Re: Virtual Directory - Permission Denied with fso CopyFile

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 09/11/04


Date: Fri, 10 Sep 2004 20:28:04 -0700

Hmm. Well, it is working perfectly for me as I had described -- I just went
and tried it all out on two WS03 machines.

1. I wrote an ASP page which called CopyFile ( "C:\local.file",
"\\archive\share\remote.file" )
2. I shared out the ASP page onto a UNC share
3. I configured IIS on another machine to use that UNC share as its website
root and created "C:\local.file" on it
4. I configured the same username/password on both the machine with the UNC
share and the IIS machine
5. I set both ConnectAs and AnonymousUser to this user credential
6. I made sure that the user credential had Write/Modify access on the
remote file system
7. The UNC share was Everyone:Full

I made an anonymous request to the ASP page, and the file copied from the
web server where ASP executes to a separate remote server.

FYI: This scenario only works if you use Basic or Anonymous
authentication -- Integrated will not work because it'd be a double-hop
issue (you'd get Access Denied). But, you're only using anonymous
authentication, so there should be no problems.

So, I'm really out of ideas because it works. You can try using FileMon
(www.sysinternals.com) on the server to see which credentials are actually
failing the CopyFile in your scenario, turn on Anonymous and configure it
with a shared credential between IIS and the archive server, and turn off
any other authentication schemes. The ConnectAs credentials are really
irrelevant to this whole thing because IIS first uses ConnectAs credentials
to obtain the ASP page, then executes the ASP page using the impersonated
credentials (in anonymous authentication, it's the configured anonymous
user). So in your scenario, as long as the configured anonymous user has
write access through the UNC share and its filesystem, it works.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Barry" <no_one@home.net> wrote in message
news:Of5vpl0lEHA.3428@TK2MSFTNGP11.phx.gbl...
David,
In answer to your questions:
1. The fso.CopyFile is server side.  The pdf generation is on our server as
well as the copying of the file to the archive directory.
2. Domain Admins, Enterprise Admins, Everyone and IUSR_<machinename> have
all privileges on the filesystem
3. Everyone has full control, change and read for the share
-I've setup the site to use the IUSR_<machinename> in the "Connect As"
I went through all these steps and I'm still getting the access denied
error.
Any ideas?
Thanks,
Barry
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:u25%23DKxlEHA.3520@tk2msftngp13.phx.gbl...
> Access denied with filesystems indicates that the identity executing the
> CopyFile does not have permissions on the named remote resource.  Thus, you
> need to clearly describe your settings such that you can determine what the
> identity is, and what the permissions are.  Please clarify the following:
>
> 1. Is Fso.CopyFile executed as client-side script or server-side script
> (i.e. is the PDF copied from the user's machine to the archive server, or
> from the web server to the archive server).
> 2. What are the ACLs of the Filesystem namespace mapped to the UNC share
> 3. What are the ACLs of the UNC share itself
>
> "Connect As" only affects IIS retrieving resources from remote servers,
> while Fso.CopyFile is script executed by a ScriptEngine with no relation to
> "Connect As". Based on your current description, you should:
> 1. Set "Connect As" to be the IUSR.  Make sure this IUSR account exists on
> both web server and archive server and has the same credentials (i.e. you
> can use either two identically named local accounts with synchronized
> passwords, or a single domain account).
> 2. Set the ACLs of the FileSystem namespace to allow Write & Modify access
> to IUSR (if server-side script) or the individual remote authenticated user
> (if client-side script)
> 3. Set the ACLs on the UNC share to Everyone:Full.  This allows you to
> control access with purely filesystem ACLs without the confusion of the UNC
> share ACLs
>
> I suggest reading this URL for more info on how UNC shares work.
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Barry" <no_one@home.net> wrote in message
> news:ekqu4LnlEHA.3988@tk2msftngp13.phx.gbl...
> I have 2 servers running win2k, one is a web server and the other is going
> to be an archive server.  The process would be that a user generates a pdf
> report, and then they would choose to archive the report in which the file
> would then be copied to the archive directory.
>
> Both servers are running win2k which is currently my test servers and my
> live servers will be win2k3.  I've setup the archive directory for sharing
> and given everyone all permissions except full control.  I've setup the
> virtual directory within my site using \\<ip>\archive, where the connect as
> has been setup using my username/password (I'm a domain admin, this is too
> wide open, but I'm just trying to get it to work for now).  The site is
> using anonymous access.  I've even given the archive directory anonymous,
> everyone and iusr_machinename sharing and security permission for all
> permissions except full control.
>
> The problem that I'm running into is when a user selects save, I create a
> FileSystemObject and use the CopyFile function to which I get a permission
> denied error.
>
> Any ideas?
>
> Thanks,
> Barry
>
>
>
>
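
A diagnostic page for the test described in the top post, added here as an example and not code from the thread: it prints the authentication scheme and the account the script runs under, then attempts the same CopyFile and reports the VBScript error. The paths are the ones used in that test; reading the thread's user name through WScript.Network is an assumption about how the identity is obtained.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic example; not part of the original thread.
' SRC and DST are the paths from the test in the top post.
Const SRC = "C:\local.file"
Const DST = "\\archive\share\remote.file"

Dim net, fso, authType, errNum, errText
Response.ContentType = "text/plain"

' AUTH_TYPE is empty for an anonymous request and names the scheme
' (for example Basic) when the client authenticated.
authType = Request.ServerVariables("AUTH_TYPE")
If authType = "" Then authType = "(anonymous)"
Response.Write "Auth scheme : " & authType & vbCrLf
Response.Write "LOGON_USER  : " & Request.ServerVariables("LOGON_USER") & vbCrLf

' Assumption: WScript.Network.UserName returns the account the script
' thread is impersonating, i.e. the identity that performs CopyFile
' (the configured anonymous user under anonymous authentication).
Set net = Server.CreateObject("WScript.Network")
Response.Write "Web server  : " & net.ComputerName & vbCrLf
Response.Write "Running as  : " & net.UserName & vbCrLf

' Attempt the copy and capture the error before anything can clear it.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
On Error Resume Next
fso.CopyFile SRC, DST, True
errNum = Err.Number
errText = Err.Description
On Error GoTo 0

If errNum = 0 Then
    Response.Write "CopyFile    : OK" & vbCrLf
Else
    ' VBScript error 70 is "Permission denied": the account printed above
    ' lacks access through the share or the file system ACLs, or it could
    ' not authenticate to the archive server at all.
    Response.Write "CopyFile    : failed, error " & errNum & " (" & errText & ")" & vbCrLf
End If
%>
```

Compare the "Running as" account with the account that has Write/Modify on the archive file system, and delete the page after the test since it discloses the account name.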