I'm referring to this link as I have to write a file from one server to another. I'm trying to create a custom domain account on Windows Server.
I have done all as told in the link however when I browse the site I get the following error:
I was referring to the following link for the error.
However, no success yet.
I get this error when I authorise my network service for the application pool:
Access to the path '\\servername\c$\fromvini\abc.text' is denied.
To be able to read the file on the remote computer you have two ways.
First way - both computers have the same account.
Both computers must have the same user name and password.
On the IIS server that runs the site, you place that account to run the pool of that site. Do not make this account a service account, but you need to correctly set up the site directory to be able to run.
On the remote server you let the share connection be seen by this account, but you also change the credentials of the directory and the files to give permission to that account.
Second way - open the file with a different login than the pool.
The site runs under whatever pool it uses, maybe a service account; we do not care.
Set up on the second server the user name / password that you are going to use on the first one.
You open the share of the files, and change the file permissions for that account.
You use the Impersonator to run the file access under the other user.
for example:
using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
{
//... read the file
}
and one full example: http://forums.asp.net/t/1840443.aspx/1?How+to+copy+file+from+network+share+in+VB
I have an MVC web application that is supposed to allow users to download files that are stored as UNC paths in a database. These files can be in any number of locations on remote servers/shares.
E.g. Server 1 hosts the web application that is used to download a file stored on Server 2
I do not want to give permissions to these folders to the hosting service account, as the security should be dependent on what the user has access to. Therefore, I'm attempting to use Impersonation to retrieve the file.
When I debug on my local machine, everything works great. It impersonates my user and downloads the file.
When I deploy to my test server, I'm getting the following error:
Access to the path '\\Server2\SharedFolder\somefile.txt' is denied
I've tried various pieces from this Microsoft link, but am not having much luck.
Scenarios I've tried:
Just giving the permission to the service account of the AppPool works fine, but as I said, isn't ideal
Implementing the Impersonate a Specific User in Code from the above article, which works perfectly with a hard-coded user and password. This situation is also not ideal.
Implementing the Impersonate the Authenticating User in Code from the above article. This seems to be exactly what I need, but this is what generates the Access Denied error.
The Code that I want to work:
System.Security.Principal.WindowsImpersonationContext impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
try
{
    //Code to read all bytes from the file path
}
finally
{
    impersonationContext.Undo(); // always revert, even if the read throws
}
I have logging, and System.Security.Principal.WindowsIdentity.GetCurrent().Name after the impersonation does return the intended user (my account instead of the service account), so it does appear to be working.
I thought maybe it was a double-hop thing, so I have also added SPNs for the server and the service account, making sure their Delegation in AD was set to allow for any service. That hasn't helped either.
This question seems to have the exact same problem as me, but there's no follow-up on what the final solution was. I did try the Process Monitor part, but it didn't help at all.
I'm at a loss to why Impersonation seems to be working, but I'm denied access to a file on a second server.
Update 1
I've played around more with my IIS settings and trying to get Kerberos properly set up. The only thing enabled in my IIS Authentication is "Windows Authentication".
When I spit out details after my Impersonate() call, I'm finding that ImpersonationLevel = Impersonation.
Is that how it should be, or should that be returning Delegation?
It would seem the issue was mostly due to my setup with Kerberos and SPNs. I undid all my settings and re-registered my service account, and the Impersonation ended up working properly.
The issue now is that it only seems to work with Internet Explorer. Chrome and MobileIron are doing something different that prevents the ImpersonationLevel of Delegation. That's a whole other question...
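The update above asks whether the token should report Impersonation or Delegation. As an added example (not code from the question or its answer), this MVC action checks the level of the authenticated user's token before touching the share and fails with a clear message instead of a bare "access denied"; the controller name, the share root and the allow-list check are assumptions for the illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web.Mvc;

// Added example. With Windows Authentication the token IIS hands the app is
// at best Impersonation level; reaching a share on a *second* server (the
// double hop) needs a Kerberos-delegated token, which reports Delegation.
public class ShareController : Controller
{
    // Assumed root of the share the application is allowed to serve from.
    private const string ShareRoot = @"\\Server2\SharedFolder\";

    public ActionResult Download(string uncPath)
    {
        // Normalise and allow-list the path so user input cannot escape the share.
        string full = Path.GetFullPath(uncPath);
        if (!full.StartsWith(ShareRoot, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(400, "Path not allowed");

        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return new HttpStatusCodeResult(401);

        // An Impersonation-level token only proves identity to the local box;
        // the file server on the second hop would see an anonymous connection.
        if (identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return new HttpStatusCodeResult(403,
                "Token level is " + identity.ImpersonationLevel +
                "; Kerberos delegation (SPN + AD delegation) is required for a remote share");

        byte[] data;
        WindowsImpersonationContext ctx = identity.Impersonate();
        try
        {
            data = File.ReadAllBytes(full);
        }
        finally
        {
            ctx.Undo(); // always revert to the pool identity, even when the read throws
        }
        return File(data, "application/octet-stream", Path.GetFileName(full));
    }
}
```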
I'm trying to get my MVC app to write a simple text file to another server using System.IO.File.WriteAllText. (A separate process is looking in that folder for text files to grab.) It works fine when debugging on my local machine, but when deployed to IIS on a test server, I always get this error when trying to write the file:
Access to the path '\\server\C$\folder\subfolder\file.txt' is denied.
The answer to at least half a dozen similar questions here on SO was to give the application pool identity account access to that folder. However, the app pool on IIS was already running under a service account that had full permissions to the desired folder but was still getting the error. I even tried changing the app pool to my own account (the one used successfully in debugging) and still get the error.
Anonymous access is turned off, and Windows Authentication is turned on (part of the file.txt is info from the user's AD account). I have tried accessing the app with several AD accounts, both with and without access to \\server\C$\folder\subfolder\ but they all give the same error.
I don't see how the app can be running under an authorized account, and the user can be logged in to the app with an authorized account, but still get the access denied error. Is there any way to get more info about specifically what access is denied or which account is actually being denied? Anything else I'm missing here??
You need to check whether other processes already have the file open, e.g, "A separate process is looking in that folder for text files to grab" - perhaps this separate process already has the file open and is therefore locking out your IIS process? Use Process Monitor (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) to monitor activity on the file.
Also you give the file location as '\server\C$\folder\subfolder\file.txt'. UNC paths normally begin with a '\\', e.g., '\\server\C$\folder\subfolder\file.txt'. That may just be an artefact of StackOverflow escaping the double slash to a single slash.
As a simple test, can you use notepad with your own account to open the file in the error message and write to the file? What if you use the application pool identity account?
Edit: You run Process Monitor on the server that has the file location. Add a Path filter like this:
Path excludes file.txt then Exclude
Where file.txt is the file name (without the directory) of the file you are monitoring. This filter will only capture events for that file and will exclude everything else. Once an event occurs, right click it, and go to Properties, Process to see the User initiating the event.
First of all, you can try to give write rights to the IUSR user on the folder in which you want to write your text file.
There is a way to imitate a user in your ASP.NET application by using the Impersonate tag in your web.config file, but I think this can be dangerous.
<identity impersonate="true" userName="nomducompte" password="motdepasse" />
I hope this helps.
I have an intranet web application developed using C# and .NET and it is hosted on our own internal webserver running IIS 8.5.
I have set up the application pool to use the built-in account ApplicationPoolIdentity and this works fine.
However, I need the application to be able to browse a network drive, so I have changed the application pool to use a custom account that has access to the network drive. I know it has access as I am using my login details here.
But when I browse to the website I get the following error:
Service Unavailable
HTTP Error 503. The service is unavailable.
When I recycle the application pool with these new settings I get the following error:
There was an error while performing this operation Details The object identifier does not represent a valid object. (Exception from HRESULT: 0x800710D8)
I have also tried using the server admin account but I get the same error messages.
Thanks
Edit
The following message is in the event log
The identity of application pool TestApplicationPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
Try granting the user account permissions to access the required asp files and folders, from a command prompt
aspnet_regiis -ga "Domain\SomeAccount"
https://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.100).aspx
Also allow the account to logon as a service:
Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a service
Also add the account to the IIS_WPG Group
In the Computer Management screen, under System Tools, expand Local Users and Groups, and then click Groups.
Right-click the IIS_WPG group, and then click Add to Group.
In the IIS_WPG Properties dialog box, click Add.
https://msdn.microsoft.com/en-us/library/aa544832(v=cs.70).aspx
The group is called IIS_IUSRS in newer versions of IIS.
You may also need the following:
Access this computer from the network
Adjust memory quotas for a process
Allow log on locally
Bypass traverse checking
Generate security audit details
Impersonate a client after authentication
Log on as a batch job
Log on as a service
Replace a process level token
Don't forget to remove the custom account from the "Guests" group in Local Users and Groups
I have deployed an ASP.NET MVC web application on an IIS 8 server inside a virtual machine (Windows Server 2012 R2).
An Azure file storage is mapped as a network drive in this Windows Server 2012 R2 virtual machine.
Now my ASP.NET MVC web application needs to read the files and folders of this mapped drive by C# System.IO code. By default IIS is not allowed to access mapped drives.
That's why the web application is throwing a System.IO exception "Could not find the specified path Z:\". I also tried to pass "\\\\{storage-name}.file.core.windows.net\\{fileshare-name}" but still no success.
Can someone guide me with the correct configurations and settings which I should do inside IIS and the web application?
Finally, I succeeded in accessing the mapped network drive through the IIS server.
I performed the following steps.
Create a new user account on VM.
The user name for this new account will be the Storage Account Name
The password for this user will be Storage account key which ends with "=="
After creating this new user account I changed the account type for this user to Administrator
Go to My Computer OR This PC
Attach the network drive with the help of Map network drive.. option.
Open IIS Manager window, go to Application Pools
Select the application pool which is being used by your web application (in my case it was DefaultAppPool) and click on Advanced Settings... from the right side pane.
Change the Identity for this application pool with newly created user account name and password.
Set Load User Profile to true.
Click OK to save changes.
Click on Recycle link from right side pane to refresh the selected application pool.
Now select your web application which is under Default Web Site.
Click on Basic Settings... to open Edit Site dialog box.
Make sure that the Application Pool name is correct.
Click on Connect as... button and select Specific user radio button and then set the credentials with this newly created User name (Storage account name) and password (Storage account key).
That's it. Now you can simply write standard C# IO code to access the directory and files of the mapped drive. Here is a sample.
var allDirs = Directory.GetDirectories("\\\\<storageaccountname>.file.core.windows.net\\<storagefileshare>");
ViewBag.Items = allDirs;
Make sure that you access the files and folders by UNC path format only, just like I have done in above code.
I have an intranet application that needs to write a text file. That text file needs to live on a network share folder. I am accessing it via the UNC name "\\fileserver\subfolder\TEST.txt" and am of course running into the dreaded "Access to path denied" error.
My intranet web site is running on IIS 6. I have another application on the intranet that needs to be able to access the logged on user's account using Request.ServerVariables["AUTH_USER"]. I have found that this will not work if I enable anonymous access to the site. I'm using integrated Windows authentication. What can I do to enable write access to my network share folder for the web application? I'm thinking I can't use impersonation without breaking my other app. Can I do something to just this portion (folder) of my site that won't affect my other app?
I'll need step by step what to do in IIS and/or on the folder settings for the network folder I'm trying to write to to get this to work.
A bit of a hack would be to impersonate in the part of the code that writes to the file, i.e. you switch to a user that has enough permissions to write to the file.
There is a small Impersonator helper class that you can use to do this like e.g.:
...
using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
{
...
<code that executes under the new context>
...
}
...
The drawback of this approach is that you somewhere have to store the username and password, either hardcoded in your code or inside e.g. your web.config file. Both things could be bad from a security point-of-view.
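The Impersonator helper referred to in the first answer on this page and in the one just above is not shown anywhere on the page. This is an added example of a minimal equivalent (not the answers' class and not from any project the page names): it logs on with LOGON32_LOGON_NEW_CREDENTIALS, which keeps the pool's local identity and applies the supplied credentials only to outbound network connections, so the account needs share and NTFS permissions on the file server but no local logon rights. It addresses the drawback above by reading the credentials from the environment rather than a string literal; the environment variable names and the NetworkCredentialScope name are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example (requires .NET Framework 4.6 or later for RunImpersonated).
// The thread keeps its own identity for local work; only SMB/network access
// authenticates as domain\user, which is the "second way" the first answer describes.
public static class NetworkCredentialScope
{
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // network-only credentials
    private const int LOGON32_PROVIDER_WINNT50 = 3;      // required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs 'work' while outbound connections authenticate as domain\user and
    // reverts the thread afterwards, even if 'work' throws.
    public static T Run<T>(string domain, string user, string password, Func<T> work)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // e.g. bad password

        using (token) // closes the token handle on every exit path
        {
            return WindowsIdentity.RunImpersonated(token, work);
        }
    }

    // Assumed usage: credentials supplied by the deployment (environment here;
    // a DPAPI-protected web.config section works the same way), never hard-coded.
    public static string ReadRemoteText(string uncPath)
    {
        string domain = Environment.GetEnvironmentVariable("SHARE_DOMAIN");
        string user = Environment.GetEnvironmentVariable("SHARE_USER");
        string password = Environment.GetEnvironmentVariable("SHARE_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("share credentials are not configured");
        return Run(domain, user, password, () => File.ReadAllText(uncPath));
    }
}
```

Because the credential is only used for the network hop, the same call also fits the Azure Files answer above (storage account name and key as user and password) without making that account an administrator or the pool identity.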