Help! FileUploading, Windows 2000 permissions, and the ASP.NET account

Brian

I have a complex problem that needs a lot of background explanation before I can ask questions,
so here goes....

Our system consists of two servers.

-WebUI server - Windows 2000 - runs ASP.NET pages and handles HTTP requests.
All requests go through this frontend public server. Business objects are then called, which
execute stored procs, etc. on the WebSQL server.

-WebSQL server - Windows 2000 - SQL Server 2000 database and file server.
This server is not public to the internet, but is accessible by the WebUI server.

A piece of functionality in our ASP.NET web application is to allow a user to upload
a file. We store a record in the database with information about the file, but
physically store the file on the hard drive in a special directory structure.
All files are stored on the WebSQL server, however, not the WebUI server.

I use an HtmlInputFile control to transfer the file from the user's machine to the
WebUI server.
ex:
txtFile.PostedFile.SaveAs(strFilePath & "\" & strFileName)

The file path however is a UNC path, like "\\WebSQL\path\etc"

Getting the WebUI server to be able to save a file to the WebSQL server took some work.
I got it to work by doing the following:
1. Made sure both WebUI and WebSQL had the ASPNET account.
2. Gave the ASPNET account on the WebSQL machine full rights to the subdirectory structure where we save files.
3. Gave the ASPNET account "List File Contents" rights for the root drive where the previous directory structure exists.
4. Changed the username/password of the <processmodel> section of machine.config file of the WebUI machine to "ASPNET" and the corresponding password.

Doing all of this allows us to be able to upload files through a web page interface and save those files on the backend WebSQL server.

However, for some reason the Administrator account of the WebSQL server CANNOT delete or change permissions on any files or directories that were created by the ASPNET account - even though Administrator is shown with FULL CONTROL on the file or directory?!?

I discovered that if you go into the file properties from Windows Explorer, even though it does not allow the Administrator to change ANY security permissions for this specific file or dir, you can go to the Advanced dialog and change the OWNER to Administrator. For some reason the previous owner said "Unknown". Once the file or directory has been set to Administrator, you can give the correct security rights to the file and actually delete it through Windows Explorer.

So my question is:
-How can I give the ASPNET account (on the WebSQL server) better permissions so that when a file is written, anyone who has the correct permissions can delete/modify/etc. the file OTHER than the ASPNET account?

-OR is there a better way to do what I am trying to accomplish?

Thank you for reading this long message.

Brian
Chris Marchal[MSFT]

The ASPNET account is a local account to both machines. There is a method
of working around the double-hop NTLM problem which required accounts of
the same name to be included on two different machines to allow
authentication. I think this is why the scenario you outline is working,
i.e. because both machines have an account with the same name. I'm
assuming that you do not impersonate the IIS authenticated user. The
resulting behaviour sounds like the ACLs on the files created are incorrect
in some way probably due to the fact that

To work around this you could create a domain account that is solely
dedicated to running the ASP.NET process and having permissions on the SQL
machine. It should be locked down in all other areas. With this scenario
you have an authentication mechanism that is a third party to the two machines
and is recognised by both.

You could also try setting something up with Kerberos but again you have to
be very careful about introducing security holes onto the network.

Chris Marchal
Microsoft UK Developer Support
This posting is provided "AS IS" with no warranties, and confers no rights.
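The two things a practitioner would want to do with this thread are (a) find out what Explorer's owner "Unknown" actually is on the files the ASPNET identity created, and (b) put the upload root into the state Chris describes: owned by Administrators, with a dedicated service account holding only the rights it needs. The following is an added example, not code from either poster, written in PowerShell for a current Windows file server (Windows 2000 had no PowerShell; the equivalents there were cacls and subinacl). The upload root `\\WebSQL\Uploads` and the service account `CORP\svc-aspnet` are assumed names, not from the thread.

```powershell
# Added example (not from the original thread). Run in an elevated session on
# the file server; Set-Acl needs SeRestore/SeTakeOwnership to change owners.
# Assumed names: upload root \\WebSQL\Uploads, service account CORP\svc-aspnet.

# 1. Audit: list every file/directory whose owner SID does not translate to an
#    account name. An unresolvable owner SID is what Explorer shows as "Unknown".
function Get-OrphanedOwner {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl      = Get-Acl -LiteralPath $_.FullName
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        $resolved = $true
        try   { [void]$ownerSid.Translate([System.Security.Principal.NTAccount]) }
        catch { $resolved = $false }   # IdentityNotMappedException: no such SID here

        [pscustomobject]@{
            Path     = $_.FullName
            OwnerSid = $ownerSid.Value
            Resolved = $resolved
        }
    } | Where-Object { -not $_.Resolved }
}

# 2. Repair: take ownership for BUILTIN\Administrators and replace the DACL on
#    the upload root with an explicit least-privilege set that inherits down:
#    Administrators = Full Control, service account = Modify (not Full Control),
#    so the account can create/overwrite/delete uploads but not re-ACL them.
function Repair-UploadAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ServiceAccount
    )

    $admins  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $svc     = [System.Security.Principal.NTAccount]$ServiceAccount
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner($admins)
    # Stop inheriting the drive-root ACL (step 3 in the question) and drop
    # whatever explicit entries are there, then add exactly two rules.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admins, 'FullControl', $inherit, $prop, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $svc, 'Modify', $inherit, $prop, 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Existing children keep their old owner; push ownership down so that
    # Administrators can delete files the old identity created.
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $childAcl = Get-Acl -LiteralPath $_.FullName
        $childAcl.SetOwner($admins)
        Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
    }
}

# Usage (assumed values): audit first, then repair.
$UploadRoot = '\\WebSQL\Uploads'
Get-OrphanedOwner -Path $UploadRoot | Format-Table -AutoSize
Repair-UploadAcl -Path $UploadRoot -ServiceAccount 'CORP\svc-aspnet'
```

If Get-Acl itself is refused on a file (the owner's DACL denies READ_CONTROL to everyone else), take ownership first with the built-in tool, e.g. `takeown /F \\WebSQL\Uploads /A /R /D Y`, and then run the repair. Granting the service account Modify rather than Full Control is the point of Chris's "locked down in all other areas": the web process can write uploads, but it cannot change owners or ACLs, so the situation Brian describes cannot recur no matter what the application writes.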