IIS6 & ASP: accessing network files with FSO fails

Discussion in 'ASP General' started by Thomas, Mar 21, 2005.

  1. Thomas

    Thomas Guest

    after spending countless hours trying, i give up and hope to get some help
    in here.

    on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
    trying to read a file from a UNC path with an FSO:
    Set myFile = Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
    this fails with a Permission Denied.

    here's the deal:
    - server1 & server2 are members of a domain
    - iis6 is used with asp (not .net)
    - myweb.com runs in the context of a domain user (my admin account even, for
    testing purposes)
    - the unc share has full rights to Everyone
    - the file permissions on server2 are set to full rights to Everyone
    - i can successfully read the file *with the same code* in a test.vbs
    - if i set up a virtual folder to the unc path using "connect as" within the
    iis6, i can browse the remote files with my webbrowser - but the asp code
    still fails.

    this is driving me crazy. all howtos, posts and pages i found tell me to run
    the web as a domain user with sufficient rights -- this is what i'm doing,
    but it just won't work!

    any help is greatly appreciated!
    - thomas
    Thomas, Mar 21, 2005
    #1

  2. Thomas

    Jeff Cochran Guest

    On Mon, 21 Mar 2005 04:18:23 +0100, "Thomas" <> wrote:

    >after spending countless hours trying, i give up and hope to get some help
    >in here.
    >
    >on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
    >trying to read a file from an UNC path with a FSO:
    >Set myFile =
    >Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
    >this fails with an Permission Denied.
    >
    >here's the deal:
    >- server1 & server2 are members of a domain
    >- iis6 is used with asp (not .net)
    >- myweb.com runs in the context of a domain user (my admin account even, for
    >testing purposes)
    >- the unc share has full rights to Everyone
    >- the file permissions on server2 are set to full rights to Everyone
    >- i can successfully read the file *with the same code* in a test.vbs
    >- if i set up a virtual folder to the unc path using "connect as" within the
    >iis6, i can browse the remote files with my webbrowser - but the asp code
    >still fails.
    >
    >this is driving me crazy. all howtos, posts and pages i found tell me to run
    >the web as a domain user with sufficient rights -- this is what i'm doing,
    >but it just won't work!


    You post lots of details, but you left out the most important one --
    Just exactly what does "fails" and "won't work" mean?

    Jeff
    Jeff Cochran, Mar 21, 2005
    #2

  3. Thomas

    thomas h Guest

    basically, everything in ASP that incorporates FSO accessing remote UNC
    paths fails - reading folders, files and writing to them fails. even a
    FileExists check fails:

    oFSO.FileExists("\\server2\myshare\myfile.txt") always returns false -
    even though i can access the file directly (i.e. not using oFSO).

    i don't think it's a problem with my code, as it works perfectly for local
    files - even when i access them through their local UNC path (i.e.
    "\\server1\d$\justatest.txt")

    so: any function trying to read/write/access remote files through a unc
    path within ASP results in a "permission denied" or "file not found"
    runtime error.

    - thomas

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
    thomas h, Mar 21, 2005
    #3
  4. Thomas

    thomas h Guest

    interesting point:

    the web does not allow anonymous access.

    when i enable anonymous access and put in the domain account as user, my
    script works. so obviously asp is not running in the web application
    pool, but under a different user context (which one??) when anonymous
    access is disabled.

    the users logging in are domain users with full rights to the network -
    so iis/asp does not seem to impersonate them either.

    so the question comes down to: what user is my asp script running in
    (obviously not the one from my app pool) when i disable anonymous
    access? the web's w3wp.exe is running as the app pool user (my domain
    account).

    as a workaround i could just enable anonymous access and then check on a
    per-script basis if the user is logged in. but i somehow feel that this is
    not how it should work. ;-)

    thomas h, Mar 21, 2005
    #4
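    A diagnostic page, added here as an example and not code from the thread, that answers the question above (which identity the script actually runs under) and repeats the FSO calls from the first post against a local path and the UNC path, recording the error at each step. Both paths are placeholders taken from the thread, and the WScript.Network call is assumed to report the token the ASP thread currently holds.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Diagnostic page (added example, not from the thread). Shows which identity
' IIS authenticated for this request and what the FileSystemObject reports
' for a local path and for the UNC path, so "no credentials at all",
' "permission denied" and "file not found" can be told apart.
' Both paths are placeholders copied from the thread.
Const LOCAL_PATH = "\\server1\d$\justatest.txt"
Const UNC_PATH   = "\\server2\myshare\myfile.txt"

Response.ContentType = "text/plain"

' Identity IIS attached to the request. With anonymous access disabled and
' Windows authentication enabled, LOGON_USER must be non-empty; if it is
' empty, the browser never sent credentials and the script has no user token
' to forward to server2.
Sub ReportRequestIdentity()
    Response.Write "AUTH_TYPE  : " & Request.ServerVariables("AUTH_TYPE") & vbCrLf
    Response.Write "LOGON_USER : " & Request.ServerVariables("LOGON_USER") & vbCrLf
    Response.Write "REMOTE_USER: " & Request.ServerVariables("REMOTE_USER") & vbCrLf
    ' Assumption: WScript.Network.UserName reflects the token the ASP thread
    ' holds right now (the impersonated user, or the process account).
    Dim net
    On Error Resume Next
    Set net = Server.CreateObject("WScript.Network")
    If Err.Number = 0 Then
        Response.Write "THREAD_USER: " & net.UserDomain & "\" & net.UserName & vbCrLf
    Else
        Response.Write "THREAD_USER: (WScript.Network unavailable: " & Err.Description & ")" & vbCrLf
    End If
    On Error GoTo 0
End Sub

' Runs the same FSO calls the thread uses against one path and records the
' outcome of each step. FileExists/FolderExists never raise; they simply
' return False when the share cannot be reached, so GetFile is tried too
' because it raises a distinct runtime error:
'   53 = File not found, 70 = Permission denied.
Function ProbePath(path)
    Dim fso, f, ts, firstLine, report
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    report = "Path: " & path & vbCrLf

    On Error Resume Next
    report = report & "  FolderExists(parent): " & fso.FolderExists(fso.GetParentFolderName(path)) & vbCrLf
    report = report & "  FileExists          : " & fso.FileExists(path) & vbCrLf

    Err.Clear
    Set f = fso.GetFile(path)
    If Err.Number <> 0 Then
        report = report & "  GetFile             : error " & Err.Number & " (" & Err.Description & ")" & vbCrLf
    Else
        report = report & "  GetFile             : ok, " & f.Size & " bytes" & vbCrLf
        Err.Clear
        Set ts = f.OpenAsTextStream(1)   ' 1 = ForReading
        If Err.Number <> 0 Then
            report = report & "  OpenAsTextStream    : error " & Err.Number & " (" & Err.Description & ")" & vbCrLf
        Else
            If Not ts.AtEndOfStream Then firstLine = ts.ReadLine
            ts.Close
            report = report & "  first line          : " & firstLine & vbCrLf
        End If
    End If
    On Error GoTo 0
    ProbePath = report
End Function

ReportRequestIdentity
Response.Write vbCrLf & ProbePath(LOCAL_PATH)
Response.Write vbCrLf & ProbePath(UNC_PATH)
%>
```

    Compare the LOGON_USER line with what server2's security log records for the same request (an ANONYMOUS LOGON entry versus a network logon for the expected account) to see whether the request's credentials actually reach the second server.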
  5. Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
    considered trying a mapped drive letter instead of the direct UNC share?


    Aaron [SQL Server MVP], Mar 21, 2005
    #5
  6. Thomas

    Thomas Guest

    > Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
    > considered trying a mapped drive letter instead of the direct UNC share?


    mapped drives are only valid for logged-on users - which is not the case for
    services (i.e. www).
    i don't see why IWAM_... could be involved, as the application pool
    explicitly specifies a (domain user) identity...

    - thomas


    "Aaron [SQL Server MVP]" <> wrote in message
    news:BE643462.4160%...
    > Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
    > considered trying a mapped drive letter instead of the direct UNC share?
    >
    >
    > On 3/21/05 6:55 AM, in article ,
    > "thomas h" <> wrote:
    >
    >> interesting point:
    >>
    >> the web does not allow anonymous access.
    >>
    >> when i enable anonymous access and put in the domain account as user, my
    >> script works. so obviously asp is not running in the web application
    >> pool, but under a different user context (which one??) when anonymous
    >> access is disabled.
    >>
    >> the users logging in are domain users with full rights to the network -
    >> so iis/asp does not seem to impersonate them either.
    >>
    >> so the question comes down to: what user is my asp script running in
    >> (obviously not the one from my app pool) when i disable anonymous
    >> access? the web's w3wp.exe is running as the app pool user (my domain
    >> account).
    >>
    >> as a workaround i could just enable anonymous access and then check on
    >> script basis if the user is logged in. but i somehow feel that this is
    >> not how it should work. ;-)
    >>
    >> *** Sent via Developersdex http://www.developersdex.com ***
    >> Don't just participate in USENET...get rewarded for it!

    >
    Thomas, Mar 21, 2005
    #6
  7. > mapped drives are only valid for logged-on users - which is not the case for
    > services (i.e. www).
    > i don't see why IWAM_... could be involved, as the application pool
    > explicitly specifies a (domain user) identity...


    Just throwing out ideas. Tough to troubleshoot when we can't see the box.
    <shrug>
    Aaron [SQL Server MVP], Mar 21, 2005
    #7
  8. Thomas

    Jeff Cochran Guest

    On Mon, 21 Mar 2005 03:55:45 -0800, thomas h <> wrote:

    >interesting point:
    >
    >the web does not allow anonymous access.
    >
    >when i enable anonymous access and put in the domain account as user, my
    >script works. so obviously asp is not running in the web application
    >pool, but under a different user context (which one??) when anonymous
    >access is disabled.
    >
    >the users logging in are domain users with full rights to the network -
    >so iis/asp does not seem to impersonate them either.
    >
    >so the question comes down to: what user is my asp script running in
    >(obviously not the one from my app pool) when i disable anonymous
    >access? the web's w3wp.exe is running as the app pool user (my domain
    >account).


    Normally IUSR/IWAM or the logged in user account. This is ASP and not
    .NET correct? Have you tried giving the network account access?

    Jeff

    Jeff Cochran, Mar 21, 2005
    #8
  9. Thomas

    Thomas Guest

    this is pure asp, yep.

    if you're right, this would imply asp scripts not being executed in-process
    within the web. i somehow can't believe this... especially as it seems to
    work when enabling anonymous access to the web. i KNOW asp.net runs within
    the web application pool process and its identity. not having the same
    possibility for classic asp looks like a bug or design failure to me... ;-(

    also, asp not using the "connect as" identity when accessing unc virtual
    folders does not make any sense. i just can not (well, i can, but i don't
    want to) give iusr or iwam access to the network shares. this would allow
    other webs to read & write there as well - intolerable.

    thomas





    Thomas, Mar 21, 2005
    #9
  10. Thomas

    Jeff Cochran Guest

    On Mon, 21 Mar 2005 16:03:34 +0100, "Thomas" <> wrote:

    >this is pure asp, yep.
    >
    >if you're right, this would imply asp scripts not being executed in-process
    >within the web. i somehow can't believe this... especially as it seems to
    >work when enabling anonymous access to the web. i KNOW asp.net runs within
    >the web application pool process and its identity. not having the same
    >possibility for classic asp looks like a bug or design failure to me... ;-(
    >
    >also, asp not using the "connect as" identity when accessing unc virtual
    >folders does not make any sense. i just can not (well, i can, but i don't
    >want to) give iusr or iwam access to the network shares. this would allow
    >other webs to read & write there as well - intolerable.


    With Windows integrated authentication, the connection should be the
    account of the logged in user. Unless your user isn't getting logged
    in correctly.

    Jeff



    Jeff Cochran, Mar 21, 2005
    #10
  11. Thomas

    Thomas Guest

    > With Windows integrated authentication, the connection should be the
    > account of the logged in user. Unless your user isn't getting logged
    > in correctly.


    i can assure you i'm logged in correctly. and as domain admin i also have
    enough rights to access any share or file within the network.

    when anonymous access on the web is disabled, i get the following eventlog
    entries on server2 (where the asp tries to access the files):

    ID 538:
    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0xF44FFC)
    Logon Type: 3

    this only happens when anonymous access is turned off. once i turn it on and
    supply the user information in the iis management console, i get these
    entries in the eventlog:

    ID 540:
    Successful Network Logon:
    User Name: iistest
    Domain: DOM
    Logon ID: (0x0,0xF640E0)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: TATOOINE

    when having anon disabled, i only get logoff event log entries (ID 538),
    whereas with anon enabled i get the successful logons (ID 540). in the
    web's directory security tab, i have [x] windows authentication enabled.
    this is doing my head in ;-(

    - thomas


    Thomas, Mar 21, 2005
    #11
  12. Thomas

    Jeff Cochran Guest

    On Mon, 21 Mar 2005 20:51:43 +0100, "Thomas" <> wrote:

    >> With Windows integrated authentication, the connection should be the
    >> account of the logged in user. Unless your user isn't getting logged
    >> in correctly.

    >
    >i can assure you i'm logged in correctly. and as domain admin i also have
    >enough rights to access any share or file within the network.
    >
    >when anonymous access on the web is disabled, i get the following eventlog
    >entries on server2 (where the asp tries to access the files):
    >
    >ID 538:
    >User Logoff:
    > User Name: ANONYMOUS LOGON
    > Domain: NT AUTHORITY
    > Logon ID: (0x0,0xF44FFC)
    > Logon Type: 3
    >
    >this only happens when anonymous access is turned off.


    This seems to indicate you're not passing credentials and logging in
    as the account you say you're logged in as.

    Try creating a simple HTML file on the web server. Using NTFS
    permissions, only allow access to a single user account. Log onto a
    workstation with this account and see if you can access the HTML file.
    No second server connection involved here. As long as IE is passing
    credentials for the server/domain (the domain is in the intranet
    security zone) then you should have access. If not, you're not using
    the account you think you are.

    Also, try using Filemon on server 2 to see what account is trying to
    access the file. It's from sysinternals.com.

    Jeff


    Jeff Cochran, Mar 21, 2005
    #12
  13. Thomas

    Thomas Guest

    > security zone) then you should have access. If not, you're not using
    > the account you think you are.


    i did this test and it works just fine - i can login with the domain account
    and browse the website. but i cannot access the remote files - the eventlog
    still shows the same results. :-(

    > Also, try using Filemon on server 2 to see what account is trying to
    > access the file. It's from sysinternals.com.


    already tried this. there is no activity on the files in question. i guess
    asp therefore can not even access the share (which is configured to give
    Everyone full access).

    - thomas


    Thomas, Mar 21, 2005
    #13
  14. Aaron Bertrand

    Thanks again!

    A
    Aaron [SQL Server MVP], Mar 21, 2005
    #14
  15. Umm, whoops, hit reply in the wrong place. Everyone please disregard that
    address, and go about your business. :)

    Anyway, I'm still not convinced that you are authenticating the way you
    think you are when IIS tries to access the other machine. Are you absolutely
    positive that anonymous access is disabled? Are you prompted to enter
    network credentials, or does this happen transparently (in other words, you
    assume you are authenticating correctly)?

    You say that you gave "Everyone" full access on Server2. Well, this only
    includes accounts that Server2 knows about. Humor us and add an explicit
    local username IUSR_Server1 and synchronize the password with the IUSR
    account on Server1.

    A



    "Thomas" <> wrote in message
    news:...
    > > security zone) then you should have access. If not, you're not using
    > > the account you think you are.

    >
    > i did this test and it works just fine - i can login with the domain

    account
    > and browse the website. but i cannot access the remote files - the

    eventlog
    > still shows the same results. :-(
    >
    > > Also, try using filemon on server 2 to see what account is trying to
    > > access the file. From systernals.com.

    >
    > already tried this. there is no activity on the files in question. i guess
    > asp therefore can not even access the share (which is configured to give
    > Everyone full access).
    >
    > - thomas
    >
    >
    Aaron [SQL Server MVP], Mar 21, 2005
    #15
  16. (Where's the damned recall feature.)

    "Aaron [SQL Server MVP]" <> wrote in message
    news:...
    > Aaron Bertrand
    Aaron [SQL Server MVP], Mar 21, 2005
    #16
  17. Thomas

    Thomas Guest

    > Anyway, I'm still not convinced that you are authenticating the way you
    > think you are when IIS tries to access the other machine. Are you
    > absolutely positive that anonymous access is disabled?

    well. "[ ] enable anonymous access" is unchecked. and i'm prompted for login
    credentials when browsing the website.

    > Are you prompted to enter
    > network credentials, or does this happen transparently (in other words,
    > you assume you are authenticating correctly)?

    100% - i am prompted for password and stuff ;-)
    also i can see on the domain server my login events.

    > You say that you gave "Everyone" full access on Server2. Well, this only
    > includes accounts that Server2 knows about. Humor us and add an explicit
    > local username IUSR_Server1 and synchronize the password with the IUSR
    > account on Server1.

    created user IUSR_TATOOINE on server2. no luck:

    Microsoft VBScript runtime error '800a0046'
    Permission denied

    eventlog on server2 still shows:
    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x10FB1B4)
    Logon Type: 3

    - thomas



    "Aaron [SQL Server MVP]" <> wrote in message
    news:%...
    > Umm, whoops, hit reply in the wrong place. Everyone please disregard that
    > address, and go about your business. :)
    >
    > Anyway, I'm still not convinced that you are authenticating the way you
    > think you are when IIS tries to access the other machine. Are you
    > absolutely positive that anonymous access is disabled? Are you prompted to
    > enter network credentials, or does this happen transparently (in other
    > words, you assume you are authenticating correctly)?
    >
    > You say that you gave "Everyone" full access on Server2. Well, this only
    > includes accounts that Server2 knows about. Humor us and add an explicit
    > local username IUSR_Server1 and synchronize the password with the IUSR
    > account on Server1.
    >
    > A
    >
    >
    >
    Thomas, Mar 21, 2005
    #17
  18. > created user IUSR_TATOOINE on server2. no luck:

    Does it have the same password as IUSR on the machine tatooine?

    > User Name: ANONYMOUS LOGON


    AHA! See, your credentials are not being passed. This means that this page
    is really not authenticating as you. What does this yield:

    Response.Write Request.ServerVariables("LOGON_USER")

    A
    Aaron [SQL Server MVP], Mar 21, 2005
    #18
  19. Thomas

    Thomas Guest

    > Does it have the same password as IUSR on the machine tatooine?

    yep

    > AHA! See, your credentials are not being passed. This means that this
    > page
    > is really not authenticating as you. What does this yield:
    >
    > Response.Write Request.ServerVariables("LOGON_USER")


    DOM\iistest

    my test account with admin rights. the credentials are passed. but that does
    unfortunately not prove asp is actually running in this context. if it did,
    it could access the files as the account is a domain admin (and yes, it does
    have the group policy set "allow logon as service")...

    - thomas
    Thomas, Mar 21, 2005
    #19
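    A diagnostic page, added here and not written by any participant in the
    thread, that puts the checks discussed above side by side: the identity
    and authentication package IIS reports for the request, then the same FSO
    call against a local file and against the UNC path from the thread, with
    the VBScript error number captured instead of the bare "Permission denied"
    page. The local file name is a placeholder; the UNC path is the one from
    the thread.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic, not from the original thread.
' Assumed: a file named local.txt placed next to this script (placeholder),
' and the UNC path used in the thread.
Dim fso, localPath, uncPath
localPath = Server.MapPath("local.txt")
uncPath = "\\server2\myshare\myfile.txt"

Response.ContentType = "text/plain"

' 1. Who does IIS say the caller is, and how was the caller authenticated?
'    AUTH_TYPE is empty when the request came in anonymously.
Response.Write "LOGON_USER : " & Request.ServerVariables("LOGON_USER") & vbCrLf
Response.Write "AUTH_TYPE  : " & Request.ServerVariables("AUTH_TYPE") & vbCrLf
Response.Write "REMOTE_USER: " & Request.ServerVariables("REMOTE_USER") & vbCrLf

' 2. Same call, two targets: a local file (no second hop) and the UNC path.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Response.Write "local file : " & TryGetFile(fso, localPath) & vbCrLf
Response.Write "UNC file   : " & TryGetFile(fso, uncPath) & vbCrLf

' Attempts FileSystemObject.GetFile and returns a one-line result instead of
' letting the runtime error abort the page. VBScript runtime error 70 is
' "Permission denied"; IIS shows it as 800a0046 (0x800A0000 + 70), the code
' seen in the thread.
Function TryGetFile(fs, path)
    Dim f
    On Error Resume Next
    Set f = fs.GetFile(path)
    If Err.Number <> 0 Then
        TryGetFile = "FAILED, error " & Err.Number & " (" & Err.Description & ")"
        Err.Clear
    Else
        TryGetFile = "OK, " & f.Size & " bytes, modified " & f.DateLastModified
    End If
    On Error GoTo 0
End Function
%>
```

    If LOGON_USER shows the domain account and the local read succeeds while
    the UNC read fails with error 70, the page is impersonating a network logon
    token, and an NTLM token (the Authentication Package in the 540 event above)
    cannot be reused by the web server for a further network hop, so server2
    sees the ANONYMOUS LOGON recorded in its 538 events.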
  20. > my test account with admin rights. the credentials are passed.

    Sorry, but you're going to have to hire a consultant to help you figure this
    out, or change your approach. (You mentioned before that it was a cardinal
    sin to allow anonymous access to these shares for all your webs, but that is
    still limited to the code you place in the folders of your web
    applications - in other words, you are in control over what your ASP code
    does using Scripting.FileSystemObject... unless you are afraid of what
    people can do when they have access to the file system directly, in which
    case this is the least of your worries, and if they don't have direct access
    to the web server, e.g. with term server, they would have to guess your
    share name exists AND that IUSR can access it. Anyway, a file share that is
    accessible to one web site on a machine inside your network shouldn't really
    have anything on it that is too sensitive for other web apps on the same
    machine to have access to it.)

    We keep telling you your credentials aren't passed, and you keep insisting
    that they are, even though you admit that the ASP page isn't using them.

    I give up. <shrug>

    A
    Aaron [SQL Server MVP], Mar 21, 2005
    #20