473,289 Members | 1,810 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,289 software developers and data experts.

Vista IIS7 write access denied only with windows authentication

Hello

Machine: Windows Vista Business, standalone machine (no domain).
Installed an old classic ASP webapplication in IIS7, running under a new app.pool with 'NETWORK SERVICE' account (using existing app.pool gives same results).
This webapplication tries to write to a log file.

Used Process Monitor (from Sysinternals) for monitoring purposes.
Logged in to my machine as 'MYPC\danny', a local account that's a member of the administrators group.

Test 1 and 2: webapp only uses 'windows authentication'.
Test 3: only 'anonymous authentication' with the default IUSR account
Test 4: only 'anonymous authentication' running under the same account that I'm currently logged in with, so 'MYPC\danny'.

1) start internet explorer normally => creating or writing fails => user is 'NETWORK SERVICE' impersonating 'MYPC\danny'
2) start internet explorer with the 'run as administrator' option => creating or writing succeeds => user is 'NETWORK SERVICE' impersonating 'MYPC\danny'
3) start internet explorer normally => creating or writing succeeds => user is 'NETWORK SERVICE' impersonating 'IUSR'
4) start internet explorer normally => creating or writing succeeds => user is 'NETWORK SERVICE' impersonating 'MYPC\danny'

Here are the detailed results from Process monitor:

1) 21320 15:21:26,3239271 w3wp.exe 5940 CreateFile D:\Projects\ebts\webpages\logs\SQL.log ACCESS DENIED Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: MYPC\danny NT AUTHORITY\NETWORK SERVICE
2) 19096 15:22:00,6721660 w3wp.exe 5940 CreateFile D:\Projects\ebts\webpages\logs\SQL.log SUCCESS Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: MYPC\danny, OpenResult: Created NT AUTHORITY\NETWORK SERVICE
3) 22581 15:40:12,7932636 w3wp.exe 5940 CreateFile D:\Projects\ebts\webpages\logs\SQL.log SUCCESS Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: NT AUTHORITY\IUSR, OpenResult: Created NT AUTHORITY\NETWORK SERVICE
4) 58762 14:28:20,0144969 w3wp.exe 5740 CreateFile D:\Projects\ebts\webpages\logs\SQL.log SUCCESS Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: MYPC\danny, OpenResult: Created NT AUTHORITY\NETWORK SERVICE


In test 1 ALL write actions fail (no matter what folder, Foxpro tries to create some temp. tables, this also only fails with test 1).
All read actions succeed.
In all other cases everthing always works.
Giving every possible user and every possible group every possible right to that folder makes no difference.

My question: can anybody explain test case 1, how can this possibly happen ????

Thanks for any help.
Mar 4 '08 #1
5 12514
kenobewan
4,871 Expert 4TB
This article may help:
Understanding ASP.NET Impersonation Security
Mar 6 '08 #2
Thanks for the help, but it did not tell me anything I did not already know or that could explain the strange behavior I'm experiencing. I did post a note an that forum so maybe someone can help me there. Thx !
Mar 8 '08 #3
kenobewan
4,871 Expert 4TB
Shame the article contained the solution and helped me with a similar problem a while ago. Good luck.
Mar 8 '08 #4
Did you find a solution to the problem?

I am seeing the exactly the same issue.
I tried using basic authentication and it works just fine.
I tried using windows authentication and gives "Access denied" when writing to a file, or trying to access a network share.

Process monitor shows the impersonation of the same user when writing to the file for both basic and windows authentication.

The only difference I saw was when looking at process explorer, the security context tokens looked different

For basic authentication w3wp.exe
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:1db04b7
Token NT AUTHORITY\IUSR:3e3

For Windows Authentication w3wp.exe
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:2dfc4
Token domain\Imre.Lengyel:2dfc4
Token NT AUTHORITY\IUSR:3e3

does any one know what does the numbers mean in the token names?
Mar 28 '08 #5
kenobewan
4,871 Expert 4TB
Did you find a solution to the problem?

I am seeing the exactly the same issue.
I tried using basic authentication and it works just fine.
I tried using windows authentication and gives "Access denied" when writing to a file, or trying to access a network share.

Process monitor shows the impersonation of the same user when writing to the file for both basic and windows authentication.

The only difference I saw was when looking at process explorer, the security context tokens looked different

For basic authentication w3wp.exe
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:1db04b7
Token NT AUTHORITY\IUSR:3e3

For Windows Authentication w3wp.exe
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:2dfc4
Token domain\Imre.Lengyel:2dfc4
Token NT AUTHORITY\IUSR:3e3

does any one know what does the numbers mean in the token names?
This article may help:
Understanding ASP.NET Impersonation Security
Mar 28 '08 #6

Sign in to post your reply or Sign up for a free account.

Similar topics

51
by: Steven Spits | last post by:
Hi, Plannig to buy Vista, but not sure what version to get. I do VS.NET development, mostly ASP.NET. Can IIS be installed on Vista home premium? Or do I need business or ultimate? Steven
8
by: Darwiniv | last post by:
1. Does anyone run ASAPI and mysql succesfully on Vista /IIS7? 2. Does anyone run CGI and display all SESSION errors on Vista /IIS7? php ASAPI doesn't works with MYSQL. And CGI doesn't show...
4
by: Viviana Vc | last post by:
Hi all, I've read the WindowsVistaUACDevReqs.doc documentation and I have done different small tests on Vista to understand the bahaviour and now I have a few questions. 1) If I create a...
6
by: John Kotuby | last post by:
Hi all... Well my earlier post aboout not being able to access http://localhost has been resolved. I am still having problems testing my Web site project. First, thanks to Juan Libre I edited...
10
by: hugh welford | last post by:
Hi Have just installed IIS7 on Vista and am trying to access a .mdb file through ASP. Getting server error. I think the problem is in the file permission. Under XP Pro/IIS6 is used to have to...
5
by: =?Utf-8?B?bXVzb3NkZXY=?= | last post by:
Hi, I wonder if someone could shed some light on this one for me. I have developed a web app in VS2005 with the built in server. It uses an sql database, everytihng works. I need to test it...
0
by: Erwin Moller | last post by:
Hi, I am one of those questionable people that started with Vista (Home Premium). Not because I think it is a ready/steady OS, but partly out of curiousity, and partly because I needed to work...
6
by: ma | last post by:
Hello, I am new to IIS and ASP.NET. I wrote my first ASP.NET and I want to deploy in to a system which has Vista Business and IIS7. I copied my files to the target computer and created a virtual...
11
by: =?Utf-8?B?QXNhZg==?= | last post by:
Hello, I have just installed VISTA Enterprise and VS.NET 2008. When pressing F5 to debug my test ASP.NET website, IE 7 display the message "Internet Explorer cannot display the webpage". The...
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
by: marcoviolo | last post by:
Dear all, I would like to implement on my worksheet an vlookup dynamic , that consider a change of pivot excel via win32com, from an external excel (without open it) and save the new file into a...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.