Permissions Problem

Brian Cooper

I am trying to determine a permission problem trying to write a text file
from one web server to another.

Here is the situation:

We have two domains in place one is Active Directory and the other is an old
NT4 domain. These two domains have a trust between them.

On a 2003 server I am using the file system object to write a text file to a
NT4 web server. The folder on the NT 4 server currently is shared with open
security with control for everyone on Domain1 and Domain2. The 2003 server's
worker process is running under a domain account that has full access to the
folder.

I am able to map a drive to the share from the 2003 box to the NT4 box while
logged in with an admin account of the 2003 box. I am also able to run a
.vbs script on the 2003 box that is able to place a text file on the NT4
box. Of course, I do believe that script runs and creates the file system
object as the logged in user of the 2003 box.

Now to the non-working part. On my asp.net and classic asp page I am unable
to write a text file from the 2003 box to the NT4 box at all. The virtual
server(s) that are serving the pages have anon security turned on and use
the IUSR_MachineName account. Since I have every permission imaginable added
to the folder on the NT4 box for both domains at full control, my theory is
that possibly the IUSR account is the account that is actually creating the
object and trying to place the text file. I only theorize this because I
cannot place the text file and that account seems to be the only one w/o
permissions to that folder since it is a local machine account and not a
domain account.

So my real question here is if my theory is right and/or what exactly is
going on here. After spending much too long on this problem and feeling like
a noob I am at a loss as to what to try next. Any suggestion would be
greatly appreciated.

Thank you
 
John Timney (Microsoft MVP)

The crux of this is that the user under which you try to access the remote
dir must be the same user that your script is running as. This becomes a
real pain when you tie this in with permissions across domains. So, on your
win3k box you need to impersonate in asp.net the user with permissions and
allow asp.net to run on behalf of that trusted user. I've not tried it
between trusted domains, but it will be a pain I expect.

Why don't you cut your losses and pass the text as a post request to your NT4
web server and have asp create the file for you on the NT 4 box?

--
Regards

John Timney
Microsoft Regional Director
Microsoft MVP
 
Guest

Hi,

ASP.NET by default does not impersonate the logged on user, but rather runs under the local ASPNET account, which is a least privileged account. In order to have the ASP.NET application impersonate the original caller you must set impersonation to true, and authorization mode to Windows in your Web.Config. You also have to set Windows Integrated Security in IIS. After this is done, if the logged on user has access to the shared folder, there should be no problem accessing it.

Another thing also is that you mentioned you are using the File System Object in Classic ASP to access the share. If this is the case, then this object does not understand UNC paths within a web application; this may be your problem. Try using another object if possible.

Hope this helps,

sivilian
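
A way to settle which account actually reaches the share, as an added example that is not part of the original thread: an ASP.NET handler that reports the identity the request thread runs under and attempts a test write. The handler name `WhoWrites` and the `SharePath` value are hypothetical placeholders, and the handler answers local requests only because it discloses account names.

```csharp
<%@ WebHandler Language="C#" Class="WhoWrites" %>
// Added diagnostic example, not code from the thread. Save as WhoWrites.ashx.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class WhoWrites : IHttpHandler
{
    // Hypothetical placeholder: replace with the real UNC path of the share.
    private const string SharePath = @"\\NT4SERVER\share";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Account names and error text are disclosed, so serve the box itself only.
        if (!ctx.Request.IsLocal) { ctx.Response.StatusCode = 403; return; }
        ctx.Response.ContentType = "text/plain";

        // Identity IIS authenticated for this request (empty when anonymous).
        string caller = ctx.User != null ? ctx.User.Identity.Name : "";
        ctx.Response.Write("Request user   : " + caller + "\r\n");

        // Windows token the thread runs under: this is the account the remote
        // server checks against the share and NTFS permissions.
        string account = WindowsIdentity.GetCurrent().Name;
        ctx.Response.Write("Thread identity: " + account + "\r\n");

        string name = "writetest_" + Guid.NewGuid().ToString("N") + ".txt";
        string target = Path.Combine(SharePath, name);
        try
        {
            using (StreamWriter w = new StreamWriter(target))
            {
                w.WriteLine("written by " + account);
            }
            File.Delete(target); // leave nothing behind on the share
            ctx.Response.Write("Write test     : OK\r\n");
        }
        catch (UnauthorizedAccessException ex)
        {
            // Raised for a denied create or a denied delete.
            ctx.Response.Write("Write test     : access denied (" + ex.Message + ")\r\n");
        }
        catch (IOException ex)
        {
            // For example a logon failure or an unreachable network path.
            ctx.Response.Write("Write test     : I/O error (" + ex.Message + ")\r\n");
        }
    }
}
```

With anonymous access and no impersonation the thread identity is the worker process account; with `<identity impersonate="true"/>` in Web.config it becomes IUSR_MachineName, or the authenticated caller when Windows authentication is on. Delete the handler once the question is answered.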
 
