IIS6 & ASP: accessing network files with FSO fails

[Jeff Cochran]

DOM\iistest

my test account with admin rights. the credentials are passed. but that does
unfortunately not proof asp is actually running in this context. if it
would, it could access the files as the account is a domain admin (and yes,
it does have the group policy set "allow logon as service")...

You're logging into server 1 fine, there's still something goofy about
permissions to the second server though. IISTest is a domain user,
correct? And it has permissions on server 2 for the
files/folders/share in question, correct? And remember, "Everyone: is
just a group. It isn't necessarily every account on the system.

This is using a UNC convention for the virtual directory pointing to
server 2's share, correct? As in \\server2\sharename? If you log
onto server 1 as the user, can they connect to the share with a NET
USE or just browsing in Windows Explorer?

I gotta say there's something we're missing here. This just isn't
that hard to do. Make sure you're hitting all the steps:

HOW TO: Create a Virtual Directory on an Existing Web Site to a Folder
That Resides on a Remote Computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;308150

Jeff

 

[Thomas]

Sorry, but you're going to have to hire a consultant to help you figure

this
out, or change your approach.

*cough*cough* i'm one of those consultants ;-)

(You mentioned before that it was a cardinal
sin to allow anonymous access to these shares for all your webs

no, the shares are not the problem, they are firewalled. the problem is the
web itself cannot be given anonymous access. if i could give it anonymous
access, i could specify the anon user and everything works. but this web
contains sensitive data that has to be protected. but once anon access is
turned off, the asp scripts stop working.

We keep telling you your credentials aren't passed, and you keep insisting
that they are, even though you admit that the ASP page isn't using them.

thats exactly my point! the asp engine is falsely NOT using the credentials
even if it should. it is obviously running in a security context that has no
access to the network files.

give up. <shrug>

thanks for trying. ;-)

- thomas

 

[Aaron [SQL Server MVP]]

*cough*cough* i'm one of those consultants ;-)

Whoops. Better get another book.

no, the shares are not the problem, they are firewalled. the problem is the
web itself cannot be given anonymous access. if i could give it anonymous
access, i could specify the anon user and everything works. but this web
contains sensitive data that has to be protected.

Then have a job move/copy the stuff that this web needs to access to a place
that isn't so sensitive!

A

 

[Thomas]

You're logging into server 1 fine, there's still something goofy about

permissions to the second server though.

IISTest is a domain user, correct?

yes it is. currently belonging to Domain Administrator

And it has permissions on server 2 for the files/folders/share in
question, correct?

yes. the folders & files have explicite rights "Full Control" for this
domain user
yes. share has explicit rights "read" and "write" for this user.

This is using a UNC convention for the virtual directory pointing to
server 2's share, correct? As in \\server2\sharename? \\10.1.1.2\dns$\dns.log

If you log onto server 1 as the user, can they connect to the share
with a NET USE or just browsing in Windows Explorer?

both works fine.

I gotta say there's something we're missing here. This just isn't
that hard to do. Make sure you're hitting all the steps:

i thought so too. but so far i haven't found the missing step.

HOW TO: Create a Virtual Directory on an Existing Web Site to a Folder
That Resides on a Remote Computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;308150

i followed this kb entry. i can successfully *browse* the files in internet
explorer through this vf (by directly specify the url). but as soon as i use
an asp script that reads from this virtual directory, i'm hitting the
annoying "permission denied" stuff again.

i really think there is a (design?) fault with credentials when the web has
no anonymous user. i can't find another pausible explanation...

- thomas

 

[Thomas]

Then have a job move/copy the stuff that this web needs to access to a

place
that isn't so sensitive!

true, or i could just use apache... ;-)

i know there are workarounds for the problem. the simplest would be to just
allow anon access in iis and then force authentication in the asp files. but
somehow i think my problem should be solvable... i can't be the only person
that tries to access remote files through an asp script within a secured
website...

- thomas

 

[Aaron [SQL Server MVP]]

true, or i could just use apache... ;-)

Why don't you? Seriously, if you can't solve the problem and you can't work
around it, you should at least offer the client SOME solution.

somehow i think my problem should be solvable... i can't be the only person
that tries to access remote files through an asp script within a secured
website...

No, I have done this in multiple environments, so there's something not
getting relayed correctly, or there's something involved that you're just
not aware of.

Again, without being able to SEE the environment and verify what you've told
us, I'm unconvinced that everything is as you say it is, and I'm still
giving up.

 

[Chris Hohmann]

after spending countless hours trying, i give up and hope to get some help
in here.

on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
trying to read a file from an UNC path with a FSO:
Set myFile =
Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
this fails with an Permission Denied.

here's the deal:
- server1 & server2 are members of a domain
- iis6 is used with asp (not .net)
- myweb.com runs in the context of a domain user (my admin account even,
for testing purposes)
- the unc share has full rights to Everyone
- the file permissions on server2 are set to full rights to Everyone
- i can successfully read the file *with the same code* in a test.vbs
- if i set up a virtual folder to the unc path using "connect as" within
the iis6, i can browse the remote files with my webbrowser - but the asp
code still fails.

this is driving me crazy. all howtos, posts and pages i found tell me to
run the web as a domain user with sufficient rights -- this is what i'm
doing, but it just won't work!

any help is greatly appreciated!
- thomas

I suspect you may be encountering the double-hop authentication issue.
Basically, NTLM does not support double-hop authentication because it only
ever deals with a hash of your authentication info. A quick way to see if
this is a double-hop issue is to disable NTLM and enable basic
authentication. Basic authentication will work because the actual
username/password get sent.

IMPORTANT! Basic authentication by itself is not a secure methodology as the
authentication info is sent in clear text across the wire.

As such you have to options:
1. Use basic authentication wrapped in SSL

OR

2. Enable keberos delegation. Here's a white paper on the topic.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

 

[Thomas]

YES!

you're right. having only basic authentication enabled solved my problem.
the asp scripts work as they should! i wasn't aware that basic
authentication would work without ntlm.
the securtity aspect of using basic authentication only is already solved by
having everying in a secure vpn.

thanks very much - now i can sleep in peace again ;-)

- thomas

 

[Thomas]

unchecking "[ ] integrated windows authentication" did the job. thanks
everyone for helping me here, especially chris hohmann for pointing out the
"double-hop authentication issue"!

- thomas

 

[Aaron [SQL Server MVP]]

Good catch Chris. You should ask for a chunk of his consulting fees.

 

[Chris Hohmann]

Good catch Chris. You should ask for a chunk of his consulting fees.

Thomas should feel free to direct all consulting fees here:
http://aspfaq.com/donate.asp

;-)

 

[Aaron [SQL Server MVP]]

Nice.

Thomas should feel free to direct all consulting fees here:
http://aspfaq.com/donate.asp

;-)

 

[Thomas]

unfortunately i'm not hired at the moment, the problem came up in one of my
countless personal projects. nevertheless i'll trow in a little something,
after having paid my psychiatrist... after this session i need some
professional support...

j/k

- thomas

 

[Bernard]

it's always recommended to use UNC rather than mapped drive.
Using Mapped Drives with IIS
http://support.microsoft.com/?id=257174

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

 

[Aaron [SQL Server MVP]]

Thanks Bernard. As I said, I was just throwing out ideas to help diagnose
the problem, not recommending a solution.

 

[Bob Barrows [MVP]]

YES!

you're right. having only basic authentication enabled solved my
problem. the asp scripts work as they should! i wasn't aware that basic
authentication would work without ntlm.
the securtity aspect of using basic authentication only is already
solved by having everying in a secure vpn.

Everyone thinks that, but they fail to consider that a large percentage of
hacks are perpetrated by disgruntled employees and ex-employees. There is
also the "social engineering" aspect to watch out for (see Google).

Bob Barrows

 

[Thomas]

true. but as only 2 persons (besides me) have access to that vpn, i would
notice someone going astray ;-)

my security concerns are more on outsiders (e.g. web owners with their webs
on the same machine as the one in question) might want to try to sneak
things out. if i had to give IUSR_ share access, that could IMO have been
quite easily done by a malicous user.

- thomas