I am trying to access files from a shared folder (FTP location) in an ASP.NET application. It works fine from Visual Studio. When I deploy the same application to IIS 7, I get the following error:
"Logon failure: the user has not been granted the requested logon type at this computer."
Stack Trace:
[IOException: Logon failure: the user has not been granted the requested logon type at this computer.]
   System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) +9723522
   System.IO.FileSystemEnumerableIterator`1.CommonInit() +245
   System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler) +556
   System.IO.DirectoryInfo.InternalGetFiles(String searchPattern, SearchOption searchOption) +64
   System.IO.DirectoryInfo.GetFiles() +14
   ......
My application pool is running in NETWORKSERVICE mode.
To which user in IIS do I need to give permission for accessing this folder? Is it IUSER or NT AUTHORITY\NETWORK SERVICE? How can I identify the current running user in IIS?
The reason the connection is refused is most likely a Group Policy which disallows access to that service by the user running the IIS service.
I would not want to give any of those system users permission to access a network resource. Other computers could potentially connect as well.
Instead - make your program authenticate with a guest account or another account which you create and give the appropriate permissions.
I would say that it would be a more secure approach.
You may be trying to log on interactively to a computer you can only access over a network, or vice versa.
Change your logon location. Try to log on either locally (interactively) or remotely (over the network), as appropriate. You may want to ask the person who administers computer security to change the security database so you can log on either locally or remotely.
To debug - look at Environment.UserName at the moment of the exception. It will be either the user that initiated the request OR the anonymous user.
To fix: if local files - granting permissions may be OK. If remote and using the user's impersonated account - you need to impersonate with another account that has permissions on the remote machine, as you can't use an already impersonating account to access a remote resource ("NTLM one hop").
Note: make sure you review security requirements when allowing access to files.
Related
I wanted to write the log to the server. The following code is going to create a log file and record the details.
private Log in_log;
in_log = new Log(logfolder + call_date.ToString("yyyyMMdd") + "\\" + call_number + ".log");
But I got an exception.
Access to the path '\\10.50.96.221\inbox\messagelogs\20131105\HZ1_20131105132956319_59.log' is denied.
However I can access the folder \\10.50.96.221\inbox\messagelogs\20131105.
My permission is "Administrators;Remote Desktop Users".
What is wrong?
The Windows service runs under its own user. Verify that that user has access to the remote just as your user has. Or change the user to be your user when the service runs.
Your computers are not on a Windows domain, so you have two options, only 1 of which I have confidence will work:
1. (This works 99% of the time) Grant "All Users" write permission on the folder.
2. (Never tried it but in theory it should work) In the properties of the service, go to Login, choose "This Account" -> Browse -> Locations. If you see the server computer there you should be able to choose that location and add the admin account from the server as the user the service runs under.
I simply have a Web API application on an IIS server that simply writes to a text file at C:\FileStorage\test.txt. However, when I call this web service I get an internal 500 error. After expanding the error, I get the following. How do I grant write access to this web service on the IIS server?
"ExceptionMessage": "Access to the path 'C:\\FileStorage\\test.txt' is denied.",
"ExceptionType": "System.UnauthorizedAccessException",
"StackTrace": " at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)\r\n at
Grant permissions for that folder to the application pool. So you'd go to the C:\FileStorage folder in Windows and edit permissions, and add IIS APPPOOL\appPoolNameHere as a user, then give it full permissions.
Hope that helps.
EDIT
Step by Step Instructions...
-Open Windows Explorer
-Browse to your folder
-Right click the folder and go to Properties
-On the Security tab click Edit
-Click Add
-Under Locations, make sure it is pointing at your local machine, not a domain
-For the object name, enter below but replace MyAppPool with the name of your application pool...
IIS APPPOOL\MyAppPool
-Set the permissions to Full, or just add Write, or whatever you need.
Or you can replace APPPOOL with the name of your server or computer, together with IIS_IUSRS.
example:
yourserver\IIS_IUSRS
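The same grant done in code, as an added example that is not part of the original answer. It assumes .NET Framework on the IIS server and an elevated process, reuses the answer's placeholder pool name MyAppPool and the question's C:\FileStorage folder, and grants Modify rather than Full Control, which is enough to create and write files:

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class AppPoolAcl
{
    // Adds an inherited Allow/Modify rule for IIS APPPOOL\<appPoolName> on a folder.
    public static void GrantModify(string folder, string appPoolName)
    {
        // Resolve the virtual account first: Translate throws
        // IdentityNotMappedException if no such application pool exists,
        // so a typo never ends up as an orphaned entry in the ACL.
        var account = new NTAccount("IIS APPPOOL", appPoolName);
        var sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

        var dir = new DirectoryInfo(folder);
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            sid,
            FileSystemRights.Modify,                   // read, write, delete; no ACL or owner changes
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }

    public static void Main()
    {
        const string folder = @"C:\FileStorage";       // folder from the question
        GrantModify(folder, "MyAppPool");              // placeholder pool name from the answer

        // Print the resulting ACL so the grant can be reviewed.
        var rules = new DirectoryInfo(folder).GetAccessControl()
            .GetAccessRules(true, true, typeof(NTAccount));
        foreach (FileSystemAccessRule rule in rules)
        {
            Console.WriteLine("{0,-40} {1,-6} {2} (inherited: {3})",
                rule.IdentityReference.Value, rule.AccessControlType,
                rule.FileSystemRights, rule.IsInherited);
        }
    }
}
```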
I have an MVC web application that generates Excel and PDF reports (using Crystal) using .xlt and .rpt templates. It generates the reports without a glitch when I place the templates on the web server itself, but once I place the templates in a remote location I get an Access Denied error, which I found out through Process Monitor, screen shot below.
When I manually browse the remote folder through Explorer from the server it's all OK and I can open the files I need; it just fires the access denied error when it's the server reading the files. My web application is using the ApplicationPoolIdentity in Integrated Pipeline. Authentication is through impersonation and Windows Authentication. What makes it even more confusing is that the user who runs the Excel templates is myself but I get the access denied, while the user used in generating the PDF is IIS Apppool.
Does anyone know how to resolve the access denied issue? I already tried giving all users full access on that folder but it still does not work.
ADDITIONAL INFO
I am using IIS 7.5. I also checked on the file server where the share is; in the Event Logs the user registered is not me but has the following details:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x90eb7c7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: MYWEBSERVER
Source Network Address: 10.10.10.01
Source Port: 00000
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
UPDATE
I need to use ApplicationPoolIdentity in this instance, so I am looking for a solution that can still use ApplicationPoolIdentity.
ANOTHER UPDATE
I tried @David's suggestion below and now I get the same error message:
System.Runtime.InteropServices.COMException (0x800A03EC): Microsoft
Excel cannot access the file '\MyServer\Templates\MyTemplate.xlt'.
There are several possible reasons:
• The file name or path does not exist. • The file is being used by
another program. • The workbook you are trying to save has the same
name as a currently open workbook. at
Microsoft.Office.Interop.Excel.Workbooks.Open(String Filename, Object
UpdateLinks, Object ReadOnly, Object Format, Object Password, Object
WriteResPassword, Object IgnoreReadOnlyRecommended, Object Origin,
Object Delimiter, Object Editable, Object Notify, Object Converter,
Object AddToMru, Object Local, Object CorruptLoad) at
Ci.Infrastructure.Reporting.ReportProviderExcel.RunReport()
I believe your problem is because the application pool needs to be configured to run either as a domain account or network service account.
If you choose the latter you'll need to grant permissions to '<domainname>\<machinename>$'. If you choose to run as a specific account then this is the user you will need to grant permissions to.
You've already granted everyone access, so it should just be a case of changing the app pool user, but once you have it working I recommend you restrict this to the specific account.
The following link will give you more information:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
I am trying to access the files with the following C# code, but when I try to execute the code I encounter an exception saying access to the path "\\MAHESH-PC\D$\temp\CloudURL.txt" is denied.
Impersonation imp = new Impersonation("MAHESH-PC", "mahesh", "welcome");
File.Copy(@"\\MAHESH-PC\D$\temp\CloudURL.txt", @"C:\temp\CloudURL.txt", true);
I have given all the access rights to both temp folders, one on the C: drive and the other on the D: drive.
I have enabled impersonation in IIS, and even then I am getting the access denied exception. Please can I know, are there any other settings I should implement to make this work?
Is impersonation enabled in your web.config? I'm not positive but I wouldn't think enabling impersonation in IIS has any effect on the impersonation of your site. If not, turn it on, or grant the app pool identity read/write access to both your directories and see if that helps.
Also, double check your folder system security. It appears you granted everyone read/write access to the share, but if you're navigating to the path \pc\drive$\ then it may be relying on file system security and not the security on the folder share itself. Make sense?
I'm passing a UNC path to File.GetAttributes(). This works fine when running off my local, but when I move the site to the test server, I get a "Network path not found" error. I am able to navigate to the path from the test server, so I don't know why I would be getting this error. The code is very simple. This is where it errors out:
try
{
    if (FileAttributes.Directory != (FileAttributes.Directory & File.GetAttributes(directory)))
        directory = GetPath(directory);
}
catch...
Being able to navigate to the share from the server doesn't mean much - remember your application is running under another account, usually whatever the app pool is set to. That account normally does not have access to anything other than the resources in the local machine, because it's not a domain account.
Check what account the app pool is running under. You might have to change that to a domain account on your AD forest to be able to access things on other servers.
Most likely it is the "NTLM one hop" issue - credentials of a remote user can't be passed to a third server.
Machine 1:Browser -(credentials)-> Machine 2:ASP.Net site -(no credentials)-> Machine 3.
Solution is to access "machine 3" under known (i.e. process) account or use Kerberos.
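A diagnostic for the hop described above, as an added example rather than code from any of the posts. It assumes .NET Framework (for WindowsImpersonationContext) and a hypothetical share \\fileserver\templates; it reports which identity the thread would present to "machine 3" and then performs the file access under the process (application pool) account:

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class HopDiagnostics
{
    // Describes the identity the current thread presents to a remote server.
    // An impersonated NTLM logon shows level=Impersonation, which is valid on
    // this machine only; a second hop needs level=Delegation (Kerberos).
    public static string DescribeCurrentIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format("name={0}; authType={1}; level={2}; anonymous={3}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel, id.IsAnonymous);
        }
    }

    // Lists a share as the process account. Impersonate(IntPtr.Zero) is the
    // managed equivalent of RevertToSelf; disposing the returned context
    // restores the caller's impersonation token.
    public static string[] ListFilesAsProcessIdentity(string uncPath)
    {
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            return Directory.GetFiles(uncPath);
        }
    }

    public static void Main()
    {
        const string share = @"\\fileserver\templates";  // hypothetical path
        Console.WriteLine("request thread : " + DescribeCurrentIdentity());
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            Console.WriteLine("process account: " + DescribeCurrentIdentity());
        }
        try
        {
            foreach (string file in ListFilesAsProcessIdentity(share))
                Console.WriteLine(file);
        }
        catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)
        {
            // Failure here means the process account itself lacks share or NTFS rights.
            Console.WriteLine("process account cannot read " + share + ": " + ex.Message);
        }
    }
}
```

Logging both lines next to the exception shows whether the failing call ran as the impersonated caller or as the pool account, which is the account the file server's ACL has to name.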