Access To The Path ... Is Denied

[hufaunder]

I have a website that uses a web service that is located on the same
machine. This webservice calls a program which in return modifies a
file in c:\documents and Settings\All Users\Application Data\...'.
Unfortunately, whenever the webservice is executed I get the following
error message:

Access to the path 'C:\Documents and Settings\All Users\Application
Data\...' is denied.

Permissions for the default website (where the website and web service
reside) include [name]\Administrators and Internet Guest Account
([name]\IUSR_[name]) among others.

In directory security I have Enable anonymous access checked using User
Name = [name]\IUSR_[name] and the password I set up for that account.
Everything else (Integrated Windows authentication, etc) is unchecked.

For the file and the directory it resides in I have given full access
rights to IUSR_[name].

File Monitor (sysinternals.com) shows process = w3wp.exe,
Request=IRP_MJ_CREATE, Result = Access denied, Other = nt
authority\network service

OS is win2k3.

What am I missing here?

 

[Kristofer Gafvert]

Hello,

You have given full access rights to IUSR_[name] but the user account
denied access is nt authority\network service according to FileMon.

I believe this is your problem.

 

[CaffieneRush]

Run aspnet_regiis -i to reinstall asp.net.
Among the other things that the tool does is to give the correct
permissions to the correct users on the correct files and directories.

You can avoid this problem in the future by installing IIS before
installing the .net framework. Otherwise, you'll need to run
aspnet_regiis -i

Andy

 

[hufaunder]

IIS has been installed before the .NET framework, I believe. In any
case, I did re-install it again but the problem is still the same. As
mentioned I have given full access rights to the file and containing
folder to the user defined in the directory security dialog. Therefore,
it seems to me that the web service and/or the program that the
webservice executes run under a different user account. Could that be?
If so how do I find out what user account?

Thanks

Run aspnet_regiis -i to reinstall asp.net.
Among the other things that the tool does is to give the correct
permissions to the correct users on the correct files and directories.

You can avoid this problem in the future by installing IIS before
installing the .net framework. Otherwise, you'll need to run
aspnet_regiis -i

Andy

I have a website that uses a web service that is located on the same
machine. This webservice calls a program which in return modifies a
file in c:\documents and Settings\All Users\Application Data\...'.
Unfortunately, whenever the webservice is executed I get the following
error message:

Access to the path 'C:\Documents and Settings\All Users\Application
Data\...' is denied.

Permissions for the default website (where the website and web service
reside) include [name]\Administrators and Internet Guest Account
([name]\IUSR_[name]) among others.

In directory security I have Enable anonymous access checked using User
Name = [name]\IUSR_[name] and the password I set up for that account.
Everything else (Integrated Windows authentication, etc) is unchecked.

For the file and the directory it resides in I have given full access
rights to IUSR_[name].

File Monitor (sysinternals.com) shows process = w3wp.exe,
Request=IRP_MJ_CREATE, Result = Access denied, Other = nt
authority\network service

OS is win2k3.

What am I missing here?

 

[Juan T. Llibre]

A solution more specific to this problem would be to run :

aspnet_regiis -GA <account name>

In this case :
aspnet_regiis -GA "nt authority\network service"

That command will assign *all* ASP..NET 2.0 permissions needed to the account.

If you have doubts about which account ASP.NET is running as,
save this script as "identity.aspx", run it, and run the aspnet_regiis -ga
command using whatever account name is returned by the script.

identity.aspx:
-------------
<%@ Page Language="VB" %>
<%@ Import NameSpace = System.Security.Principal %>
<script runat="server">
Sub Page_Load()
Dim tmp As String = WindowsIdentity.GetCurrent.Name()
Label1.Text = tmp
End Sub
</script>
<html>
<head>
<title>WindowsIdentity.GetCurrent.Name()</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Runat="server" Text="Label"></asp:Label>
</div>
</form>
</body>
</html>
---------

Run aspnet_regiis -i to reinstall asp.net.
Among the other things that the tool does is to give the correct
permissions to the correct users on the correct files and directories.

You can avoid this problem in the future by installing IIS before
installing the .net framework. Otherwise, you'll need to run
aspnet_regiis -i

Andy

I have a website that uses a web service that is located on the same
machine. This webservice calls a program which in return modifies a
file in c:\documents and Settings\All Users\Application Data\...'.
Unfortunately, whenever the webservice is executed I get the following
error message:

Access to the path 'C:\Documents and Settings\All Users\Application
Data\...' is denied.

Permissions for the default website (where the website and web service
reside) include [name]\Administrators and Internet Guest Account
([name]\IUSR_[name]) among others.

In directory security I have Enable anonymous access checked using User
Name = [name]\IUSR_[name] and the password I set up for that account.
Everything else (Integrated Windows authentication, etc) is unchecked.

For the file and the directory it resides in I have given full access
rights to IUSR_[name].

File Monitor (sysinternals.com) shows process = w3wp.exe,
Request=IRP_MJ_CREATE, Result = Access denied, Other = nt
authority\network service

OS is win2k3.

What am I missing here?

 

[Simon Hart]

The recomended guidelines is you need to authenticate the Web Service
request and set the Web Service to NTLM (Integrated Security) turn off
anonymous and set <indentity impersonate="true"/> in web.config.

Doing the above, the call will execute under the user of the authenticated
user.

Look at the Credentials property of the Web Service proxy if you are not
sure how to authenticate web service calls.

Regards
Simon.

 

[Simon Hart]

IUSR_MACHINENAME will only be used if anon access is turned on and
impersonate is turned on otherwise ASPNET user account will be used (unless
of course NTLM is used in the context of my previous post).

General rule of thumb is to never change user permissions.

Regards
Simon.

 

[hufaunder]

Thanks for the input. If I turn on integrated security the user will
have to log in before using the webservice. At least that is from my
limited experience. I do not want that the user has to login, though.
So how can I do this. Note that I have the following

1) in web.config <authentication mode="Windows"/>
2) in web.config <identity impersonate="true"/>
3) in IIS "Enable anonymous access" unchecked
4) in IIS "Integrated Windows authentication" enabled.

BTW, what is 1) and 4) the same and it just can be configured at
different places?

Thanks

The recomended guidelines is you need to authenticate the Web Service
request and set the Web Service to NTLM (Integrated Security) turn off
anonymous and set <indentity impersonate="true"/> in web.config.

Doing the above, the call will execute under the user of the authenticated
user.

Look at the Credentials property of the Web Service proxy if you are not
sure how to authenticate web service calls.

Regards
Simon.

I have a website that uses a web service that is located on the same
machine. This webservice calls a program which in return modifies a
file in c:\documents and Settings\All Users\Application Data\...'.
Unfortunately, whenever the webservice is executed I get the following
error message:

Access to the path 'C:\Documents and Settings\All Users\Application
Data\...' is denied.

Permissions for the default website (where the website and web service
reside) include [name]\Administrators and Internet Guest Account
([name]\IUSR_[name]) among others.

In directory security I have Enable anonymous access checked using User
Name = [name]\IUSR_[name] and the password I set up for that account.
Everything else (Integrated Windows authentication, etc) is unchecked.

For the file and the directory it resides in I have given full access
rights to IUSR_[name].

File Monitor (sysinternals.com) shows process = w3wp.exe,
Request=IRP_MJ_CREATE, Result = Access denied, Other = nt
authority\network service

OS is win2k3.

What am I missing here?

 

[shijobaby]

If your web service anonymous authentication is


turned off you must enable that

Otherwise you have to pass username and password