Wanted: Help with KB 825738

S

Siegfried Heintze

I refered the engineer at my hosting service to
http://support.microsoft.com/default.aspx?scid=kb;en-us;825738 where he
tried to follow the directions there.

He said there was no such file: Document settings\ServerName\ASPNET\Local
settings\Temp

I said it must be a typo, they meant to say c:\Documents And Settings\Server
Name\ASPNET\Local settings\temp.

He said he still cannot find any such directory. I believe he is running
windows 2000 server.

Oh -- I'm running windows xp 2003 server and I see I have no such directory
either. Where is it?

What is going on here?

Thanks,
Siegfried
 
K

Kevin Spencer

What sort of engineer do you have anyway? A train engineer?

Finding a directory path is an academic exercise, the sort of thing anyone
who knows how to use Windows should be able to do with their eyes closed.
How much are you paying this guy anyway?
He said there was no such file: Document settings\ServerName\ASPNET\Local
settings\Temp

I said it must be a typo, they meant to say c:\Documents And
Settings\Server
Name\ASPNET\Local settings\temp.

Yes, it's a typo. However, based on the entire path (note the reference to
"Local Settings\Temp") the directory reference is most certainly a User
account Temp folder. Now, I can't imagine how many user account folders are
in the "Documents and Settings" folder on the machine in question, but
unless everyone in your office shares the same computer, there couldn't be
more than a dozen or so. Again, the reference to "\Server Name" is obviously
NOT a reference to a folder named "Server Name," but (in the context of user
account folders) must be the folder having the machine's (server's) account
name. Assuming that, for example, the machine name was "AOL_User," the
folder in question would be "\Documents and Settings\AOL_User\ASPNET\Local
Settings\Temp."

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
A watched clock never boils.
 
S

Siegfried Heintze

Kevin,
Well maybe I'm just a train engineer because I cannot find this directory on
my machine and I have IIS running serving my private network of three
computers. Inside my c:\Documents and Settings I have "Administrator", "All
Users", "Default User".

I'm running Windows 2003 Adv Server. Why don't I see this directory on my
computer? I did not delete it.
Siegfried
 
K

Kevin Spencer

Hi Siegfried,

The folder belongs to the user account under which ASP.Net is running. Look
for a folder for THAT user. And don't expect to find it on your machine
unless you have an IIS web server set up and ASP.Net running on a web site
on your local machine.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
A watched clock never boils.
 
K

Kevin Spencer

BTW, Siegfried,

I didn't say YOU must be a train engineer! However, anyone that calls
himself an "engineer" and can't solve these sorts of issues certainly has
some. I was referring to the hosting service "engineer."

Would his name be "Casey Jones" by any chance?

--
;-),

Kevin Spencer
Microsoft MVP
..Net Developer
A watched clock never boils.
 
S

Siegfried Heintze

Kevin or anyone else:
Well if I am running windows 2003 Adv Server and I cannot find this
directory, then the hosting service might be having the same problem I am.

Can you help me figure out how to apply
http://support.microsoft.com/default.aspx?scid=kb;en-us;825738 to my
machine? I should have that directory! I know I am running ASP.NET because I
have web application that I use daily. And I wrote it myself in C#!

How do I tell what account the ASP.NET is running? I thought it was the
ASPNET account and I have not made any changes to that effect (affect?). I'm
running pretty much a vanilla installation.

I have an ASPNET account according to the "Computer Management" console,
along with Guest (disabled), siegfried, IUSR_KING-MARK, IWAM_KING-MARK,
SQLDebugger, SUPPORT_388945a0 (disabled).

So what is wrong with my machine?

My machine name is 'KING-MARK' and you are telling me that there should be a
folder there called c:\Documents and Settings\KING-MARK and I am telling you
I have no such folder and I did not delete it.

Hmmm... that is strange. I created an account for myself that I seldom use
called "siegfried" and their is no directory called "\documents and
settings\siegfried" for that account either.

Could it have something to do with the choice of my machine names containing
a "-". Uggghhh I hope not.

Do I have to create this folder?

Thanks for all your help so far!

Siegfried
 
K

Kevin Spencer

Hi Siegfried,

On a Windows 2003 server, the default ASP.Net account is:

[Domain-Or-ServerName]\NETWORK SERVICE

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
A watched clock never boils.
 
J

Juan T. Llibre

re:
How do I tell what account the ASP.NET is running?

Save the following as identity.aspx and run it.

identity.aspx
-------------------
<%@ Page Language="VB" %>
<%@ Import NameSpace = System.Security.Principal %>
<script runat="server">
Sub Page_Load()
Dim tmp As String = WindowsIdentity.GetCurrent.Name()
Label1.Text = tmp
End Sub
</script>
<html>
<head>
<title>WindowsIdentity.GetCurrent.Name()</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Runat="server" Text="Label"></asp:Label>
</div>
</form>
</body>
</html>
------------------

When you run that file, it will return the current ASP.NET identity,
i.e., the account ASP.NET is running as.

re:
Can you help me figure out how to apply
http://support.microsoft.com/default.aspx?scid=kb;en-us;825738
to my machine? I should have that directory!

If you have set a different TEMP or TMP directory for Windows in your
environment variables you may have any directory as your temp directory
for ASP.NET.
 
S

Siegfried Heintze

OK, when I run that little program (below), I get

NT AUTHORITY\NETWORK SERVICE

Why did this not show up in the list of accounts?

Now should I have a directory called C:\Documents and
Settings\KING-MARK\NETWORK SERVICE? I don't.

How do I apply
http://support.microsoft.com/default.aspx?scid=kb;en-us;825738 to my
computer when I don't have that directory?

Thanks for your *extremely* prompt responses!


Siegfried
 
J

Juan T. Llibre

re:
Why did this not show up in the list of accounts?

It does, but you have to look in the right place.

It doesn't show up in the User Manager, but it does show up when you
attempt to add access permissions for a directory when you right-click it,
and select "Properties" and the "Security" tab, and then add an account
from the list presented.

re:
How do I apply
http://support.microsoft.com/default.aspx?scid=kb;en-us;825738 to my
computer when I don't have that directory?

That KB doesn't apply to your case.

It only applies when you're impersonating, *which you are not*, since ASP.NET
is running as NT AUTHORITY\NETWORK SERVICE, the default account.

From : http://support.microsoft.com/default.aspx?scid=kb;en-us;825738 :

"The ASP.NET Web application that has the impersonation element set to true
in the Web.config file, and that has the authentication element set to Windows
in the Web.config file, runs under the impersonated account."

You don't have those conditions, ergo, that KB doesn't apply to you.

A simple solution to your problem, if the problem is that the
"NT AUTHORITY\NETWORK SERVICE" account doesn't
have access to a particular directory, is to add that account
to the ACLs for that directory, with RCW permissions, if they
are needed, or at minimum, with Read permission.

But, as things stand, you don't need to give access to *any* account to the directory
c:\Documents And Settings\KING-MARK\ASPNET\Local settings\temp because
you are *not* impersonating ASP.NET.

Unless you are having a problem which you
have not stated, you don't have a problem.
 
S

Siegfried Heintze

Thanks for sticking with me Juan.
As soon as I get a chance, I'm going to add a new account to my system and
try impersonating it (I need to do this anyway because presently the
IUSR_MACHINE account is choking when the Administrator account has opened
my MSAccess database and created an LDB file the ISR_MACHINE account cannot
open).

Now how do I want to create this account that is to be used exclusively by
perl batch jobs to populate the MSAccess database and by aspnet_wp.exe to
display the contents of the database? I go to Start->administrative
tools->Computer Management->Local users and groups->users->Member of.
Hmm.... The siegfried account is already a member of the "Adminstrators". I
guess I want to remove "Administrators"? What about enable remote control?
I'll deny access for dial in, (I guess) and disallow terminal services
login. Anything else I should be concerned about?

Now, after I set up my web.config to impersonate the siegfried account and
access the MSAccess database, can I expect the c:\Documents and
Settings\KING-MARK\ASPNET directory (KING-MARK is the name of my computer)
to magically appear? And then I go and grant the siegfried account access to
this directory as per KB 825738?

Oh -- and what about the (virtual?) directory Visual Studio created on
behalf of the Administrator account in c:\Inetpub\wwwroot\keyword-jobsearch
which contains my aspx files? Would you recommend I add the "siegfried"
account read/write access to the directory and the database and the aspx
files? Or should I just change the ownership of all the files from
Administrator to the siegfried account? Do I also have to change
c:\Inetpub\wwwroot and c:\Inetpub?

Thank you very much!
Siegfried
 
J

Juan T. Llibre

I think all your questions are answered in this article :

"How To Create a Custom Account to Run ASP.NET" :
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod15.asp

Please review it, implement your new account to impersonate ASP.NET as,
and let us know how you did and if you ran into any problems.

Keep in mind that the "Temporary Folder" used by Web services
will be whatever folder you have designated as your Windows temp directory.

Don't worry about the .Net version number ( 1.0.3705 ) in the article's text..
It's the same permission scheme for all versions of the .Net Framework.

That hasn't changed from version to version.

The Windows installation directory they show (WINNT) is for W2K,
but if you're using XP or Windows Server 2003 it will be \Windows,
unless you have chosen a custom installation directory name.

If you follow the guidelines in the article, you can't go wrong.
 
S

Siegfried Heintze

That KB doesn't apply to your case.


Shucks -- the newsgroup lost my posting I typed in yesterday.

I have a problem that I think can be solved by impersonation (I have perl
programs populating my MSAccess database from my Administrator account. This
creates an ldb file that IUSR_MACHINE cannot open and subsequently
IUSR_MACHINE cannot access the mdb file. I really should not have those perl
jobs running from the administrator account).

Presently, my application is working because I granted everyone full control
to my mdb file. This is not a good approach for a public web site (which
this is not at this time).

I assume that since I am presently not using impersonation, there is no file
c:\Documents and Settings\Server Name\ASPNET directory. If I start using
impersonation, will it create this directory and then I apply
http://support.microsoft.com/default.aspx?scid=kb;en-us;825738?

So how do I create an account specifically for impersonation. Yeah, I know
how to start->administrative tools->computer management->users and
groups->users. I guess I create an account that is a member of the user
group. Then what? Do you recommend I add this account read/write access to
the database file. This account also has to be able to create ldb files too.
Or should I change the ownership of all the files in directory
c:\inetpub\wwwroot\keyword-job-search so they are owned by this new account
instead of Administrator?

Thanks,
Siegfried
 
J

Juan T. Llibre

re:
So how do I create an account specifically for impersonation.

Hmmm... you must have missed my reply yesterday.

Here it is again :
----------------

I think all your questions are answered in this article :

"How To Create a Custom Account to Run ASP.NET" :
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod15.asp

Please review it, implement your new account to impersonate ASP.NET as,
and let us know how you did and if you ran into any problems.

Keep in mind that the "Temporary Folder" used by Web services
will be whatever folder you have designated as your Windows temp directory.

Don't worry about the .Net version number ( 1.0.3705 ) in the article's text..
It's the same permission scheme for all versions of the .Net Framework.

That hasn't changed from version to version.

The Windows installation directory they show (WINNT) is for W2K,
but if you're using XP or Windows Server 2003 it will be \Windows,
unless you have chosen a custom installation directory name.

If you follow the guidelines in the article, you can't go wrong.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top