IIS6 & ASP: accessing network files with FSO fails

[Thomas]

after spending countless hours trying, i give up and hope to get some help
in here.

on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
trying to read a file from an UNC path with a FSO:
Set myFile =
Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
this fails with an Permission Denied.

here's the deal:
- server1 & server2 are members of a domain
- iis6 is used with asp (not .net)
- myweb.com runs in the context of a domain user (my admin account even, for
testing purposes)
- the unc share has full rights to Everyone
- the file permissions on server2 are set to full rights to Everyone
- i can successfully read the file *with the same code* in a test.vbs
- if i set up a virtual folder to the unc path using "connect as" within the
iis6, i can browse the remote files with my webbrowser - but the asp code
still fails.

this is driving me crazy. all howtos, posts and pages i found tell me to run
the web as a domain user with sufficient rights -- this is what i'm doing,
but it just won't work!

any help is greatly appreciated!
- thomas

 

[Jeff Cochran]

after spending countless hours trying, i give up and hope to get some help
in here.

on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
trying to read a file from an UNC path with a FSO:
Set myFile =
Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
this fails with an Permission Denied.

here's the deal:
- server1 & server2 are members of a domain
- iis6 is used with asp (not .net)
- myweb.com runs in the context of a domain user (my admin account even, for
testing purposes)
- the unc share has full rights to Everyone
- the file permissions on server2 are set to full rights to Everyone
- i can successfully read the file *with the same code* in a test.vbs
- if i set up a virtual folder to the unc path using "connect as" within the
iis6, i can browse the remote files with my webbrowser - but the asp code
still fails.

this is driving me crazy. all howtos, posts and pages i found tell me to run
the web as a domain user with sufficient rights -- this is what i'm doing,
but it just won't work!

You post lots of details, but you left out the most important one --
Just exactly what does "fails" and "won't work" mean?

Jeff

 

[thomas h]

basically, everything in ASP that incorporates FSO accessing remote UNC
paths fails - reading folders, files and writing to them fails. even a
FileExists check fails:

oFSO.FileExists("\\server2\myshare\myfile.txt") returns always false -
eventhough i can access the file directly (i.e. not using oFSO).

i dont think its a problem with my code, as it works perfeclty for local
files - even when i access them through their local UNC path (i.e.
"\\server1\d$\justatest.txt")

so: any function trying to read/write/access remote files through an unc
path within ASP results in a "permission denied" or "file not found"
runtime error.

- thomas

 

[thomas h]

interesting point:

the web does not allow anonymous access.

when i enable anonymous access and put in the domain account as user, my
script works. so obviously asp is not running in the web application
pool, but under a different user context (which one??) when anonymous
access is disabled.

the users logging in are domain users with full rights to the network -
so iis/asp does not seem to impersonate them either.

so the question comes down to: what user is my asp script running in
(obviously not the one from my app pool) when i disable anonymous
access? the web's w3wp.exe is running as the app pool user (my domain
account).

as a workaround i could just enable anonymous access and then check on
script basis if the user is logged in. but i somehow feel that this is
not how it should work. ;-)

 

[Aaron [SQL Server MVP]]

Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
considered trying a mapped drive letter instead of the direct UNC share?

 

[Thomas]

Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you

considered trying a mapped drive letter instead of the direct UNC share?

maped drives are only valid for logged-on users - which is not the case for
services (i.e. www).
i don't see why IWAM_... could be involved, as the application pool
explicitely specifies a (domain user) identity...

- thomas

 

[Aaron [SQL Server MVP]]

maped drives are only valid for logged-on users - which is not the case
for

services (i.e. www).
i don't see why IWAM_... could be involved, as the application pool
explicitely specifies a (domain user) identity...

Just throwing out ideas. Tough to troubleshoot when we can't see the box.
<shrug>

 

[Jeff Cochran]

interesting point:

the web does not allow anonymous access.

when i enable anonymous access and put in the domain account as user, my
script works. so obviously asp is not running in the web application
pool, but under a different user context (which one??) when anonymous
access is disabled.

the users logging in are domain users with full rights to the network -
so iis/asp does not seem to impersonate them either.

so the question comes down to: what user is my asp script running in
(obviously not the one from my app pool) when i disable anonymous
access? the web's w3wp.exe is running as the app pool user (my domain
account).

Normally IUSR/IWAM or the logged in user account. This is ASP and not
..NET correct? Have you tried giving the network account access?

Jeff

 

[Thomas]

this is pure asp, yep.

if you're right, this would imply asp scripts not being executed in-process
within the web. i somehow can't believe this... especially as it seems to
work when enabling anonymous access to the web. i KNOW asp.net runs within
the web application pool process and its identity. not having the same
possibility for classic asp looks like a bug or design failure to me... ;-(

also, asp not using the "connect as" identity when accessing unc virtual
folders does not make any sense. i just can not (well, i can, but i don't
want to) give iusr or iwam access to the network shares. this would other
webs allow to read & write there as well - intolerable.

thomas

 

[Jeff Cochran]

this is pure asp, yep.

if you're right, this would imply asp scripts not being executed in-process
within the web. i somehow can't believe this... especially as it seems to
work when enabling anonymous access to the web. i KNOW asp.net runs within
the web application pool process and its identity. not having the same
possibility for classic asp looks like a bug or design failure to me... ;-(

also, asp not using the "connect as" identity when accessing unc virtual
folders does not make any sense. i just can not (well, i can, but i don't
want to) give iusr or iwam access to the network shares. this would other
webs allow to read & write there as well - intolerable.

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

Jeff

 

[Thomas]

With Windows integrated authentication, the connection should be the

account of the logged in user. Unless your user isn't getting logged
in correctly.

i can assure you i'm logged in correctly. and as domain admin i also have
enough rights to access any share or file within the network.

when anonymous access on the web is disabled, i get the following eventlog
entries on server2 (where the asp tries to access the files):

ID 538:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF44FFC)
Logon Type: 3

this only happens when anonymous access is turned off. once i turn it on and
supply the user information in the iis management console, i get these
entries in the eventlog:

ID 540:
Successful Network Logon:
User Name: iistest
Domain: DOM
Logon ID: (0x0,0xF640E0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TATOOINE

when having anon disabled, i only get logoff event log entries (ID 538),
whereas with anon enabled i get the successfull logons (ID 540). in the
web's directory security tab, i have [x] windows authentication enabled.
this is doing my head in ;-(

- thomas

 

[Jeff Cochran]

i can assure you i'm logged in correctly. and as domain admin i also have
enough rights to access any share or file within the network.

when anonymous access on the web is disabled, i get the following eventlog
entries on server2 (where the asp tries to access the files):

ID 538:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF44FFC)
Logon Type: 3

this only happens when anonymous access is turned off.

This seems to indicate you're not passing credentials and logging in
as the account you say you're logged in as.

Try creating a simple HTML file on the web server. Using NTFS
permissions, only allow access to a single user account. Log onto a
workstation with this account and see if you can access the HTML file.
No second server connection involved here. As long as IE is passing
credentials for the server/domain (the domain is in the intranet
security zone) then you should have access. If not, you're not using
the account you think you are.

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

Jeff


once i turn it on and

supply the user information in the iis management console, i get these
entries in the eventlog:

ID 540:
Successful Network Logon:
User Name: iistest
Domain: DOM
Logon ID: (0x0,0xF640E0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TATOOINE

when having anon disabled, i only get logoff event log entries (ID 538),
whereas with anon enabled i get the successfull logons (ID 540). in the
web's directory security tab, i have [x] windows authentication enabled.
this is doing my head in ;-(

- thomas

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

Jeff

 

[Thomas]

security zone) then you should have access. If not, you're not using

the account you think you are.

i did this test and it works just fine - i can login with the domain account
and browse the website. but i cannot access the remote files - the eventlog
still shows the same results. :-(

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

already tried this. there is no activity on the files in question. i guess
asp therefore can not even access the share (which is configured to give
Everyone full access).

- thomas

i can assure you i'm logged in correctly. and as domain admin i also have
enough rights to access any share or file within the network.

when anonymous access on the web is disabled, i get the following eventlog
entries on server2 (where the asp tries to access the files):

ID 538:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF44FFC)
Logon Type: 3

this only happens when anonymous access is turned off.

This seems to indicate you're not passing credentials and logging in
as the account you say you're logged in as.

Try creating a simple HTML file on the web server. Using NTFS
permissions, only allow access to a single user account. Log onto a
workstation with this account and see if you can access the HTML file.
No second server connection involved here. As long as IE is passing
credentials for the server/domain (the domain is in the intranet
security zone) then you should have access. If not, you're not using
the account you think you are.

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

Jeff


once i turn it on and

supply the user information in the iis management console, i get these
entries in the eventlog:

ID 540:
Successful Network Logon:
User Name: iistest
Domain: DOM
Logon ID: (0x0,0xF640E0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TATOOINE

when having anon disabled, i only get logoff event log entries (ID 538),
whereas with anon enabled i get the successfull logons (ID 540). in the
web's directory security tab, i have [x] windows authentication enabled.
this is doing my head in ;-(

- thomas

this is pure asp, yep.

if you're right, this would imply asp scripts not being executed
in-process
within the web. i somehow can't believe this... especially as it seems
to
work when enabling anonymous access to the web. i KNOW asp.net runs
within
the web application pool process and its identity. not having the same
possibility for classic asp looks like a bug or design failure to me...
;-(

also, asp not using the "connect as" identity when accessing unc virtual
folders does not make any sense. i just can not (well, i can, but i
don't
want to) give iusr or iwam access to the network shares. this would
other
webs allow to read & write there as well - intolerable.

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

Jeff





interesting point:

the web does not allow anonymous access.

when i enable anonymous access and put in the domain account as user,
my
script works. so obviously asp is not running in the web application
pool, but under a different user context (which one??) when anonymous
access is disabled.

the users logging in are domain users with full rights to the
network -
so iis/asp does not seem to impersonate them either.

so the question comes down to: what user is my asp script running in
(obviously not the one from my app pool) when i disable anonymous
access? the web's w3wp.exe is running as the app pool user (my domain
account).

Normally IUSR/IWAM or the logged in user account. This is ASP and not
.NET correct? Have you tried giving the network account access?

Jeff

as a workaround i could just enable anonymous access and then check on
script basis if the user is logged in. but i somehow feel that this is
not how it should work. ;-)

 

[Aaron [SQL Server MVP]]

Aaron Bertrand
99 Kingstown Rd
Richmond, RI
02898

Thanks again!

A

 

[Aaron [SQL Server MVP]]

Umm, whoops, hit reply in the wrong place. Everyone please disregard that
address, and go about your business.

Anyway, I'm still not convinced that you are authenticating the way you
think you are when IIS tries to access the other machine. Are you abslutely
positive that anonymous access is disabled? Are you prompted to enter
network credentials, or does this happen transparently (in other words, you
assume you are authenticating correctly)?

You say that you gave "Everyone" full access on Server2. Well, this only
includes accounts that Server2 knows about. Humor us and add an explicit
local username IUSR_Server1 and synchronize the password with the IUSR
account on Server1.

A

security zone) then you should have access. If not, you're not using
the account you think you are.

i did this test and it works just fine - i can login with the domain account
and browse the website. but i cannot access the remote files - the eventlog
still shows the same results. :-(

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

already tried this. there is no activity on the files in question. i guess
asp therefore can not even access the share (which is configured to give
Everyone full access).

- thomas

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

i can assure you i'm logged in correctly. and as domain admin i also have
enough rights to access any share or file within the network.

when anonymous access on the web is disabled, i get the following eventlog
entries on server2 (where the asp tries to access the files):

ID 538:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF44FFC)
Logon Type: 3

this only happens when anonymous access is turned off.

This seems to indicate you're not passing credentials and logging in
as the account you say you're logged in as.

Try creating a simple HTML file on the web server. Using NTFS
permissions, only allow access to a single user account. Log onto a
workstation with this account and see if you can access the HTML file.
No second server connection involved here. As long as IE is passing
credentials for the server/domain (the domain is in the intranet
security zone) then you should have access. If not, you're not using
the account you think you are.

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

Jeff


once i turn it on and

supply the user information in the iis management console, i get these
entries in the eventlog:

ID 540:
Successful Network Logon:
User Name: iistest
Domain: DOM
Logon ID: (0x0,0xF640E0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TATOOINE

when having anon disabled, i only get logoff event log entries (ID 538),
whereas with anon enabled i get the successfull logons (ID 540). in the
web's directory security tab, i have [x] windows authentication enabled.
this is doing my head in ;-(

- thomas



this is pure asp, yep.

if you're right, this would imply asp scripts not being executed
in-process
within the web. i somehow can't believe this... especially as it seems
to
work when enabling anonymous access to the web. i KNOW asp.net runs
within
the web application pool process and its identity. not having the same
possibility for classic asp looks like a bug or design failure to me...
;-(

also, asp not using the "connect as" identity when accessing unc virtual
folders does not make any sense. i just can not (well, i can, but i
don't
want to) give iusr or iwam access to the network shares. this would
other
webs allow to read & write there as well - intolerable.

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

Jeff

 

[Aaron [SQL Server MVP]]

(Where's the damned recall feature.)

 

[Thomas]

Anyway, I'm still not convinced that you are authenticating the way you

think you are when IIS tries to access the other machine. Are you
abslutely
positive that anonymous access is disabled?

well. "[ ] enable anonmyous access" is unchecked. and i'm prompted for login
credentials when browsing the website.

Are you prompted to enter
network credentials, or does this happen transparently (in other words,
you
assume you are authenticating correctly)?

100% - i am prompted for password and stuff ;-)
also i can see on the domain server my login events.

You say that you gave "Everyone" full access on Server2. Well, this only
includes accounts that Server2 knows about. Humor us and add an explicit
local username IUSR_Server1 and synchronize the password with the IUSR
account on Server1.

created user IUSR_TATOOINE on server2. no luck:

Microsoft VBScript runtime error '800a0046'
Permission denied

eventlog on server2 still shows:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x10FB1B4)
Logon Type: 3

- thomas

Umm, whoops, hit reply in the wrong place. Everyone please disregard that
address, and go about your business.

Anyway, I'm still not convinced that you are authenticating the way you
think you are when IIS tries to access the other machine. Are you
abslutely
positive that anonymous access is disabled? Are you prompted to enter
network credentials, or does this happen transparently (in other words,
you
assume you are authenticating correctly)?

You say that you gave "Everyone" full access on Server2. Well, this only
includes accounts that Server2 knows about. Humor us and add an explicit
local username IUSR_Server1 and synchronize the password with the IUSR
account on Server1.

A

security zone) then you should have access. If not, you're not using
the account you think you are.

i did this test and it works just fine - i can login with the domain account
and browse the website. but i cannot access the remote files - the eventlog
still shows the same results. :-(

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

already tried this. there is no activity on the files in question. i
guess
asp therefore can not even access the share (which is configured to give
Everyone full access).

- thomas

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

i can assure you i'm logged in correctly. and as domain admin i also have
enough rights to access any share or file within the network.

when anonymous access on the web is disabled, i get the following eventlog
entries on server2 (where the asp tries to access the files):

ID 538:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF44FFC)
Logon Type: 3

this only happens when anonymous access is turned off.

This seems to indicate you're not passing credentials and logging in
as the account you say you're logged in as.

Try creating a simple HTML file on the web server. Using NTFS
permissions, only allow access to a single user account. Log onto a
workstation with this account and see if you can access the HTML file.
No second server connection involved here. As long as IE is passing
credentials for the server/domain (the domain is in the intranet
security zone) then you should have access. If not, you're not using
the account you think you are.

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

Jeff


once i turn it on and
supply the user information in the iis management console, i get these
entries in the eventlog:

ID 540:
Successful Network Logon:
User Name: iistest
Domain: DOM
Logon ID: (0x0,0xF640E0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TATOOINE

when having anon disabled, i only get logoff event log entries (ID
538),
whereas with anon enabled i get the successfull logons (ID 540). in the
web's directory security tab, i have [x] windows authentication
enabled.
this is doing my head in ;-(

- thomas


this is pure asp, yep.

if you're right, this would imply asp scripts not being executed
in-process
within the web. i somehow can't believe this... especially as it
seems
to
work when enabling anonymous access to the web. i KNOW asp.net runs
within
the web application pool process and its identity. not having the
same
possibility for classic asp looks like a bug or design failure to me...
;-(

also, asp not using the "connect as" identity when accessing unc virtual
folders does not make any sense. i just can not (well, i can, but i
don't
want to) give iusr or iwam access to the network shares. this would
other
webs allow to read & write there as well - intolerable.

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

Jeff

 

[Aaron [SQL Server MVP]]

created user IUSR_TATOOINE on server2. no luck:

Does it have the same password as IUSR on the machine tatooine?

User Name: ANONYMOUS LOGON

AHA! See, your credentials are not being passed. This means that this page
is really not authenticating as you. What does this yield:

Response.Write Request.ServerVariables("LOGON_USER")

A

 

[Thomas]

Does it have the same password as IUSR on the machine tatooine?

yep

AHA! See, your credentials are not being passed. This means that this
page
is really not authenticating as you. What does this yield:

Response.Write Request.ServerVariables("LOGON_USER")

DOM\iistest

my test account with admin rights. the credentials are passed. but that does
unfortunately not proof asp is actually running in this context. if it
would, it could access the files as the account is a domain admin (and yes,
it does have the group policy set "allow logon as service")...

- thomas

 

[Aaron [SQL Server MVP]]

my test account with admin rights. the credentials are passed.

Sorry, but you're going to have to hire a consultant to help you figure this
out, or change your approach. (You mentioned before that it was a cardinal
sin to allow anonymous access to these shares for all your webs, but that is
still limited to the code you place in the folders of your web
applications - in other words, you are in control over what your ASP code
does using Scripting.FileSystemObject... unless you are afraid of what
people can do when they have access to the file system directly, in which
case this is the least of your worries, and if they don't have direct access
to the web server, e.g. with term server, they would have to guess your
share name exists AND that IUSR can access it. Anyway, a file share that is
accessible to one web site on a machine inside your network shouldn't really
have anything on it that is too sensitive for other web apps on the same
machine to have access to it.)

We keep telling you your credentials aren't passed, and you keep insisting
that they are, even though you admit that the ASP page isn't using them.

I give up. <shrug>

A