NT AUTHORITY\Network Service can't write to .NET Directory?

[musosdev]

Hi

An addition to my IWA query really - the sysadmin had promoted the web
server to a domain controller, and it *seems* to be letting us into the
Intranet app, but it's throwing the following error...

I wonder if some could explain what it's trying to do, and how to fix it?

Ta, Dan.


Server Error in '/' Application.
________________________________________
The current identity (NT AUTHORITY\NETWORK SERVICE) does not have write
access to 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.Web.HttpException: The current identity (NT
AUTHORITY\NETWORK SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'.

Source Error:
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.

Stack Trace:

[HttpException (0x80004005): The current identity (NT AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'.]
System.Web.HttpRuntime.SetUpCodegenDirectory(CompilationSection
compilationSection) +3482379
System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags hostingFlags)
+226

[HttpException (0x80004005): The current identity (NT AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +3435007
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +88
System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +252

 

[Dominick Baier]

Well - you really shouldn't do that...and it is also not necessary.

This directory is used by ASP.NET to temporarily store the compiled pages.
The worker process account needs modify privileges on that IIRC..

 

[musosdev]

Hi Dominick,

Um... do what, exactly? I have no idea what it's doing. I've never seen that
error before, and I've not written any code to access the .NET directories.

What/why is it trying to do!?

Well - you really shouldn't do that...and it is also not necessary.

This directory is used by ASP.NET to temporarily store the compiled pages.
The worker process account needs modify privileges on that IIRC..

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi

An addition to my IWA query really - the sysadmin had promoted the web
server to a domain controller, and it *seems* to be letting us into
the Intranet app, but it's throwing the following error...

I wonder if some could explain what it's trying to do, and how to fix
it?

Ta, Dan.

Server Error in '/' Application.
________________________________________
The current identity (NT AUTHORITY\NETWORK SERVICE) does not have
write
access to 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files'.
Description: An unhandled exception occurred during the execution of
the
current web request. Please review the stack trace for more
information about
the error and where it originated in the code.
Exception Details: System.Web.HttpException: The current identity (NT
AUTHORITY\NETWORK SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.

Source Error: An unhandled exception was generated during the
execution of the current web request. Information regarding the origin
and location of the exception can be identified using the exception
stack trace below.

Stack Trace:

[HttpException (0x80004005): The current identity (NT
AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.]
System.Web.HttpRuntime.SetUpCodegenDirectory(CompilationSection
compilationSection) +3482379
System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags
hostingFlags)
+226
[HttpException (0x80004005): The current identity (NT
AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
+3435007
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
+88
System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
+252

 

[Dominick Baier]

Hi,

a) you should not run productive applications on domain controllers
b) thats how ASP.NET works - pages are compiled to classes, these classes
go into assemblies and these assemblies have to be stored somewhere. ASP.NET
is using this directory. I remember that there are some issues with asp.net
on DCs, and one of them was (depending on the install order) - that the setup
does not correctly ACL the temp directory. So you have to do that manually.

HTH
-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi Dominick,

Um... do what, exactly? I have no idea what it's doing. I've never
seen that error before, and I've not written any code to access the
.NET directories.

What/why is it trying to do!?

Well - you really shouldn't do that...and it is also not necessary.

This directory is used by ASP.NET to temporarily store the compiled
pages. The worker process account needs modify privileges on that
IIRC..

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Hi

An addition to my IWA query really - the sysadmin had promoted the
web server to a domain controller, and it *seems* to be letting us
into the Intranet app, but it's throwing the following error...

I wonder if some could explain what it's trying to do, and how to
fix it?

Ta, Dan.

Server Error in '/' Application.
________________________________________
The current identity (NT AUTHORITY\NETWORK SERVICE) does not have
write
access to 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files'.
Description: An unhandled exception occurred during the execution of
the
current web request. Please review the stack trace for more
information about
the error and where it originated in the code.
Exception Details: System.Web.HttpException: The current identity
(NT
AUTHORITY\NETWORK SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.
Source Error: An unhandled exception was generated during the
execution of the current web request. Information regarding the
origin and location of the exception can be identified using the
exception stack trace below.

Stack Trace:

[HttpException (0x80004005): The current identity (NT
AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.]
System.Web.HttpRuntime.SetUpCodegenDirectory(CompilationSection
compilationSection) +3482379
System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags
hostingFlags)
+226
[HttpException (0x80004005): The current identity (NT
AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
+3435007
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
+88
System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
+252

 

[musosdev]

Thanks!

Hi,

a) you should not run productive applications on domain controllers
b) thats how ASP.NET works - pages are compiled to classes, these classes
go into assemblies and these assemblies have to be stored somewhere. ASP.NET
is using this directory. I remember that there are some issues with asp.net
on DCs, and one of them was (depending on the install order) - that the setup
does not correctly ACL the temp directory. So you have to do that manually.

HTH
-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi Dominick,

Um... do what, exactly? I have no idea what it's doing. I've never
seen that error before, and I've not written any code to access the
.NET directories.

What/why is it trying to do!?

Well - you really shouldn't do that...and it is also not necessary.

This directory is used by ASP.NET to temporarily store the compiled
pages. The worker process account needs modify privileges on that
IIRC..

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Hi

An addition to my IWA query really - the sysadmin had promoted the
web server to a domain controller, and it *seems* to be letting us
into the Intranet app, but it's throwing the following error...

I wonder if some could explain what it's trying to do, and how to
fix it?

Ta, Dan.

Server Error in '/' Application.
________________________________________
The current identity (NT AUTHORITY\NETWORK SERVICE) does not have
write
access to 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files'.
Description: An unhandled exception occurred during the execution of
the
current web request. Please review the stack trace for more
information about
the error and where it originated in the code.
Exception Details: System.Web.HttpException: The current identity
(NT
AUTHORITY\NETWORK SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.
Source Error: An unhandled exception was generated during the
execution of the current web request. Information regarding the
origin and location of the exception can be identified using the
exception stack trace below.

Stack Trace:

[HttpException (0x80004005): The current identity (NT
AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.]
System.Web.HttpRuntime.SetUpCodegenDirectory(CompilationSection
compilationSection) +3482379
System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags
hostingFlags)
+226
[HttpException (0x80004005): The current identity (NT
AUTHORITY\NETWORK
SERVICE) does not have write access to
'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files'.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
+3435007
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
+88
System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
+252

 

[Steven Cheng[MSFT]]

Hi Dan,

As Dominick has mentioned, on DC box, there has some problem with the
ASP.NET process identity(the IIS worker process account), some permission
may has been removed. You can first try switching the ASP.NET process
identity(application pool identity) to a powerful account(such as admin
account) and test it to see whether the problem disappear, if so, it is
surely some certain permissions is missed on the default Network Service
identity.

Here are two articles introduce setup the proper permissions for ASP.NET
worker process identity(1.x and 2.0):

#Process and request identity in ASP.NET
http://support.microsoft.com/kb/317012

#How To: Create a Service Account for an ASP.NET 2.0 Application
http://msdn2.microsoft.com/en-us/library/ms998297.aspx

You can also have a look on this.

Hope this helps. If you have any further questions, please feel free to
post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.