I have code running in an ascx within PageLayout within SharePoint 2007 that accesses files on a remote server i.e. File.Create("\servername\sharename\folder\file.txt"). The code runs within a SharePoint web application that has CAS trust set to Full in the web.config. The File.Create throws the following exception:-
System.UnauthorizedAccessException
Access to the path '\\servername\sharename\folder\file.txt' is denied.
The share is shared to Everyone with Full Control and the NTFS permissions are set to Everyone with Full Control. The web application app pool is running under a domain account also with explicit permissions to access that resource (not that this should be needed).
I ran Process Monitor on the remote machine and no hits were being recorded on the server. This leads me to believe that it is an issue with the SharePoint Code Access Security settings. Like I've said above, the trust in the web.config is set to Full.
Is it possible that CAS is still blocking the remote access? Can anyone think of any other area to review?
Update
A bit more information...
I've tried making the app pool acct domain admin and the problem still occurs. When using the same method to access a drive on the local machine it works fine. Running the same code in SnippetCompiler outside of sharepoint using the app pool account works fine.
Hope this helps, let me know if you can think of any more avenues of investigation or tests I can try.
Update
Im not sure if this would affect the issue but the local server is running Windows Server 2003 and the remote server is running Windows 2000.
Update
I've just tried running the code through a web part and it works fine. The file structure I use in the project that is failing is as follows:-
wss
- VirtualDirectories
- SharePointWebApp
- ...sp web app files
- .
- .
- PageLayoutControls
- control.ascx
- .
- .
Then in IIS I have the following structure:-
IIS
- Websites
- SharePointWebApp (pointing to \wss\VirtualDirectories\SharePointWebApp)
- PageLayoutControls (virtual directory pointing to \wss\VirtualDirectories\PageLayoutControls)
Then within the PageLayouts I reference the controls using the following:-
<%# Register TagPrefix="TEST" TagName="MyControl" Src="~/PageLayoutControls/control.ascx" %>
<asp:Content ContentPlaceholderID="PlaceHolderMain" runat="server">
<TEST:MyControl id="myControl" runat="server"/>
</asp:Content>Let me know if you need more info.
Update
The mystery deepens...
When I access the sharepoint site from Internet Explorer (6 or 7) on the SharePoint web front end server I do NOT get the exception.
When I access the sharepoint site from Mozilla Firefox from the SP web front end server I DO get the exception.
When I access the sharepoint site remotely from ANY browser I get the exception.
Also, it makes no difference what user I use to log on to the site, as long as they have permissions to access the sharepoint site.
Any thoughts?
Update
Hmm, I've now found that if I access the sharepoint site remotely and the sharepoint site tries to do a File.Create() locally (i.e. File.Create("C:\temp\abc.txt")) then it works. If I access the sharepoint site from the sharepoint box and do a File.Create() remotely (i.e. File.Create("\ServerName\ShareName\FolderName\file.txt")) then it works.
It only fails when I access the sharepoint site remotely and have the sharepoint site try to do a File.Create() remotely as well. Kind of a double hop problem. This makes me think it may be an NTLM / Kerberos issue.
Currently, we are running using NTLM authentication.
Has anyone else experienced this sort of issue?
Update
Yep, I'm pretty sure this is an NTLM issue not allowing a double hop. I just changed the authentication on the sharepoint site to use Basic Authentication and its worked. Changed it back to Integrated Authentication and it failed.
Now to decide whether to move the farm to use Kerberos or find another way around the issue. :-/
Update
Just giving SPSecurity.RunWithElevatedPrivileges a shot now. One thing though, is RunWithElevatedPrivileges meant to be used in this context? Previously, I've only used it to get access to lists and libraries within SharePoint rather than accessing a file access the network.
Any thoughts?
Update
Yep, SPSecurity.RunWithElevatedPrivileges resolves the issue. :-)
I wonder if this is the double-hop issue and that your code is trying to access the resource as the impersonated user, but that fails because NTLM will not impersonate to another server (Kerberos would).
Have you tried SPSecurity.RunWithElevatedPrivileges? That would remove the impersonation (RevertToSelf) and then maybe the application pool owner can just act as himself (herself?) whereas maybe it couldn't before.
Just a thought and should be pretty easy to try out.
Related
I am trying to deploy an asp.net 4 app to a new microsoft server 2008 R2
I have set up the application as I have done dozens of times before and set the folder permissions appropriately.
I have tried setting the application pool name directly to have write permissions
I have tried setting IUSR, IIS_IUSRS, NETWORK SERVICE and Users.
I have confirmed that windows authentication is disabled and anonymous is enabled as well as forms authentication is enabled. Logging in works fine i can access all pages normally except if i try to write to the folder. Then a password is required box pops up which looks like windows authentication (even though its disabled)
Every post here states and in my past experience says if I set the folder permissions for the defaultidentity application pool it should work, but for some reason this server wont let me do it!
Any help would be most appreciated.
Welp this turns out to be a really weird one. For some reason when SQL reporting services is installed it reserves the folder name "Reports" in any IIS Web application folder regardless of whether your actually using Reporting services. Its not created by default or anything, but if you happen to create folder titled "Reports" dont expect to access anything from it. After many hours of frustration it turns out it's a random reservation which doesn't throw any error just somehow overrides your authentication protocol to use windows authentication for their reserved folder.
Thanks Microsoft!
A group of us wrote a .NET web application for our University class and in order to let our prof test with it I am setting it up on my webserver at home. Here is what I have done so far:
I created a new account on my domain, I then granted that account Read, write access to the folder where the app is stored. I have setup an application pool that uses this new account as its identity and created a new site that uses the new application pool.
I initially was receiving the Service unavailable error message, so I realized I had to add my account to the IIS_WPG account. So now I am stuck at the "page cannot be found". The website is pointing to the correct folder (I can see the aspx page list from within the IIS browser) but when browsing the site either in IIS, on a browser on the server or on a browser within my network I keep getting Page cannot be found. The home directory is pointing to default.aspx which is what our app uses.
The app of course works just fine when running from within the IDE, but now that I am trying to get it to work it doesn't want to.
Any thoughts?
Thanks.
you should give error details first.
for now, I suggest you check the 'network service' account's permission.this is the ASP.NET's account.
then publish your site to *.aspx file and *.dll file. to see if there is any errors.
So I found the issue. What I didn't know is that by default, IIS 6 does not turn on support of active server pages and .NET pages in Web Service Extensions. Once I had turned this on the site began to work just fine.
We have an old ASP.NET application hosted in IIS6/Win2k3. It's a document generation application that uploads the documents to SharePoint 2003. The application uses an application pool under the user sharepointservice, which is the administrator of the SharePoint site. The web application, which has been recently migrated to .net 2.0 from 1.1, uses NTLM authentication to identify our intranet users.
As the IT administrators are on holidays, I, the developer, has been given local admin rights to the Win2k3 box. The issue is, whenever I deploy the website, though the documents are uploaded appropriately to the SharePoint site via the application, the users are not able to download them. The error is
HTTP Error 403 - Forbidden: Access is denied
I know the IT guys use a service account, not their domain user accounts.
I have already tried to modify the permissions in IIS for that website. I even put Everyone and <Domain>\Users to have read access to all of those folders, to no avail. I've scoured the net, there are no definitive answers. Am I missing something else?
I hate answering my own question, but this did it for me:
The application pools for the SharePoint site were modified from the default. So I reset them, including the AppPools for _layouts, _vti_bin, and _wpresources. Their AppPools are now the default, and are the same.
This link gave me the lead.
You are probably being prompted by permissions for the file system. Check the directories where IO is happening and make sure the user sharepointservice is using in the app pool has read/write permissions.
I just had this problem and solved it after following these instructions:
http://support.microsoft.com/kb/2543306
It seems the webapplication took so long that it hadn't created everything correctly when the IIS timed out. So I was receiving strange errors like yours.
I have an ASP.NET application that's trying to copy a file to a remote share that's on a server on another domain ("REMOTEDOMAIN"):
File.Copy(#"c:\Test.txt", #"\\REMOTEMACHINE\Share");
When we get to the File.Copy method, I'm getting "Login failure: Unknown user name or password" when trying to connect to the share through the local IIS install. This is despite the share itself having "Everyone" read/write permissions (temporarily, at least). The Security log on the remote server logs the same error, so I know the process is at least trying to get to the right place.
I sort of understand why, as the website's application pool is attempting to authenticate with an account on LOCALDOMAIN and not REMOTEDOMAIN.
However, the weird thing is, the entire process works fine when I test through the ASP.NET Development Server instead of IIS, despite the fact that both the Development Server and the IIS Application Pool are using the same credentials.
Any thoughts on how to further diagnose this? Unfortunately the test site has to remain on LOCALDOMAIN and the files still have to be copied to REMOTEDOMAIN; I can't move one site to the other or vice versa.
Everyone does not include Anonymous, so the user still needs to be in the domain of the REMOTEDOMAIN (http://support.microsoft.com/kb/278259). You could get this working by allowing "Guest", but it would be a security nightmare of course so it is not much of a help.
The solution would be to impersonate Asp.Net user: http://support.microsoft.com/kb/306158
One hack that you should know is that if the IIS is not in the remote domain, you can go around this problem, by setting up local (non-domain) users on both machines and setting the same password for both of them.
despite the fact that both the Development Server and the IIS Application Pool
are using the same credentials.
Are you absolutely sure about this? If you are talking about the Visual Studio dev server, it runs on your account. And typically Asp.Net runs as "Network Service"
I have an asp page that saves a file to disk.
Currently it works locally, but I need to save the file to a share and I get permission denied.
I had assumed I could just set the app pool to the user that has access to the folder, but it doesn't seem to work.
How do you make classic asp run as a specific user?
I believe that by default classic asp will run under the iis user which is IUSR_MachineName. This can be changed in the IIS Manager.
Good references:
http://kb2.adobe.com/cps/153/tn_15378.html
http://imar.spaanjaars.com/QuickDocId.aspx?quickdoc=287
IIS Admin - Website Properties - Directory Security - Edit...
By default it's IUSR_MACHINENAME
Look at who is running the following:
"inetinfo.exe" process
"World Wide Web Publishing service"
It should be one of those I believe.
Is the program attempting to go to a share on another computer (or this computer), or a folder on the web server which happens to also be a share? When you access it through the \\server\share notation, you are going to have different issues than through the local drive driveletter:\folder\ notation.
If it is a share on another computer, the account will need to have rights to the share as well as rights to the underlying files and must be a domain account.
It depends on what you are actually doing but you would probably want to avoid giving the whole application a user identity that has network access just to service the needs of this one file.
You can configure in IIS the user identity for anonymous access on that one ASP file, that would be better than setting it for the whole application.
Another option in the intranet environment is to turn off anonymous access for the ASP file and turn on windows integrated access. The clients user account is used for the security context for running the ASP and any subsequent network access it might make.
I've encountered a similar problem : Unable to Execute Bat EXE or CMD.exe from classic ASP pages on IIS 7.
As I have found a solution, I HOPE it will help the folks to save time !
For a solution look there : (I've Marked the very last post as Answer).
http://forums.iis.net/t/1193937.aspx/1?+BAT+and+vbs+Files+does+not+run+anymore+from+Classic+ASP+was+running+on+Win+2003+Server+
Have a great starting 2013 !