file permissions

Discussion in 'ASP .Net Security' started by James Martin, Oct 15, 2003.

  1. James Martin

    James Martin Guest

    I have a W2K server, running IIS 6 and Active Directory
    Services. I have an ASP.Net application off the root web
    directory named "Apps". Within the IIS Manager I have the
    Authentication method set to "Anonymous Access" as well
    as "Authenticated Access" using "Integrated Windows
    Authentication" for both the root web and the "Apps" sub-
    directory. All files and directories under the "Apps"
    folder are set in this manner.

    The web config file is set to use "Windows" for
    Authentication and "*" for Authorization.

    Using Explorer I have changed the permissions for one file
    in the "Apps" directory. For this file, let's call
    it "myfile.aspx", I have removed the "Everyone" group. The
    permissions for this file are as follows:

    Creator Owner - Full Control
    System - Full Control
    mydomain\Administrators - Full Control
    mydomain\MyGroup - Read, Read/Execute

    If I attempt to access any file on this web via a web
    browser it works as it should with the exception of this
    single file, "myfile.aspx". When attempting to access this
    file it will ask for a username/password/domain and will
    not accept anyone, including anyone from
    the "Administrators" or "MyGroup" groups.
    The error I get in the browser is:

    Server Error in '/Apps' Application.
    --------------------------------------------------------------------------------

    Access is denied.
    Description: An error occurred while accessing the
    resources required to serve this request. You might not
    have permission to view the requested resources.

    Error message 401.3: You do not have permission to view
    this directory or page using the credentials you supplied
    (access denied due to ACLs). Ask the Web server's
    administrator to give you access
    to 'c:\inetpub\wwwroot\apps\myfile.aspx'.


    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework
    Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

    This is the same basic configuration I use on other web
    servers for security and have not had this problem before.
    I have another server within this domain that is
    configured in the same manner that works although it is
    not an ASP.Net application. I have tried this from systems
    logged into the domain and from systems not logged into
    the domain with the same results.
     
    James Martin, Oct 15, 2003
    #1

  2. James,

    In the scenario you describe, you will need to give the aspnet_wp.exe
    process account access or make it a member of your group. By default, this
    would be the ASPNET account.

    You can also enable impersonation and deny unauthenticated users so that
    you get the identity of the user actually browsing the site.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

     
    Jim Cheshire [MSFT], Oct 15, 2003
    #2

  3. James Martin

    James Martin Guest

    Okay, in web.config I have:

    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <identity impersonate="true" userName="" password=""/>


    I added mydomain\ASPNET to the ACL.

    When I attempt to access the page I am NO LONGER prompted
    for a username/password/domain and the web page returned
    reports the following:

    Server Error in '/Apps' Application.
    --------------------------------------------------------------------------------

    Access is denied.
    Description: An unhandled exception occurred during the
    execution of the current web request. Please review the
    stack trace for more information about the error and where
    it originated in the code.

    Exception Details: System.ApplicationException: Access is
    denied.

    Source Error:

    An unhandled exception was generated during the execution
    of the current web request. Information regarding the
    origin and location of the exception can be identified
    using the exception stack trace below.

    Stack Trace:

    [ApplicationException: Access is denied.]
    System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
    System.Security.Principal.WindowsIdentity.get_Name() +71
    System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user, String verb) +100
    System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user, String verb) +81
    System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +178
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87



     
    James Martin, Oct 16, 2003
    #3
  4. James,

    This is definitely a permissions issue. The easiest way to troubleshoot
    these issues is to use Filemon from www.sysinternals.com. You can get a
    log of the request and look for an ACCDENIED. The new version will tell
    you what the user account is that is being denied access and where they are
    being denied.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

     
    Jim Cheshire [MSFT], Oct 16, 2003
    #4
  5. James Martin

    James Martin Guest

    Ok here is what I now know based on some pointers from
    ZRH. These are the steps I had to take to enable selective
    access to files using Windows as the authentication
    format. I chose this format because the management of
    users and files is already in place and it does not
    require yet another username and password combination to
    be remembered.

    Keep in mind my configuration included a W2K server, IIS
    5, and Active Directory services with the web server also
    acting as a Domain Controller. So, having said that, to
    control access to a file or directory with W2K and IIS5
    when accessed via a web browser you must do the following:

    In IIS Management Console set the "Authentication" method
    to whatever level you prefer. This can be done for the
    folder or virtual directory as well as individual files.
    In my case I wish to allow some files to be accessed by
    everyone so I have enabled both "Anonymous Access" for
    this purpose and under "Authenticated Access" I have
    enabled "Integrated Windows authentication". This allows
    further access control using NTFS file permissions. The
    most restrictive permissions will apply.
    Enabling "Anonymous Access" will not allow an
    unauthenticated user or user without proper credentials to
    access a resource for which he has not been given access
    rights through NTFS permissions. As a side note my
    installation used the IUSR_machinename as the Anonymous
    User account and the checkbox was enabled to allow IIS to
    manage the password. Close IIS Management Console.

    In Windows Explorer right-click on the file or folder that
    you wish to change permissions for. Add or remove groups
    and users as needed and change permissions for these
    groups and users. I have found that the following accounts
    must be added regardless of the other settings and have
    found documentation that seems to support this:

    Creator Owner - Full Control
    System - Full Control
    domainname\ASPNET - Read, Read/Execute
    domainname\IWAM_machinename - Read, Read/Execute

    and any other accounts you wish to have access this
    resource. Close Windows Explorer.

    Once this has been accomplished go to Start-->Program
    Files-->Administrative Tools and open the Domain
    Controller Security Policy. Once inside the Domain
    Controller Security Policy Console go to Windows
    Settings-->Security Settings-->Local Policies-->User Rights
    Assignments. In the right hand pane double-click
    on "Impersonate a client after authentication". Enable
    the "Define these policy settings" checkbox and
    click "Add". Click "Browse" then find and select the
    account IWAM_machinename and click OK-->OK-->OK. Close the
    Domain Controller Security Policy Console.

    At a command prompt issue the following command:

    secedit /refreshpolicy machine_policy /enforce

    then at the command prompt issue the following command:

    iisreset

    Close the command prompt window. Now we need to modify the
    web.config file for the ASP.NET application as follows:

    <authentication mode="Windows" />
    <authorization>
      <allow users="*" /> <!-- This allows all users to access
      even if they are outside the domain provided NTFS
      permissions allow it and IIS allows "Anonymous Access" -->
    </authorization>
    <identity impersonate="true"/> <!-- This allows ASP.NET to
    impersonate the user requesting a restricted resource
    after authentication has taken place. It requires that an
    account be specified for the impersonation on the machine
    hosting the ASP.NET application -->

    Save the file and check for proper operation of the web
    site pages you have modified the permissions for. If
    anyone notices inaccuracies in this document please feel free
    to make corrections, and thanks again to ZRH.

    Here are some external resources I used:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q815171#4
    http://4guysfromrolla.411asp.net/
    http://www.jsiinc.com/SUBN/tip6900/rh6981.htm

     
    James Martin, Oct 16, 2003
    #5
  6. Hi James,

    Thanks very much for posting so much good information after resolving your
    problem. That will help a lot of people! A couple of clarifications.

    1. The "Impersonate a Client After Authentication" is only required if you
    are impersonating on a Windows 2000 box.
    2. Setting impersonation without explicitly declaring a username and
    password with the settings you have configured right now will cause the
    application to run under the IUSR account. This is because you are not
    specifying a username in your <identity> element and you have anonymous
    access enabled. If you want to use the identity of the specific user
    browsing the site, you either need to disable anonymous in IIS, or you need
    to deny unauthenticated users in your web.config with a <deny users="?" />.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
    >
    >Ok here is what I now know based on some pointers from
    >ZRH. These are the steps I had to take to enable selective
    >access to files using Windows as the authentication
    >format. I chose this format because the management of
    >users and files is already in place and it does not
    >require yet another username and password combination to
    >be remembered.
    >
    >Keep in mind my configuration included a W2K server, IIS
    >5, and Active Directory services with the web server also
    >acting as a Domain Controller. So, having said that, to
    >control access to a file or directory with W2K and IIS5
    >when accessed via a web browser you must do the following:
    >
    >In IIS Management Console set the "Authentication" method
    >to whatever level you prefer. This can be done for the
    >folder or virtual directory as well as individual files.
    >In my case I wish to allow some files to be accessed by
    >everyone so I have enabled both "Anonymous Access" for
    >this purpose and under "Authenticated Access" I have
    >enabled "Integrated Windows authentication". This allows
    >further access control using NTFS file permissions. The
    >most restrictive permissions will apply.
    >Enabling "Anonymous Access" will not allow an
    >unauthenticated user or user without proper credentials to
    >access a resource for which he has not been given access
    >rights through NTFS permissions. As a side note my
    >installation used the IUSR_machinename as the Anonymous
    >User account and the checkbox was enabled to allow IIS to
    >manage the password. Close IIS Management Console.
    >
    >In Windows Explorer right-click on the file or folder that
    >you wish to change permissions for. Add or remove groups
    >and users as needed and change permissions for these
    >groups and users. I have found that the following accounts
    >must be added regardless of the other settings and have
    >found documentation that seems to support this:
    >
    >Creator Owner - Full Control
    >System - Full Control
    >domainname\ASPNET - Read, Read/Execute
    >domainname\IWAM_machinename - Read, Read/Execute
    >
    >and any other accounts you wish to have access this
    >resource. Close Windows Explorer.
    >
    >Once this has been accomplished go to Start-->Program
    >Files-->Administrative Tools and open the Domain
    >Controller Security Policy. Once inside the Domain
    >Controller Security Policy Console go to Windows Settings-->
    >Security Settings-->Local Policies-->User Rights
    >Assignments. In the right hand pane double-click
    >on "Impersonate a client after authentication". Enable
    >the "Define these policy settings" checkbox and
    >click "Add". Click "Browse" then find and select the
    >account IWAM_machinename and click OK-->OK-->OK. Close the
    >Domain Controller Security Policy Console.
    >
    >At a command prompt issue the following command:
    >
    >secedit /refreshpolicy machine_policy /enforce
    >
    >then at the command prompt issue the following command:
    >
    >iisreset
    >
    >Close the command prompt window. Now we need to modify the
    >web.config file for the ASP.NET application as follows:
    >
    ><authentication mode="Windows" />
    ><authorization>
    > <allow users="*" /> <!-- This allows all users to access
    >even if they are outside the domain provided NTFS
    >permissions allow it and IIS allows "Anonymous Access" -->
    ></authorization>
    ><identity impersonate="true"/> <!-- This allows ASP.NET to
    >impersonate the user requesting a restricted resource
    >after authentication has taken place. It requires that an
    >account be specified for the impersonation on the machine
    >hosting the ASP.NET application -->
    >
    >Save the file and check for proper operation of the web
    >site pages you have modified the permissions for. If
    >anyone notices inaccuracies in this document please feel free
    >to make corrections and thanks again to ZRH.
    >
    >Here are some external resources I used:
    >
    >http://support.microsoft.com/default.aspx?scid=kb;EN-
    >US;Q815171#4
    >http://4guysfromrolla.411asp.net/
    >http://www.jsiinc.com/SUBN/tip6900/rh6981.htm
    >
    >>-----Original Message-----
    >>Okay in web.config I have :
    >>
    >><authentication mode="Windows" />
    >><authorization>
    >> <deny users="?" />
    >></authorization>
    >><identity impersonate="true" userName="" password=""/>
    >>
    >>
    >>I added mydomain\ASPNET to the ACL.
    >>
    >>When I attempt to access the page I am NO LONGER prompted
    >>for a username/password/domain and the web page returned
    >>reports the following:
    >>
    >>Server Error in '/Apps' Application.
    >>--------------------------------------------------------------------------------
    >>
    >>Access is denied.
    >>Description: An unhandled exception occurred during the
    >>execution of the current web request. Please review the
    >>stack trace for more information about the error and where
    >>it originated in the code.
    >>
    >>Exception Details: System.ApplicationException: Access is
    >>denied.
    >>
    >>Source Error:
    >>
    >>An unhandled exception was generated during the execution
    >>of the current web request. Information regarding the
    >>origin and location of the exception can be identified
    >>using the exception stack trace below.
    >>
    >>Stack Trace:
    >>
    >>
    >>[ApplicationException: Access is denied.
    >>]
    >>
    >>System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
    >> System.Security.Principal.WindowsIdentity.get_Name() +71
    >> System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user, String verb) +100
    >> System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user, String verb) +81
    >> System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +178
    >> System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
    >> System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
    >>
    >>
    >>
    >>>-----Original Message-----
    >>>James,
    >>>
    >>>In the scenario you describe, you will need to give the aspnet_wp.exe
    >>>process account access or make it a member of your group. By default, this
    >>>would be the ASPNET account.
    >>>
    >>>You can also enable impersonation and deny unauthenticated users so that
    >>>you get the identity of the user actually browsing the site.
    >>>
    >>>Jim Cheshire [MSFT]
    >>>Developer Support
    >>>ASP.NET
    >>>
    >>>
    >>>This post is provided as-is with no warranties and confers no rights.
    >>>
    Jim Cheshire [MSFT], Oct 16, 2003
    #6
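A defender-side check for the two failure points in this thread (the NTFS ACEs James lists as required, and the impersonation plus anonymous-access combination Jim describes), as an added PowerShell example that is not from the thread. The file paths are placeholders, and the required-account list is taken from James's post.

```powershell
# Added example, not from the thread: audit one .aspx file's NTFS ACL and the
# application's web.config for the conditions discussed in this thread.
# Assumes PowerShell on the web server; both paths are placeholders.
param(
    [string]$File      = 'C:\inetpub\wwwroot\apps\myfile.aspx',   # placeholder
    [string]$WebConfig = 'C:\inetpub\wwwroot\apps\web.config'     # placeholder
)

$machine = $env:COMPUTERNAME
# Accounts James found must be present for ASP.NET 1.1 on IIS 5 (worker process
# and out-of-process accounts) plus the two system principals.
$required = @('CREATOR OWNER', 'SYSTEM', 'ASPNET', "IWAM_$machine")

$acl = Get-Acl -Path $File
$present = $acl.Access | ForEach-Object {
    # IdentityReference is DOMAIN\name or NT AUTHORITY\SYSTEM; compare the name part only
    ($_.IdentityReference.Value -split '\\')[-1].ToUpperInvariant()
}
foreach ($acct in $required) {
    if ($present -notcontains $acct.ToUpperInvariant()) {
        Write-Warning "$File`: no ACE for '$acct' (expect 401.3 / Access is denied)"
    }
}
if ($present -contains 'EVERYONE') {
    Write-Warning "$File`: 'Everyone' still has an ACE; NTFS is not restricting this file"
}

# web.config: impersonate="true" with no userName and no <deny users="?"/> means an
# anonymous request executes as the IIS anonymous account (IUSR_machinename), not as
# the browsing user, unless anonymous access is disabled in IIS.
[xml]$cfg = Get-Content -Path $WebConfig
$sw = $cfg.configuration.'system.web'
$identity = $sw.identity
$deniesAnon = @($sw.authorization.deny | Where-Object { $_.users -eq '?' }).Count -gt 0
if ($identity -and $identity.impersonate -eq 'true' -and
    -not $identity.userName -and -not $deniesAnon) {
    Write-Warning "$WebConfig`: impersonation is on but anonymous users are not denied; ASP.NET will run as the anonymous account for unauthenticated requests"
}
```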