that contains this .jpg. I'm testing this code and this move on localhost...my developer machine.

Have you tried using SysInternals FileMon now part of Process Monitor. You can use it to watch for the file access events or the access denied event.

It might be because you write into some other folder that is not under the ASP.NET application (eg %TEMP% folder or something). In this case the account used is IUSR_MACHINENAME which represents anonymous user.
You either need to impersonate, use another folder or give write privileges to IUSR_XXX (which I don't think is a good idea) to deal with that.

On the machine hosting the shared drive, make sure to set things up under both these tabs:
Sharing -> Permissions
Security
Most of us deal with the Security tab for getting IIS stuff working, but it was the former that was giving me the same issue with the .MoveTo() method. (It could read, just not move).
To further complicate matters, I also had the directory shared as multiple names - make sure to check the permissions for each shared name.

Related

System.IO.DirectoryNotFoundException: Could not find a part of the path

I have 1 service app(asp.net) that will upload txt file.
I would like to upload the file to network share drive.
example of network mapped drive: Z:\HR\hr\t\clock.
If i run the web page throught visual web developer, it can successfully save the file.
but if i run the web page directly via IE, it cannot save.
I already set the network folder for everyone is full control right.
it throw an exception System.IO.DirectoryNotFoundException: Could not find a part of the path 'Z:\HR\t\clock102528122011113418.txt'.
Thanks
That will be because of Security Contexts I would think.
Running it from VWD runs under your security context, running "directly from IE" will run under a different context (Traditionally, IUSR_MachineName)
One scenario you have an account that has permissions, the other you do not.
I would recommend creating a service account to do the work and give that the least permissions possible and go from there.

Write permission for a specific folder in web.config

My question is preaty simple. Is there any way to give current user (IIS User, in this case, ASP NET USER) permission to write to a specific folder location (folder inside our web application) using web.config? Because, it's getting boring to ask to the web hoster to gain access to a specific folder each time we want to do a file uploader on a website.
I know it's maybe preaty simple to find an answer using google, but it keeps returning me how to write INTO web.config instead of permission to write into web.config FOR a specific folder. In addition, I'm french so my english is not at the top.
No. If that was possible, you could write an application which, when deployed on a server, would allow you to write to any directory on the disk despite write access being denied by the administrator.
You can easily grant permissions for a local user (e.g. the user that the IIS worker process/app pool is running as) to a folder anywhere on your filesystem actually through rights permissions in Windows itself but this does not allow for doing this through the web.config file itself. Please give us a description of what you're trying to do specifically and there may be a better solution. The solution I mentioned above could be a bit of a security risk but it depends on the needs and situation.
So, from what I understand .NET (and web.config) don't really control write permissions.
You'll need to either expose the folder from a filesystem and/or webserver level to allow people access (though this may be somewhat of a security issue depending on your scenario). Or another possibility would be to create a simple web-page that allows uploading files to the directory.

asp.net log files permissions

Our asp.net app writes errors to a text log file in the web sites root folder. This has lead to all sorts of permission problems, different flavors of IIS and windows allow different things by default.
So what I am wondering is there a location somewhere in Windows where all types of users can write a file without any extra permissions that will also work for all IIS and flavors of windows?
I am thinking of the ApplicationData folder, but did this exist in Server 2003 ?
Thanks,
AJ
The easiest solution would be to use the App_Data subfolder of your web application for this. By default it's not viewable from the web, so Internet clients won't be able to read the logs.
Depending on your deployment method, you might have to change the permission to allow write access to this folder (to the user under which your web application is running).
Alternatively, there is a place where every user can write to: It's that user's temporary folder, which you can access through Path.GetTempPath. This, however, does not sound like a suitable location for log files.
You should always first think about wwwroot folder (%systemdrive%\inetpub\wwwroot) because it has the required permission.
The permission you need is to set a full control for IIS_IUSRS
Edit: you can simply give Everyone Full Control (not recommended at all) but this solves most of ntfs permissions issues with IIS

No access to files in iis7 mvc app - server 2008 r2

I've just installed windows server 2008 r2 along with visual studio and dropbox. I'm using it as a VM for development and dropbox helps me keep my files in sync with other machines.
I've got my site set up in IIS but I'm getting an access denied error when trying to view the site. I've had this before and to get around it in the past I've gone through and added the IIS_User account to the list of permissions to read/modify the files. I assume because the file's have been copied down with drop box the files don't have the necessary permissions. Here's the bugger, I can't batch update the files by modifying permissions on a folder, I'm having to do it right to the file level and even worse, one at a time! I can't have this.
I'm relatively new to 2008 r2 and IIS 7 so I have no idea what's happening here. Can someone explain what is going on and if there's an IIS/file permission setting I can update to resolve it at the top level folder?
I've tried adding anonymous permssions on the website in IIS and I've added permissions on the folder for IIS_User (even Everyone). I have an Administrator account and that's already set to allow me to read/write/modify the files.
This is typically the message I'm getting 'An error occurred loading a configuration file: Access to the path X is denied'.
This is happening on ascx & aspx files as well as config files.
Edits:
The site is visible when debugging from Visual Studio.
The site is operating in Full Trust (internal)
Please help, this is stopping me from working and driving me insane!
By default in IIS 7, websites run as the local system's network account (NetworkService), not as IIS_User.
To verify, in IIS Manager, select the Site in question, click Basic Settings... and check the Application Pool it is assigned to. Then go into Application Pools and check the Identity for that Application Pool. Make sure that user listed is in the ACL.
Adding Everyone to the ACL should work instead, but just in case I would suggest you check the above. Also of course make sure when you set the ACL to check the box for resetting inheritance on all subfolders, if that is appropriate for your application.
You could also try setting the identity of the application pool to a local (or domain) user you have created which has access to your application directory.
Hope that helps.
Regarding whether other identities would work for your app pool, that depends entirely on whether those identities have permissions to all the files and/or databases and other resources you application needs to access. Right now you have the application running under your user account, which is generally not recommended. IIS has your password cached, and if you change it, your application will stop working until you update the application pool configuration.
As far as setting NTFS permissions, it can get tricky. Once you have disabled permissions inheritance, that file or folder will need to be updated individually every time you need a permission change. The flip side of this is that you cannot remove inherited entries on an ACL, you can only add to them. However you can design a strategy that offers a baseline level of permission at the root of a file structure, and then add permissions to subfolders/files.
In order to check & reset inheritance on a folder, go into its properties, security tab, click advanced, then click Edit. You can see whether this folder inherits permissions from its parent, and optionally wipe out all subfolder/file permissions and enable inheritance on all child folders & files.
Hope this helps.

Determine what account IIS 7 is using to access folders (and other resources)

Often, out of sheer desperation I will end up enabling "Everyone" access on a folder that a web app is accessing (perhaps for file creation, reading, etc) because I can't figure which user account to enable access on.
Obviously, this is a very bad thing to do.
Is there a way to determine what account IIS is using at that exact moment to access folders (and perhaps other resources like SQL Server, etc)?
Are there logs I can look at that will tell me? Or perhaps some other way?
I usually use Windows Auth without impersonation. Not sure if that information is relevant.
Another more general approach would be to use a tool like Process Monitor and add a path filter for anything that starts with the root of the website (ie c:\inetpub\wwwroot). You then have to add the Username as a column by right clicking on the column headers, but once you do that the w3wp.exe process should show up in whenever you try to access the website and it will show which user account is being used. This technique should work with all file access permission issues.
If you don't use Impersonation, application pool identity is used in most cases, but accessing SQL Server and UNC files are slightly different.
This MSDN article has all information in one place, but you really need to spare a lot of time on it in order to digest every details,
http://msdn.microsoft.com/en-us/library/ms998351.aspx
Use Sysinternals Process Monitor to see what is actually happening.
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Resources