Re: IIS6 & ASP: accessing network files with FSO fails
From: Thomas (me_at_alternize.com)
Date: 03/21/05
- Next message: Aaron [SQL Server MVP]: "Re: IIS6 & ASP: accessing network files with FSO fails"
- Previous message: Mark Schupp: "Re: SSL/Response Object/data to client"
- In reply to: Aaron [SQL Server MVP]: "Re: IIS6 & ASP: accessing network files with FSO fails"
- Next in thread: Aaron [SQL Server MVP]: "Re: IIS6 & ASP: accessing network files with FSO fails"
- Reply: Aaron [SQL Server MVP]: "Re: IIS6 & ASP: accessing network files with FSO fails"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 21 Mar 2005 22:00:14 +0100
> Anyway, I'm still not convinced that you are authenticating the way you
> think you are when IIS tries to access the other machine. Are you absolutely
> positive that anonymous access is disabled?
well. "[ ] enable anonymous access" is unchecked. and i'm prompted for login
credentials when browsing the website.
> Are you prompted to enter
> network credentials, or does this happen transparently (in other words, you
> assume you are authenticating correctly)?
100% - i am prompted for password and stuff ;-)
also i can see on the domain server my login events.
> You say that you gave "Everyone" full access on Server2. Well, this only
> includes accounts that Server2 knows about. Humor us and add an explicit
> local username IUSR_Server1 and synchronize the password with the IUSR
> account on Server1.
created user IUSR_TATOOINE on server2. no luck:
Microsoft VBScript runtime error '800a0046'
Permission denied
eventlog on server2 still shows:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x10FB1B4)
Logon Type: 3
- thomas
"Aaron [SQL Server MVP]" <ten.xoc@dnartreb.noraa> wrote in message
news:%2315t2ZlLFHA.1180@TK2MSFTNGP14.phx.gbl...
> Umm, whoops, hit reply in the wrong place. Everyone please disregard that
> address, and go about your business. :-)
>
> Anyway, I'm still not convinced that you are authenticating the way you
> think you are when IIS tries to access the other machine. Are you absolutely
> positive that anonymous access is disabled? Are you prompted to enter
> network credentials, or does this happen transparently (in other words, you
> assume you are authenticating correctly)?
>
> You say that you gave "Everyone" full access on Server2. Well, this only
> includes accounts that Server2 knows about. Humor us and add an explicit
> local username IUSR_Server1 and synchronize the password with the IUSR
> account on Server1.
>
> A
>
>
>
> "Thomas" <me@alternize.com> wrote in message
> news:uNooSVlLFHA.2492@TK2MSFTNGP14.phx.gbl...
>> > security zone) then you should have access. If not, you're not using
>> > the account you think you are.
>>
>> i did this test and it works just fine - i can login with the domain account
>> and browse the website. but i cannot access the remote files - the eventlog
>> still shows the same results. :-(
>>
>> > Also, try using filemon on server 2 to see what account is trying to
>> > access the file. From systernals.com.
>>
>> already tried this. there is no activity on the files in question. i guess
>> asp therefore can not even access the share (which is configured to give
>> Everyone full access).
>>
>> - thomas
>>
>>
>> "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>> news:42402bff.81417962@msnews.microsoft.com...
>> > On Mon, 21 Mar 2005 20:51:43 +0100, "Thomas" <me@alternize.com> wrote:
>> >
>> >>> With Windows integrated authentication, the connection should be the
>> >>> account of the logged in user. Unless your user isn't getting logged
>> >>> in correctly.
>> >>
>> >>i can assure you i'm logged in correctly. and as domain admin i also have
>> >>enough rights to access any share or file within the network.
>> >>
>> >>when anonymous access on the web is disabled, i get the following eventlog
>> >>entries on server2 (where the asp tries to access the files):
>> >>
>> >>ID 538:
>> >>User Logoff:
>> >> User Name: ANONYMOUS LOGON
>> >> Domain: NT AUTHORITY
>> >> Logon ID: (0x0,0xF44FFC)
>> >> Logon Type: 3
>> >>
>> >>this only happens when anonymous access is turned off.
>> >
>> > This seems to indicate you're not passing credentials and logging in
>> > as the account you say you're logged in as.
>> >
>> > Try creating a simple HTML file on the web server. Using NTFS
>> > permissions, only allow access to a single user account. Log onto a
>> > workstation with this account and see if you can access the HTML file.
>> > No second server connection involved here. As long as IE is passing
>> > credentials for the server/domain (the domain is in the intranet
>> > security zone) then you should have access. If not, you're not using
>> > the account you think you are.
>> >
>> > Also, try using filemon on server 2 to see what account is trying to
>> > access the file. From systernals.com.
>> >
>> > Jeff
>> >
>> >
>> >>once i turn it on and
>> >>supply the user information in the iis management console, i get these
>> >>entries in the eventlog:
>> >>
>> >>ID 540:
>> >>Successful Network Logon:
>> >> User Name: iistest
>> >> Domain: DOM
>> >> Logon ID: (0x0,0xF640E0)
>> >> Logon Type: 3
>> >> Logon Process: NtLmSsp
>> >> Authentication Package: NTLM
>> >> Workstation Name: TATOOINE
>> >>
>> >>when having anon disabled, i only get logoff event log entries (ID 538),
>> >>whereas with anon enabled i get the successful logons (ID 540). in the
>> >>web's directory security tab, i have [x] windows authentication enabled.
>> >>this is doing my head in ;-(
>> >>
>> >>- thomas
>> >>
>> >>
>> >>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>> >>news:42411695.75935900@msnews.microsoft.com...
>> >>> On Mon, 21 Mar 2005 16:03:34 +0100, "Thomas" <me@alternize.com> wrote:
>> >>>
>> >>>>this is pure asp, yep.
>> >>>>
>> >>>>if you're right, this would imply asp scripts not being executed in-process
>> >>>>within the web. i somehow can't believe this... especially as it seems to
>> >>>>work when enabling anonymous access to the web. i KNOW asp.net runs within
>> >>>>the web application pool process and its identity. not having the same
>> >>>>possibility for classic asp looks like a bug or design failure to me...
>> >>>>;-(
>> >>>>
>> >>>>also, asp not using the "connect as" identity when accessing unc virtual
>> >>>>folders does not make any sense. i just can not (well, i can, but i don't
>> >>>>want to) give iusr or iwam access to the network shares. this would allow
>> >>>>other webs to read & write there as well - intolerable.
>> >>>
>> >>> With Windows integrated authentication, the connection should be the
>> >>> account of the logged in user. Unless your user isn't getting logged
>> >>> in correctly.
>> >>>
>> >>> Jeff
>> >>>
>> >>>
>> >>>
>> >>>>
>> >>>>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>> >>>>news:4246dd84.61326082@msnews.microsoft.com...
>> >>>>> On Mon, 21 Mar 2005 03:55:45 -0800, thomas h <me@alternize.com> wrote:
>> >>>>>
>> >>>>>>interesting point:
>> >>>>>>
>> >>>>>>the web does not allow anonymous access.
>> >>>>>>
>> >>>>>>when i enable anonymous access and put in the domain account as user, my
>> >>>>>>script works. so obviously asp is not running in the web application
>> >>>>>>pool, but under a different user context (which one??) when anonymous
>> >>>>>>access is disabled.
>> >>>>>>
>> >>>>>>the users logging in are domain users with full rights to the network -
>> >>>>>>so iis/asp does not seem to impersonate them either.
>> >>>>>>
>> >>>>>>so the question comes down to: what user is my asp script running in
>> >>>>>>(obviously not the one from my app pool) when i disable anonymous
>> >>>>>>access? the web's w3wp.exe is running as the app pool user (my domain
>> >>>>>>account).
>> >>>>>
>> >>>>> Normally IUSR/IWAM or the logged in user account. This is ASP and not
>> >>>>> .NET correct? Have you tried giving the network account access?
>> >>>>>
>> >>>>> Jeff
>> >>>>>
>> >>>>>>as a workaround i could just enable anonymous access and then check on
>> >>>>>>script basis if the user is logged in. but i somehow feel that this is
>> >>>>>>not how it should work. ;-)
>> >>>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>>
>>
>
>
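
Added example (not part of the original posts): a small Python parser for Security event text laid out like the 538/540 entries quoted in this thread. It separates type 3 network sessions opened as ANONYMOUS LOGON, meaning the connection to Server2 carried no user credentials, from logons made with a named account. The function names are hypothetical and the sample text is constructed from the values quoted in the thread.

```python
import re

# Constructed sample in the layout of the event text quoted in the thread
# (event IDs 538 and 540); field values are copied from the thread.
SAMPLE = """\
ID 538:
User Logoff:
 User Name: ANONYMOUS LOGON
 Domain: NT AUTHORITY
 Logon ID: (0x0,0xF44FFC)
 Logon Type: 3

ID 540:
Successful Network Logon:
 User Name: iistest
 Domain: DOM
 Logon ID: (0x0,0xF640E0)
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: TATOOINE
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split event text into dicts, one per 'ID nnn:' record."""
    events = []
    for line in text.splitlines():
        m = re.match(r"^\s*ID (\d+):\s*$", line)
        if m:
            events.append({"ID": int(m.group(1))})
            continue
        f = FIELD.match(line)
        # Lines such as "User Logoff:" have no value and are skipped.
        if f and events and f.group(2):
            events[-1][f.group(1).strip()] = f.group(2).strip()
    return events

def null_sessions(events):
    """Network (type 3) sessions opened without credentials."""
    return [e for e in events
            if e.get("Logon Type") == "3"
            and e.get("User Name", "").upper() == "ANONYMOUS LOGON"]

def network_accounts(events):
    """DOMAIN\\user for each successful network logon (event 540)."""
    return [f'{e.get("Domain")}\\{e.get("User Name")}'
            for e in events if e["ID"] == 540]
```
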