By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
432,474 Members | 966 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 432,474 IT Pros & Developers. It's quick & easy.

Win2003 Server - Access to the path is denied

P: n/a
We are having an issue in that when trying to read a file that is on Server2
from Server1 (through our ASP.NET project), we receive the error:
Access to the path "\\Server2\MyShare\MyFile.tif" is denied.
Here is the server setup that we have:
Dev - Development Computer on WinXP Pro SP2 (IIS5), VS2003 developing
under .NET Framework 1.1
Server1 - Web Server on Win2003 Server (IIS6)
Server2 - File Server on Win2003 Server
All servers are a part of the same domain
The error only happens on Server1 (Win2003 w/IIS6). The error does not
occur on Dev (WinXP Pro SP2 w/IIS5). We have also tried running this web
application on another Win2003 server with the same error as Server1. On
each server, we were logged on with an Administrator account (which has
permission to Server2) even though log-in is not required.
The line of code which generates the error is:
iStream = New System.IO.FileStream(filepath, System.IO.FileMode.Open, _
IO.FileAccess.Read, IO.FileShare.Read)
Anonymous access to our web project has been disabled by doing the
following:
In the Web.Config of the ASP.NET project:
<authentication mode="Windows"/>
<identity impersonate="true"/> (this is only on the Dev machine and
has been removed on Server1)
<authorization>
<deny users="?"/> <!-- Deny Anonymous users -->
<allow users="*"/> <!-- Allow only authenticated users -->
</authorization>
Within IIS on Dev and Server1
- "Anonymous access" has been disabled
- "Integrated Windows authentication" has been enabled
We have verified, before and after the error, that the user is the current
Windows user (from the client machine) and that they are a part of the group
assigned to the "MyShare" folder on Server2 with sufficient privileges. We
have also tried using an Administrator account to no avail.
The code used for checking the current user is:
Me.User.Identity.Name

The code used for checking permissions is:
HasPermission(New System.Security.Permissions.FileIOPermission( _
System.Security.Permissions.FileIOPermissionAccess .AllAccess, _
filepath))

Private Function HasPermission(ByVal permission As
System.Security.CodeAccessPermission) As Boolean
Dim bolReturn As Boolean
Try
If Not permission Is Nothing Then
permission.Demand()
End If
bolReturn = True
Catch
bolReturn = False
End Try
Return bolReturn
End Function
We have also tried running the following code before trying to read the
file:
AppDomain.CurrentDomain.SetPrincipalPolicy(Princip al.PrincipalPolicy.WindowsPrincipal)

' Thread.CurrentPrincipal represents the Windows Authenticated user
Thread.CurrentPrincipal = New
Principal.WindowsPrincipal(Principal.WindowsIdenti ty.GetCurrent())

'Thread.CurrentPrincipal.Identity
'HttpContext.Current.User
Dim wic As WindowsImpersonationContext =
CType(HttpContext.Current.User.Identity,
System.Security.Principal.WindowsIdentity).Imperso nate()
The "MyShare" folder on Server2 has restricted permissions set for a
specific group of people when the error occurs. If we add "Everybody" to
the permissions list and give "Everybody" read access, then we are able to
download the file. Even though this works, it is not a solution that we are
happy with.
We tried accessing the file directly from the Web Service (on Server2) when
called from Server1, but that also failed with the same "Access to the path
...." error message. Something that did work successfully was to create the
following structure on Server2:
Business Tier (COM+ DLL running under local Admin account)
Web Service
The web project would call a Web Service function which would then call a
Business Tier function to return a byte array of a specified file.
We also noticed that if you copy the path in the error message and paste it
directly into Windows/Internet Explorer, that the file can be accessed
without any problems. This, to me, indicates that the opening of the
FileStream is not being called under the permission of the authenticated
user.
Based on the Web.Config and IIS settings, I was under the assumption that
the user would impersonated on Server1 which should also give them access to
the appropriate resources on Server2. Even though the username is correct
and the HasPermission function which checks for AllAccess permission on the
file on Server2 was successful, the error message when trying to read the
file makes it seem as if the impersonation failed.
The questions that I have are:
1. Why is this happening?
2. What is the solution?
TIA,
Jody
Nov 19 '05 #1
Share this Question
Share on Google+
1 Reply


P: n/a
On Wed, 17 Aug 2005 10:12:59 -0400, "Jody Gelowitz" <jg**************@blah.leevalley.com> wrote:

We are having an issue in that when trying to read a file that is on Server2
from Server1 (through our ASP.NET project), we receive the error:
Access to the path "\\Server2\MyShare\MyFile.tif" is denied.


Here is the server setup that we have:
Dev - Development Computer on WinXP Pro SP2 (IIS5), VS2003 developing
under .NET Framework 1.1
Server1 - Web Server on Win2003 Server (IIS6)
Server2 - File Server on Win2003 Server
All servers are a part of the same domain


The error only happens on Server1 (Win2003 w/IIS6). The error does not
occur on Dev (WinXP Pro SP2 w/IIS5). We have also tried running this web
application on another Win2003 server with the same error as Server1. On
each server, we were logged on with an Administrator account (which has
permission to Server2) even though log-in is not required.


The line of code which generates the error is:
iStream = New System.IO.FileStream(filepath, System.IO.FileMode.Open, _
IO.FileAccess.Read, IO.FileShare.Read)


Anonymous access to our web project has been disabled by doing the
following:
In the Web.Config of the ASP.NET project:
<authentication mode="Windows"/>
<identity impersonate="true"/> (this is only on the Dev machine and
has been removed on Server1)
<authorization>
<deny users="?"/> <!-- Deny Anonymous users -->
<allow users="*"/> <!-- Allow only authenticated users -->
</authorization>
Within IIS on Dev and Server1
- "Anonymous access" has been disabled
- "Integrated Windows authentication" has been enabled


We have verified, before and after the error, that the user is the current
Windows user (from the client machine) and that they are a part of the group
assigned to the "MyShare" folder on Server2 with sufficient privileges. We
have also tried using an Administrator account to no avail.


The code used for checking the current user is:
Me.User.Identity.Name

The code used for checking permissions is:
HasPermission(New System.Security.Permissions.FileIOPermission( _
System.Security.Permissions.FileIOPermissionAccess .AllAccess, _
filepath))

Private Function HasPermission(ByVal permission As
System.Security.CodeAccessPermission) As Boolean
Dim bolReturn As Boolean
Try
If Not permission Is Nothing Then
permission.Demand()
End If
bolReturn = True
Catch
bolReturn = False
End Try
Return bolReturn
End Function


We have also tried running the following code before trying to read the
file:
AppDomain.CurrentDomain.SetPrincipalPolicy(Princip al.PrincipalPolicy.WindowsPrincipal)

' Thread.CurrentPrincipal represents the Windows Authenticated user
Thread.CurrentPrincipal = New
Principal.WindowsPrincipal(Principal.WindowsIdenti ty.GetCurrent())

'Thread.CurrentPrincipal.Identity
'HttpContext.Current.User
Dim wic As WindowsImpersonationContext =
CType(HttpContext.Current.User.Identity,
System.Security.Principal.WindowsIdentity).Imperso nate()


The "MyShare" folder on Server2 has restricted permissions set for a
specific group of people when the error occurs. If we add "Everybody" to
the permissions list and give "Everybody" read access, then we are able to
download the file. Even though this works, it is not a solution that we are
happy with.


We tried accessing the file directly from the Web Service (on Server2) when
called from Server1, but that also failed with the same "Access to the path
..." error message. Something that did work successfully was to create the
following structure on Server2:
Business Tier (COM+ DLL running under local Admin account)
Web Service
The web project would call a Web Service function which would then call a
Business Tier function to return a byte array of a specified file.


We also noticed that if you copy the path in the error message and paste it
directly into Windows/Internet Explorer, that the file can be accessed
without any problems. This, to me, indicates that the opening of the
FileStream is not being called under the permission of the authenticated
user.


Based on the Web.Config and IIS settings, I was under the assumption that
the user would impersonated on Server1 which should also give them access to
the appropriate resources on Server2. Even though the username is correct
and the HasPermission function which checks for AllAccess permission on the
file on Server2 was successful, the error message when trying to read the
file makes it seem as if the impersonation failed.


The questions that I have are:
1. Why is this happening?
2. What is the solution?


Thanks for the comprehensive description and information.

I think you're hung up on the delegation issue. IIS cannot delegate credentials to a remote resource
when authenticating with Integrated Windows security. NTLM handles the authentication and the
credentials are never passed on to IIS.

If the goal is to impersonate and then delegate using Integrated Windows authentication you need to
implement Kerberos. There are some other workarounds that might be acceptable. See the following
document:

http://msdn.microsoft.com/library/de...delegation.asp

BTW, this probably works w/your DEV box because you're already authenticated locally as opposed to
being authenticated via IIS.
Paul
~~~~
Microsoft MVP (Visual Basic)
Nov 19 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.