Comprehensive Permissions Rules for ASP.NET 2.0/IIS 6

[Guest]

Hi.

I am really confused about the NTFS permissions that I must set for my
ASP.NET 2.0 IIS application to work properly. I have looked at KB:815153 and
that helps a *little* bit, but I need more. The following are my specific
questions. If someone could answer them for me, I'd REALLY appreciate it!

1. I do not necessarily pre-compile my site to DLLs. I want it to build
automatically if it needs to. In KB:815153, it talks about the permissions I
have to provide to 2 users ("IUSR_<Machine name>" and "NetworkService"). So
that's fine, but what permissions to I have to provice to what users or
groups for what directories if I want the site to auto-compile, etc.?

2. If I want an ASPX file to be able to write to a given directory, what
permissions do I have to give to which users or groups so that ASPX files
will be able to perform writes?

Thanks.

Alex

 

[Juan T. Llibre]

re:

what permissions to I have to provide to what users

Here's the complete list of ACLs needed for ASP.NET 2.0 :

http://msdn2.microsoft.com/en-us/library/kwzs111e.aspx

Make sure you apply them all.

Re which user should you give the permissions to, run this script
and give whichever account is returned by it NTFS permissions
to the directories listed in the above link :

identity.aspx:
-------------
<%@ Page Language="VB" %>
<%@ Import NameSpace = System.Security.Principal %>
<script runat="server">
Sub Page_Load()
Dim tmp As String = WindowsIdentity.GetCurrent.Name()
Label1.Text = tmp
End Sub
</script>
<html>
<head>
<title>Who is ASP.NET running as ?</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Runat="server" Text="Label"></asp:Label>
</div>
</form>
</body>
</html>
--------

If you still have doubts after doing that, please post again.
Let us know how you do.

re:

2. If I want an ASPX file to be able to write to a given directory, what
permissions do I have to give to which users or groups so that ASPX files
will be able to perform writes?

Read/Write for the directories in which you want to write data.
Again, give those permissions to the account returned by the script above.

 

[Guest]

Juan -

Thanks for your help. This was a very helpful article. I *do* have a
question though:

The Windows Identity that comes up for me is "NT AUTHORITY\NETWORK SERVICE".
Is this what it should be? I guess I'm just confused about what user this
*should* be. I don't know who "Network Service" is and I didn't ebven know
that a username could have a space in it.

Thanks!

Alex

 

[Walter Wang [MSFT]]

Hi Alex,

On a Web server running Windows Server 2003 and IIS 6.0, the ASP.NET
process runs in the application pool for the Web application. The
application pool defines the identity that ASP.NET runs under (by default,
the NETWORK SERVICE account). On earlier versions of IIS, (in Windows 2000
and Windows XP Professional), ASP.NET runs in the ASP.NET worker process
(Aspnet_wp.exe). The identity that ASP.NET runs under is defined by the
identity of the Aspnet_wp.exe process (by default, the ASPNET account).

#Configuring ASP.NET Process Identity
http://msdn2.microsoft.com/en-US/library/dwc1xthy.aspx

For user name policies, user names can contain special characters,
including spaces, periods, dashes, and underscores.

#Microsoft Windows NT Server: Creating User and Group Accounts
http://www.microsoft.com/technet/archive/winntas/deploy/confeat/05wntpca.msp
x?mfr=true

Hope this helps. Please feel free to post here if anything is unclear.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.