Access Denied to share with anonymous access disabled


Access Denied to share with anonymous access disabled cis042000 NO[at]SPAM yahoo.com
4/26/2005 4:54:55 PM
iis security:
My asp.net app is trying to access a local share on my server. The
share and the server are on the same box. To begin with, I gave the
ASPNet local user account full access to the share. Then I enabled
anonymous access with integrated windows security on the web site. It
works like a charm. Disable anonymous access with integrated windows
security and I get the error listed at the bottom of this message. As
a test case, I wrote a small test harness to display the current
identity (WindowsIdentity.GetCurrent().Name). With anonymous access
enabled it displays the IUser account. When anonymous access is
disabled it shows my user name. My user account has access to the
share and still gets the error. Does anyone know what I'm doing wrong?

System.UnauthorizedAccessException: Access to the path
"\\CorpServer\Applications\appFRSQA\ReportShare\0616200641342PM.txt" is
denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share, Int32 bufferSize, Boolean useAsync, String
msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess
access, FileShare share, Int32 bufferSize)
at System.IO.StreamWriter.CreateFile(String path, Boolean append)
at System.IO.StreamWriter..ctor(String path, Boolean append,
Encoding encoding, Int32 bufferSize)
at System.IO.StreamWriter..ctor(String path)
at Hca.Tcs.Service.Report.Helper.WriteAuditFileData(SqlDataReader
dataReader, AuditFileReportHeader reportHeader)
Re: Access Denied to share with anonymous access disabled David Wang [Msft]
4/26/2005 9:16:44 PM
Does your user account have access through BOTH the Share's ACLs as well as
actual NTFS ACLs on the directory itself?

If the scenario works if you change it to Basic authentication instead of
Integrated Windows authentication, then you are looking at the classic
"double hop" situation (even though you short-circuit it right now) and the
fact that NTLM does not delegate. You will need to use an authentication
protocol (like Basic [insecure] or Kerberos) that delegates in order to
access "shares" remotely. The logic behind it is simple. If you log onto a
server, why should the server automatically be able to use your credentials
to access some other network resource? In other words, do you believe that
when you log onto a server, the server should automatically be able to use your
credentials to debit money from your bank account on another network
resource?

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
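
The identity check from the first post, extended as an added example (not code from either poster) to also report the authentication package and token impersonation level, then retry the failing write. `DoubleHopProbe`, its method names, the probe file name and the `sharePath` parameter are hypothetical; the `LooksDelegable` rule is a heuristic assumption, and `TryWrite` is the actual test.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added diagnostic example; class and method names are hypothetical.
public static class DoubleHopProbe
{
    // Heuristic (assumption): a token at Delegation level, or a primary token
    // (reported as None), can be presented to a second machine. A token at
    // Impersonation level, which an NTLM logon yields, is valid only locally.
    public static bool LooksDelegable(TokenImpersonationLevel level)
    {
        return level == TokenImpersonationLevel.Delegation
            || level == TokenImpersonationLevel.None;
    }

    // Name alone is not enough: the same user name can sit on a token that
    // cannot leave the web server.
    public static string Describe(WindowsIdentity id)
    {
        return string.Format(
            "name={0} authType={1} level={2} looksDelegable={3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel,
            LooksDelegable(id.ImpersonationLevel));
    }

    // Repeat the operation from the stack trace (StreamWriter on a UNC path)
    // under the current thread identity. sharePath is supplied by the caller.
    public static string TryWrite(string sharePath)
    {
        string probe = Path.Combine(sharePath, "doublehop-probe.txt");
        try
        {
            using (StreamWriter w = new StreamWriter(probe))
                w.WriteLine("probe");
            File.Delete(probe);
            return "write OK";
        }
        catch (UnauthorizedAccessException ex)
        {
            return "access denied: " + ex.Message;
        }
        catch (IOException ex)
        {
            return "I/O error: " + ex.Message;
        }
    }
}
```

Call `DoubleHopProbe.Describe(WindowsIdentity.GetCurrent())` and `DoubleHopProbe.TryWrite(...)` from a page in the affected site, once per authentication setting, and compare the output lines.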

Re: Access Denied to share with anonymous access disabled Billnitro45
5/11/2005 12:00:00 AM
Quick question in response....

I have IIS 6 running. I set up a new website. The home directory points
to a network share \\server\sharename. Share and NTFS permissions are set up
correctly. I want to use IWA to connect but it fails with HTTP Error
401.3 - Unauthorized: Access is denied due to an ACL set on the requested
resource. If you go to properties of your website and select the Home
Directory tab you will see the "Connect As..." button. The Connect As
button's default setting is to always use the authenticated user's credentials.
Why wouldn't this work? Is it a problem using NTLM to authenticate (we are
still in an NT 4.0 domain)?

Thanks for the help!

-Jeff




Re: Access Denied to share with anonymous access disabled David Wang [Msft]
5/13/2005 2:19:30 AM
Please read this URL for details on how to correctly configure what you are
trying to do.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

The short answer is that for security reasons, you cannot double-hop with an
IWA credential unless you set up protocol transitioning. Exactly the same
reasoning as I've stated earlier.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//