Access Denied to Temporary files

[Chad Crowder]

Hi all,

I hope someone can give me a hand, because I'm out of ideas. I keep getting
this message:

Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
ASP.NET Files\projects_cig\e4e3b3da\3c20ac69" is denied.

The error goes on to say that the ASP.NET is not authorized...

Here are my particulars:
I have a storage array where my asp.net project resides.
I create a Virtual Directory pointing to the share where the project is
stored.
I specify the network user account to use to access the share
I also specify the Anonymous User Account to be the same account as that
accessing share.
I've added the <identity impersonate=true /> tag to the web.config file of
my project.

I've done this with multiple servers, 2000 and 2003 and get the same
results. The projects run fine locally, but I've got to get this working
where my source code is remote.

Anyone know of the step I'm missing?

- Chad

 

[Michael]

Hi all,

I hope someone can give me a hand, because I'm out of ideas. I keep getting
this message:

Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
ASP.NET Files\projects_cig\e4e3b3da\3c20ac69" is denied.

The error goes on to say that the ASP.NET is not authorized...

Here are my particulars:
I have a storage array where my asp.net project resides.
I create a Virtual Directory pointing to the share where the project is
stored.
I specify the network user account to use to access the share
I also specify the Anonymous User Account to be the same account as that
accessing share.
I've added the <identity impersonate=true /> tag to the web.config file of
my project.

I've done this with multiple servers, 2000 and 2003 and get the same
results. The projects run fine locally, but I've got to get this working
where my source code is remote.

Anyone know of the step I'm missing?

- Chad

Did You try to disable the Indexing-Service?


Michael

 

[Anon]

ASP.NET process needs access to the
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\
directory. It stores temporary compiled code there. If you have changed the
account that ASP.NET runs as, you need to give that new account access to
the directory above. Its either
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\" or
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\", I can't remember...

 

[Chad Crowder]

Yeah, well actually the index service was already disabled.

- Chad

 

[Chad Crowder]

The local "users" group had read access to the directory, so I bumped that
up to full control, that didn't get around the error. The account I'm
specifying in IIS is member of the Domain Users, and consequently the local
"users" group.

- Chad

 

[Anon]

This would be true if the application does not allow anonymous access and
uses one of the other authentication schemes (basic, windows, digest). But
if the user is coming in as anonymous access, then the account being
impersonated will be whatever specified as the anonymous account which he
specifies as "I also specify the Anonymous User Account to be the same
account as that accessing share."

Try setting a username/password for the process to run under:

<identity impersonate="true" userName="domain\username" password="password"/>

Without the username and password the ASP.NET process will run under

whoever accesses the web app. You are getting this error because those
accounts do not have unrestricted access to the server running the app.

 

[Anon]

Try just the account and make sure it has full control. What directory did
you give access to?

 

[Anon]

Also what do you have for "<authentication mode= " in your web.config file?

 

[Steven Cheng[MSFT]]

Hi Chad,


Thanks for posting in the community! My name is Steven, and I'll be
assisting you on this issue.
From your description, you got the following error message in your ASP.NET
web application:
-----------
Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
ASP.NET Files\projects_cig\e4e3b3da\3c20ac69" is denied.
-----------
And you've tried on both win2k and win2003 server and with the same error.
If there is anything I misunderstood, please feel free to let me know.

Based on my experience, such security concerned issue may caused by some
unexpected errors such as application securty configuration or security
issues within the application's code. My suggestion is that we first focus
on the application's security configuration or setting and I'd like to
confirm some further questions:
1. Since you mentioned the "Access Denied" exception is also followed by
another "UnAuthorized" exception, is the UnAuthorized exception like below?
-----------------------------------------------------------------
Exception Details: System.UnauthorizedAccessException: Access to the path
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET
Files\wetest1\35069e45\3c6cf47" is denied.
-----------------------------------------------------------------

2. What's the authenticaion mode you used for the ASP.NET web application?
"Windows" or any other? If "Windows", as you said that the application is
impersonating via <identity impersonate="true"/> and anonymous allowed in
IIS. the identity will be the anonymous user, and you also mentioned that
you've manually mapped the anonymous's account to a DOMAIN user. So your
application will be run under the certain Domain user account.

Also, in your later reply you mentioned that you've tried giving the local
user group full access control of the certain folder,(is it the ASP.NET
tempory folder?) but with no success. I think you may try giving the
certain Domain user account the full access control of the ASP.NET tempory
folder such as "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
ASP.NET Files\" and then try running the application again.

3. In addtion to step2, you may also try change the anonymous account to
other account(such as machine\ASPNET) and give the full control of ASP.NET
tempory folder or even try set the impersionate as false and then run the
application to see whether the problem remains

Further more, as for the web application's code logic, would you please
provide some more detailed info on it such as the "I've got to get this
working where my source code is remote" or the "a Virtual Directory
pointing to the share where the project is stored"?

Please check out the preceding items. If you have any quesitons or have any
new findings, please feel free to let me know.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Chad Crowder]

1. The Access Denied error you described is the one I was receiving.
2. I used windows authentication for the web application, I've also tried
to make the user account a domain administrator
3. A local machine account won't have access to the source code on a network
storage array.

Also, when I said it worked locally, that was to mean that if I copied the
source code to the local computer (drive C, configure IIS for the app, it
runs fine.

I just can't get it to work when the source code is remote. I also have ran
into the error:
Parser Error Message: Could not load type 'CIG.Global'.

Thanks,
- Chad

 

[Chad Crowder]

Actually, just wanted to clarify. I start getting the "Parser Errror: could
not load type cig.global" after I run the web application locally.

- Chad

 

[Steven Cheng[MSFT]]

Hi Chad,


Thanks for your response. Based on your reply, the application run well
when the code is set on the local machine of the IIS server. Do you mean
that the "Access Denied" error also goes away when running locally? If so,
the problem is likely due to the security issue on accessing the remote
source code when the page code being compiled at runtime. Any way, have you
tried add the certain tempory folder's full control access to the certain
domain account(just to that account) which you set as the anonymous user's
mapping account?
In addtion, you mentioned that you also encountered the a "cig.Global" type
couldn't be loaed error? The "CIG.Global" must be the Global class of your
web application which is defined in the Global.asax and Global.asax.cs
file, so you may check whether these two file have been correctly set or it
there any problem with accessing these files from a remoting site. Also,
since you point the web site's virtual directory to a remote directory via
a "\\{server}\{share}" UNC path, yes? Then have you tried setting a more
high permissed account on the remote machine for the "Connect As" account ?
I still think the problems are all caused by the account's permission.

Please check out the preceding items. If you feel anything unclear or if
you have any new findings, please feel free to post here.



Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Chad Crowder]

Steven, Anon, and others:

I finally called MS today on this, and basically I had to do three steps
which I hadn't done (this is for windows 2003:

1. Add the domain user account that will be access the share to the
ApplicationPool identity
2. Create a new Runtime Security Policy, for the URL of the share, and
give it Full Trust.
3. Lastly I had to add the user account to the local IIS_WPG group

So, it was a permissions/security issue after all.

Thanks again to everyone who provided help with this!
- Chad