Here is a nasty issue that has been giving me grief for the last couple of days. This requires good knowledge of IIS, MSXML, and Windows/NTFS permissions.
We have an existing ASP (VBScript) app hosted on IIS 6.0 (W2K3). We need to restrict access to specific users within our company network. To reduce development effort, I figured the easiest solution was to enable Integrated Windows Authentication. However, once I enable IWA and disable Anonymous access, the app generates the following error:
msxml3.dll error '80070005'
Access is denied.
/training/quickstart/functions.asp, line 172
The relevant code:
'g_sClassInfoXMLPath set to "\\JRIEGER\Share\classinfo.xml" for testing purposes
Function LoadDocument
    Dim xmlInfo
    Set xmlInfo = Server.CreateObject("MSXML2.DOMDocument")
    xmlInfo.async = False
    Call xmlInfo.Load(g_sClassInfoXMLPath) 'generates error
    'etc...
For testing purposes, I hosted the XML file from a share on my box and recreated the problem. I have granted access to the share to my user. I have also created a local user on my box matching the username and password of the IUSR account on the server, and granted it access to the share. If I log into the server as myself and then navigate to the shared folder, I can access the file. Both my box and the server are on the same domain, and my user account is on the domain.
If I change the app back to Anonymous access, it works fine.
I need to host the XML file on a network share because the application could possibly be load-balanced in production and we want to store a single copy of the XML file on our NAS device to keep the data consistent between web servers.
Here are some things I've tried:
- On my box, I opened Computer Management > System Tools > Shared Folders > Sessions and then ran the app; sometimes when I refreshed the sessions window, I caught a new session from the user CSSSQAWEB01$ (this is the name of the server, followed by a $). There is no such user on the server. Does this indicate that the user is not authenticating properly?
- I ran Filemon on my box to try to see which user was attempting to access the file, but I couldn't find any record of the attempt. In fact, when I switched the app back to Anonymous access, Filemon still didn't see anything, even though the attempt succeeded. I wasn't filtering the output and I did a Find for "xml" but nothing came up.
Any suggestions would be much appreciated.