We have a customer with multiple servers. Let's say the important ones are ServerX - their current production web server, ServerY - their share server, and ServerZ - their new web server they are trying to move to. Today, the .net application on ServerX uses an IIS7 virtual directory to point to a share folder on ServerY. I set up ServerZ's IIS virtual directory as exactly as I could to look the same (same Physical Path, Credentials, Logon type). But the Fileupload.SaveAs(...) method keeps failing with the message "System.UnauthorizedAccessException: Access to the path '\[ServerY][Share]\file.png' is denied."
I have checked permissions. Both ServerX and ServerZ's apppool identity is network service. The share was set up with full access to "Everyone." I even specified Network Service and the Credentials account to have access. The folder is not read only and, again, the site running on ServerX operates saves fine.
To add to my confusion, the application on ServerZ can read and open files from the virtual directory. It only has issue when I try to save a new one. And when logged into ServerZ with the Credentials used for the Virtual Directory, I can create/save files.
I should specify two more things:
I had to do some work to get ServerZ on Active Directory. Maybe I missed something in that step that would only affect the application?
Both ServerY and ServerZ are Server 2012 instances. ServerX is Server 2008.
Let me know if you have any other questions or suggestions. Thank you
Related
I have an application developed using ASP.NET Web API deployed to a site in IIS. Recently the application began crashing during initialization due to an exception saying that it could not access a particular folder (where it writes logs to). The app pool being used by the site uses a domain account and I verified that that account has full permissions on the folder, just as it always has. What wound up fixing the problem for me was to specify the username and password of a user who has access to the folder in the site's Physical Path Credentials field. Previously this had been set to "Application user (pass-through authentication)".
What could have changed in the application or IIS configuration to suddenly require this field to be set?
It turns out that this came down to a permissions issue. Write permissions on the folder for IIS_IUSRS got changed from Allow to Deny. After switching that back to Allow, I can remove the Physical Path Credentials setting.
My internal web app is on server //tom... but i need to upload a file from server //jerry..
while fileupload.saveas works just great to bring the file locally on //tom, when i try to send it back to //jerry, it tells me that access is denied. I tried to give permissions to //jerry/users to do everything but still nothing.
what is the user/group that a web app resting on //tom would be ?
in my code behind i even tried FIle.Copy (..). file.move etc.. but it tells me that access is denied to that particular file from //jerry...
what can i do ?
PS: when i run the web app locally (localhost), everything works just fine, the problem happens only when i go live...
This sounds like a permissions issue. When you run the app locally, it's most likely running under your account but on the server it usually defaults to the NetworkService account, which probably isn't in the network domain. You'll likely need to create a domain account to run your application under, either that or impersonate the user's domain account if they have access to the directory.
In my ASP.NET application I have to show some images. Actually these images saved in some other server. In my database I have the file path. I need to access file from remote server to my application. How can I do that? I am using the following code
imgFiles = Directory.GetFiles(strFullPath,
strPkStock + "_*",
SearchOption.TopDirectoryOnly);
But this throws an error saying "Access to the path denied"
You have to have file system access on other server to do this and I am sure you will not have it.
The shortest way to get it done is, publish the images folder from other server and use the url of the images to access it rather then file system path. This way, your asp.net application will be able to easily access these images. In fact, it will be the client browser which will directly access these images from the other server, you will just change the src of images.
Murtuza Kabul's suggestion to access files over HTTP/HTTPS is probably easiest approach. You may use HTTPS with client ceritficates to prevent other users/machines to read files from the same HTTPS server.
If you want to access files directly on other server's shared folder you need to make sure that code that accesses files runs under account that have at least read permissions for that shared folder.
Note that default configuration (where code runs under either special anonymous account or calling user's credentials) account that code runs under will not have permissions on other servers (anonymous becuse it is local account, user's due to restrictions on delegation also called "NTLM one hop hell").
Your easiest bet is to run app polls under some account that have permissions on other server and de-impersonate current user to process account. You can also explcitly impresonate some account to access remote files.
I am using a Tree View Directory browser in my application. I am using
DirectoryInfo.GetDirectories()
DirectoryInfo.Getfiles()
My requirement is that I need to browse the server folders from client with this. I am able to access shared drives also from the same machine. I hosted the site in IIS6 in a virtual directory. When I try to access the shared drive from the client I dont find it. Do we have to do something in IIS? I tried giving IdentityImpersonate="true" but still getting same problem.
This is a double hop problem. The IIS server would have to do delegation to move your credentials across 2 hops, (your machine to IIS - IIS to file share). Configuring delegation is a tricky process, but I haven't tried in a while, maybe the diagnostics have improved. Normally you follow the delegation instructions and still get access denied.
The easier solution is to use explicit credentials to go from IIS to the file share. The down side to this is that you have to specify username and password of a windows account somewhere in your web.config or source code.
I have a winforms, and it connecting wit webservice.
Webservice has method which create folder
Directory.Create(path);
Webservice is at company server, and this folder must me create at another disc in out company.
When I invoke this method, i get exception "Access denied to path..."
When webservice was running at my computer everything was ok.
I have full access to this network disc.
But how to set full access to my company server??
When I check this method:
[WebMethod]
public string GetNameOfUser()
{
return WindowsIdentity.GetCurrent().Name;
}
I get <string>NT AUTHORITY\NETWORK SERVICE</string>
Rest of webmethods without directory instructions working properly
Edited Structure
Computer A is in domain and there is running win forms
Server A : there is running webservice
Network disc: there are folders with important files for winforms application
yes, we have a domain.Computer A has access to network disc.
As I understand, your application tries to create a folder which resides on a different server than the web application.
Your web application is running under a local account NT AUTHORITY\NETWORK SERVICE. In order to access a network share you need it to be running under an account available on both machines, for example a domain account.
If both the web server and the server with the network share are on a domain, you can:
Create a domain account
Grant the account write access to the parent folder where you want to create new folders
Make the Application Pool on your web server run under the domain account
This will should let your web application create foldera on the other server.
When you were running your web-app on your own machine, it worked onder your own account, therefore it could create directories.
On the server the app runs under an account with very low rights.
If you want to create those new directories below a specific fixed directory, you can allow that server account to modify that particular directory.