access denied in an asp.net 2.0 application when accessing a direc

[Guest]

on a different server.

I am currently getting an access denied when I attempt to do the following
in my asp.net page:

strFilePath = ConfigurationManager.AppSettings["imagesavedir"];

strFileName = strImageName + ".*";

DirectoryInfo di = new DirectoryInfo(Server.MapPath(strFilePath));

FileInfo[] fls = di.GetFiles(strFileName);

This is the error:

Access to the path '\\192.168.2.26\images\ProdSite\CENET' is denied.

What permissions do I need to set for this to work. The ip address is on
another windows 2003 server.

Thanks

Eric

 

[Michael Hamrah]

I think you want to grant read permission and directory browsing on the
ntfs level (properties -> security) to the IUSR_<servername> account,
then grant the same thing on the iis level via IIS Manager. There's
two levels of security- IIS and NTFS.

 

[Steven Cheng[MSFT]]

Thanks for Michael's input,

Hi Eric,

As for such security issue, we should first confirm what's the ASP.NET
application's running security context, if you're not using impersonate, it
should be the ASP.NET worker process's process account(this setting should
differ from IIS5 to IIS6). For IIS, it is the Machine\ASPNET account ,
while IIS6 by default use Network Service as the application pool idenitity.

And as for the remote UNC share, there're two permission settings, the NTFS
and the file share permission settings. Therefore, I suggest you check both
of them on the remote server machine and grant the proper use the
sufficient permission.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Hi Steven,

I am running IIS 6.0.

How would I find out what security context I am running under?

On the share, I set the NetworkService account from webserver read only
access and on the NTFS security, I gave NetworkService account from webserver
ready only access also.

Basically, I want the remote users to only read/browse the files but not
change the files.

Is this the correct approach?

Thanks

Eric

 

[Steven Cheng[MSFT]]

Thanks for the response Eric,

I think it should be OK. Since you're using IIS6, if the ASP.NET
application virtual dir is configured to use the Default Application Pool
and your ASP.NET dosn't use impersonate, it should be the NT
AUTHORITY\NETWORK SERVICE account. Anyway, you can use the below code to
printout the security identity of the current running thread:

Response.Write("<br/>" +
System.Security.Principal.WindowsIdentity.GetCurrent().Name);

BTW, as for the "Network Service" account you mentioned when configure the
UNC share's permission, are you sure you are refering to the ASP.NET
server's Network Service account( rather than the UNC share machine's
Network Service account)? Network Service just represent machine's account
so it differs from machine to machine.

In addition, you can turn on the File access Audit for that UNC folder on
that machine, this can help capture the Access failture log.

3How To Audit User Access of Files, Folders, and Printers in Windows XP
http://support.microsoft.com/kb/310399/en-us

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Guest]

Thanks for the information.

Thanks

Eric

 

[Steven Cheng[MSFT]]

Thanks for the quick response.

Glad that they're of assistance. Please feel free to let me know if you
need any further help.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)