
Vista IIS7 write access denied only with windows authentication

P: 2
Hello

Machine: Windows Vista Business, standalone machine (no domain).
Installed an old classic ASP webapplication in IIS7, running under a new app.pool with 'NETWORK SERVICE' account (using existing app.pool gives same results).
This webapplication tries to write to a log file.

Used Process Monitor (from Sysinternals) for monitoring purposes.
Logged in to my machine as 'MYPC\danny', a local account that's a member of the administrators group.

Test 1 and 2: webapp only uses 'windows authentication'.
Test 3: only 'anonymous authentication' with the default IUSR account
Test 4: only 'anonymous authentication' running under the same account that I'm currently logged in with, so 'MYPC\danny'.

1) start internet explorer normally => creating or writing fails => user is 'NETWORK SERVICE' impersonating 'MYPC\danny'
2) start internet explorer with the 'run as administrator' option => creating or writing succeeds => user is 'NETWORK SERVICE' impersonating 'MYPC\danny'
3) start internet explorer normally => creating or writing succeeds => user is 'NETWORK SERVICE' impersonating 'IUSR'
4) start internet explorer normally => creating or writing succeeds => user is 'NETWORK SERVICE' impersonating 'MYPC\danny'

Here are the detailed results from Process monitor:

1) 21320 15:21:26,3239271 w3wp.exe 5940 CreateFile D:\Projects\ebts\webpages\logs\SQL.log ACCESS DENIED Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: MYPC\danny NT AUTHORITY\NETWORK SERVICE
2) 19096 15:22:00,6721660 w3wp.exe 5940 CreateFile D:\Projects\ebts\webpages\logs\SQL.log SUCCESS Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: MYPC\danny, OpenResult: Created NT AUTHORITY\NETWORK SERVICE
3) 22581 15:40:12,7932636 w3wp.exe 5940 CreateFile D:\Projects\ebts\webpages\logs\SQL.log SUCCESS Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: NT AUTHORITY\IUSR, OpenResult: Created NT AUTHORITY\NETWORK SERVICE
4) 58762 14:28:20,0144969 w3wp.exe 5740 CreateFile D:\Projects\ebts\webpages\logs\SQL.log SUCCESS Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, Impersonating: MYPC\danny, OpenResult: Created NT AUTHORITY\NETWORK SERVICE


In test 1 ALL write actions fail (no matter what folder, Foxpro tries to create some temp. tables, this also only fails with test 1).
All read actions succeed.
In all other cases everything always works.
Giving every possible user and every possible group every possible right to that folder makes no difference.

My question: can anybody explain test case 1, how can this possibly happen ????

Thanks for any help.
Mar 4 '08 #1
5 Replies


kenobewan
Expert 2.5K+
P: 4,871

P: 2
Thanks for the help, but it did not tell me anything I did not already know or that could explain the strange behavior I'm experiencing. I did post a note on that forum so maybe someone can help me there. Thx !
Mar 8 '08 #3

kenobewan
Expert 2.5K+
P: 4,871
Shame the article contained the solution and helped me with a similar problem a while ago. Good luck.
Mar 8 '08 #4

P: 1
Did you find a solution to the problem?

I am seeing exactly the same issue.
I tried using basic authentication and it works just fine.
I tried using windows authentication and it gives "Access denied" when writing to a file, or trying to access a network share.

Process monitor shows the impersonation of the same user when writing to the file for both basic and windows authentication.

The only difference I saw was when looking at process explorer, the security context tokens looked different

For basic authentication w3wp.exe
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:1db04b7
Token NT AUTHORITY\IUSR:3e3

For Windows Authentication w3wp.exe
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:2dfc4
Token domain\Imre.Lengyel:2dfc4
Token NT AUTHORITY\IUSR:3e3

Does anyone know what the numbers mean in the token names?
Mar 28 '08 #5
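
Added example (not part of any post in this thread): in a Process Explorer token handle name, the suffix after the colon is the token's logon session ID in hexadecimal, and 3e3 and 3e4 are the fixed IDs Windows reserves for IUSR and NETWORK SERVICE. The sketch below parses the two listings from post #5 (repeated entries trimmed) and reports accounts whose logon session differs between them; the function names are illustrative.

```python
import re

# Fixed logon session IDs that Windows reserves for built-in accounts (winnt.h).
WELL_KNOWN_SESSIONS = {
    0x3E3: "IUSR",
    0x3E4: "NETWORK SERVICE",
    0x3E5: "LOCAL SERVICE",
    0x3E6: "ANONYMOUS LOGON",
    0x3E7: "SYSTEM",
}

# Token handle names copied from post #5, duplicates removed.
BASIC_AUTH = r"""
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:1db04b7
"""
WINDOWS_AUTH = r"""
Token NT AUTHORITY\IUSR:3e3
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token domain\Imre.Lengyel:2dfc4
"""

# "Token <account>:<hex id>"; the greedy match splits on the last colon.
TOKEN_RE = re.compile(r"^Token\s+(?P<account>.+):(?P<luid>[0-9a-fA-F]+)$")

def parse_tokens(listing):
    """Map each account to the set of logon session IDs seen for it."""
    sessions = {}
    for line in listing.splitlines():
        m = TOKEN_RE.match(line.strip())
        if m:
            sessions.setdefault(m["account"], set()).add(int(m["luid"], 16))
    return sessions

def session_changes(first, second):
    """Accounts present in both listings whose logon session IDs differ."""
    a, b = parse_tokens(first), parse_tokens(second)
    return {acct: (a[acct], b[acct]) for acct in a.keys() & b.keys() if a[acct] != b[acct]}

def describe(luid):
    """Name a reserved session ID; other IDs are assigned per logon."""
    return WELL_KNOWN_SESSIONS.get(luid, "per-logon session")

if __name__ == "__main__":
    for acct, (basic, win) in session_changes(BASIC_AUTH, WINDOWS_AUTH).items():
        print(acct, [hex(x) for x in basic], "->", [hex(x) for x in win])
```

Two tokens for the same account with different logon session IDs come from different logons, so they can carry different groups and privileges even though Process Monitor prints the same account name for both.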

kenobewan
Expert 2.5K+
P: 4,871
This article may help:
Understanding ASP.NET Impersonation Security
Mar 28 '08 #6
