.NET MVC Access denied when trying to create Directory - c#

I am trying to create a directory in .NET using Directory.CreateDirectory. I followed the directions here to give access permission, but I am still getting an UnauthorizedAccessException. Does anyone have any advice? Note: this is a web application that uses the IIS7 server.

In the directory you are attempting to create a new directory, make sure that your app pool user has Read/Write permissions for that directory. You have to specifically do that in addition to adding the user to the user groups.

2 more potential issues (+1 to user959729):
you are creating the directory in a different place than you think you are (i.e. you are building the path wrong)
the code runs under an impersonated account (user's or anonymous) and that user does not have permission to create the folder (to verify, try checking System.Environment.UserName before creating the directory). To fix this, you need to run the code as the process account.
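The two checks from the answers above (where the path really resolves to, and which account the code runs as) can be combined in one helper. This is an added example, not code from the original posts; the class name, method name and `uploadsRoot` parameter are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class UploadDirectories
{
    // Creates a subfolder under uploadsRoot and returns its full path.
    // uploadsRoot is a hypothetical folder the app pool account may write to.
    public static string CreateUnder(string uploadsRoot, string relativeName)
    {
        // Resolve both paths so "..", rooted input or mixed separators
        // cannot hide where the directory will really be created.
        string root = Path.GetFullPath(uploadsRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string target = Path.GetFullPath(Path.Combine(root, relativeName));

        if (!target.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException(
                "Path resolves outside the uploads root: " + target);

        // Identity of the current thread: the app pool account, or the
        // impersonated user when impersonation is active.
        string account;
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            account = id.Name;
        }

        try
        {
            Directory.CreateDirectory(target);
            return target;
        }
        catch (UnauthorizedAccessException ex)
        {
            // Report the two facts needed to fix the ACL: who and where.
            throw new UnauthorizedAccessException(
                "Account '" + account + "' cannot create '" + target + "'.", ex);
        }
    }
}
```

The exception message names the account that needs the permission and the resolved path it needs it on, which is what has to be granted in the folder's Security tab.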

Related

Delete folder programmatically as admin

I'm trying to delete a user profile folder using C# and ASP.NET. When I do this through the Windows UI I get a UAC prompt, which is fine.
I wish to do this programmatically using ASP.NET and C#.
The objective is for admin users to launch a webform and do this remotely on a workstation, but I'm currently getting permission errors.
(I'm running Visual Studio as admin in my debugging environment to delete local users.)
{"Access to the path 'C:\Users\nzsp2013admin\AppData\Local\Microsoft\Windows\Application ..... is denied."}
code:
var dir = new DirectoryInfo(@"C:\Users\nzsp2013admin"); // verbatim string: backslashes are not escape sequences
dir.Attributes = dir.Attributes & ~FileAttributes.ReadOnly;
dir.Delete(true); // true => recursive delete
This has to do with the permissions which are configured in IIS.
Every ASP.NET application that you run in IIS will be run using an identity that can be managed in the Application Pools section in IIS Manager.
By default, each Application Pool that is created (including the default one) will have permissions within a limited scope.
If I'm honest, the phrase Application Pool makes things sound more complicated than what they actually are. An application pool is just an identity exactly like the one that you use to sign on to your PC, and in your case an identity with normal user permissions is attempting to perform an action that requires a set of higher permissions.
To resolve this, open up IIS.
Click on Application Pools
Select the Application Pool that your web application is running under
Click on Advanced Settings
Click on identity and select Custom identity
Enter the credentials of an account that has administrative privileges.
However, I do have to warn you that you could be opening yourself up to a wide range of security concerns and that there are alternatives such as adding explicit permissions to specific directories that include the identity which the ASP.NET application is running from.
I used this approach and it works very well. With this approach you don't use an account with high-level privileges all the time, just when required and not for the application execution.
Try to use a domain account and add privileges to the folder or location you require. And share the folder so you can use a UNC path.
Accessing a Shared File (UNC) From a Remote, Non-Trusted Domain With Credentials
You could use code impersonation:
http://csharptuning.blogspot.com/2007/06/impersonation-in-c.html
http://www.codeproject.com/Articles/14358/User-Impersonation-in-NET
Regardless, whoever you use for the impersonation must be able to read/write to the location. We use this method in applications to delete/create folders across the network, but in theory you should be able to wrap this around any piece of code, check to see if the user is an admin, and if so use the impersonated user to delete the folder, or however you prefer to do it.
Also, I noticed you mention that you are wanting to do it remotely, but your examples have the local path.
You may also find this useful: Deleting Windows user accounts remotely WCF and C#

Access to the path denied

I know this question has already been asked many times, but that doesn't help me tackle my equation.
I currently have a Folder shared for the respective users to be zipped when the user calls the service. I get Access to the path \\IP\FolderName is denied. On research, I found out several solutions for this issue, but none worked.
I tested by trying to zip the files inside the folder and was able to do it successfully. I do not know what might be the issue! I even tried going the bad way by giving permission for Everyone for the folder (out of frustration though) and still was not successful.
My Anonymous, ASP.NET Impersonation and Windows Authentication were enabled. I do not know what might be the issue.
PS: Could I know in what identity the IIS is accessing the folder, so that I can give permissions only to that User.
I can not help you with your main problem, but for the following:
Could I know in what identity the IIS is accessing the folder, so that I can give permissions only to that User.
You need to check what Application Pool is assigned to your application in IIS. Then go to the application pools section and there the user is listed:
As mentioned by Chrfin, you need to first find out the application pool used by your application (e.g. DefaultAppPool, ASP.NET v4.0 etc). Right-click on the relevant app pool and go to Advanced Settings; there you should see the Identity.
But the best way is to go for impersonation; check this thread for more details. With impersonation, what you do is give the required folder access permission to an admin user on the web server, and whenever you try to access these folders from within your code, you impersonate for that particular code block:
using (Impersonator impersonator = new Impersonator())
{
//Write the folder accessing logic here
}

create directory on fly during application deployment or first request to application.

Hi All,
I have been stuck on this issue for a week now. I want the directory to be created in the root of my project when my application runs in IIS. But since the IIS user account can't be given full permission in the root directory, I get the access denied error while trying to create the directory. I tried to find a workaround by keeping the images in the App_Data folder, but that does not look like a good approach as per this post.
I need to create the folder on the fly when the request comes to the application for the first time, without getting the access denied error. It is also OK if I am able to create the directory with permissions during deployment.
What is the best approach to solve the above problem?
Thanks S.
You are misunderstanding the information in your link. It's true that the browser shouldn't have access to the App_Data folder, but in your case it's the server, your ASP.NET code that does this.
If this scenario is for letting user upload and download files, and you have sensitive files in the app_data folder, create a dedicated folder for your purpose instead let's say /Uploads.
Create this folder in your project directly and deploy it to your destination web server.
Give the app pool account read/write permissions, and that should do it.
Minimize the number of folders that the app pool account has write permissions to.
If you create a folder /wwwroot/Uploads and give the app pool account full permission to Uploads only, it's not necessary to have full permissions on the root level. The app can create folders dynamically in the /Uploads folder.
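The grant described in this answer can be scripted at deployment time. This is an added example, not code from the original posts; the class and method names, the folder path and the pool name `ExamplePool` are hypothetical placeholders. It also lists every account that can create files or folders, so that broad grants such as Everyone stand out.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class UploadsAcl
{
    // Grants Modify on uploadsPath, inherited by everything below it, to one
    // account. Run once at deployment from an administrative context.
    public static void GrantModify(string uploadsPath, string account)
    {
        DirectoryInfo dir = Directory.CreateDirectory(uploadsPath);
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(account),
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }

    // Prints every account with an Allow rule that permits creating files
    // or subfolders, including rules inherited from parent folders.
    public static void PrintWriters(string path)
    {
        const FileSystemRights create =
            FileSystemRights.CreateFiles | FileSystemRights.CreateDirectories;
        DirectorySecurity acl = new DirectoryInfo(path).GetAccessControl();
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(NTAccount)))
        {
            if (rule.AccessControlType == AccessControlType.Allow &&
                (rule.FileSystemRights & create) != 0)
            {
                Console.WriteLine("{0}: {1}",
                    rule.IdentityReference.Value, rule.FileSystemRights);
            }
        }
    }

    public static void Main()
    {
        // Hypothetical values: substitute the real site folder and pool name.
        string uploads = @"C:\inetpub\wwwroot\Uploads";
        GrantModify(uploads, @"IIS AppPool\ExamplePool");
        PrintWriters(uploads);
    }
}
```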

Access to the path is denied

I am currently creating a folder and writing a file to the folder, which needs to be created on a file server that we have. When I do a localhost test, it works perfectly, but when I access the website from outside the localhost and from another PC, it says:
System.UnauthorizedAccessException: Access to the path 'My File Server
URL' is denied
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
the application is not impersonating. If the application is
impersonating via <identity impersonate="true"/>, the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
But the thing is that I have already set the identity impersonate="true" in the web.config and it still didn't work. My web server is running on Windows Server 2003 and IIS 6.
Any advice and help will be deeply appreciated.
Thanks
Brandon
You need to grant write, modify permission to the Users group for that file/folder.
Check your IIS Authentication setting and make sure that Anonymous authentication is enabled.
Hi guys, I managed to find the solution to it.
If you are creating a folder, use this code before file or folder creation:
WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
// Insert the create code here
ctx.Undo();
Well, I do not know if this is the best solution. If anyone knows the downside or implication of this code, please share and comment.
No harm in knowing more.

Intranet Application best practice? ApplicationPoolIdentity or not?

I have a local Intranet application that does some file validation using Directory.Exists and File.Exists. Unfortunately, the checks fail due to the fact that the application is running as "ApplicationPoolIdentity" and that account doesn't have access to the UNC paths the Directory.Exists and File.Exists are checking.
Should I give that ApplicationPoolIdentity account permissions to read those directories? (All of the directories appear under a top level folder of a single server.) If so, how?
Or, should I run the Application Pool under a domain account and grant that account permissions? (If I do need to create a new account, what permissions should I give it?)
Thanks for any input!
As a rule I normally create a custom account, but if you want to grant additional rights to shares etc. I would say that it is the best option.
Create a new AppPool with a custom identity with the relevant access to the shares. Then have the application run under this new AppPool. That way you can have other applications that do not require access to the shares in AppPools that do not have this access.
If you are using Windows 7 or Windows 2008 R2 you might want to look at Virtual Accounts.
Here is a good article on the topic of Application Pool Identities
You need to set read ACLs for the following identity: IIS AppPool\. You can do it either from the folder properties dialog (if your computer is on the domain, make sure Locations is set to the local machine in the "Select Users or Groups" dialog) or using icacls from the command line.
