Access Is Denied...

[James Goodman]

Ok, I had an ASP.NET application which after much trouble worked on a
server, SERVER1. I need to move this application to another server, DC2.

Both are domain controllers, both are running the same OS, SP etc.

The files are stored in C:\NET\App on SERVER1 & D:\NET\App on DC2.

I tried manually copying the files to the new server, as well as using the
copy project command inside VS.NET 2003. Both succeed.

When I attempt to load an aspx page I get 'Access Is Denied.'

I have enabled object access auditing & no accesses are logged in the
application directory (neither succeed or fail).

To test, I created a standard WebApplication1 application which printed
Environ("UserName") to a label control. This worked as expected.

I therefore suspect it is some kind of fault in the application (rather than
a true permission denied error which should be logged?).

Any suggestions???

 

[Joyjit Mukherjee]

Hi,

does the ASPNET account (which is used by the aspnet_wp.exe worker process)
has enough access permission on your new server. As your windows app is
working perfectly, it seems it is not a .net framework issue but an issue
with ASP .NET itself.

Let me know if it worked.

Thanks
Joyjit

 

[James Goodman]

It is not running under the ASPNET account, as it uses identity impersonate.

To ensure it is not permissions, the everyone group has full control.

 

[Patrice]

I noticed you are using a DC. Could be :
http://msdn.microsoft.com/library/d...s/wss/wss/_exch2k_running_asp_net_on_a_dc.asp

Patrice

 

[Guest]

Does it show as access denied to the user loged in? If that's the case, let
me know, because it is bug with microsoft, which will send you the address to
the solution - I sweat this for a month and no one could tell me the
solution. Will go look for the address for you....

 

[James Goodman]

Yes it does. However, the very same user can view the files through a shared
folder...

 

[James Goodman]

I have encountered that problem before. I have configured the machine.config
to use the SYSTEM Account but it still makes no difference...

 

[James Goodman]

Ok, I have now isolated it to the identity impersonate section of the
web.config file.

If I clear this option, my app fails, but only due to the IWAM user not
having access to my DB.

If I keep this option I get 'access is denied'

Any further suggestions?

 

[Patrice]

If I remember user accounts are not allowed to open a session on a DC. Maybe
worth to give this a try (you should be able to change this in the security
policy admin tool) ?

Patrice

--

 

[James Goodman]

Found the solution. I knew I had encountered this before but couldnt
remember the fix!

The problem was that the IWAM account was not allowed to impersonate a
client after authentication.
http://support.microsoft.com/default.aspx?scid=kb;en-us;824308

 

[Scott Allen]

You are using impersonation but letting anonymous users in?
Have you tried <deny users="?"/> in the <authorization> section.

 

[Scott Allen]

Hi James:

You might want to reconsider your setup as you seem to be breaking a
good many best practice rules. Running as SYSTEM and elevating the
privileges of the anon user are both risky and only provide more
opportunity for someone with malicious intent. Particularly on a DC!