Re: Virtual Directory - Permission Denied with fso CopyFile

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/19/04


Date: Thu, 18 Nov 2004 23:19:30 -0800

Strange. What you describe works for me, and I followed your setup exactly
as-is.

In fact, I put both the ASP page on the local machine and on a UNC vdir and
both work -- I can have the ASP page on UNC copy to a local or remote share,
and ASP page on local filesystem copy to local or remote share. All this
worked with either the administrator (same identity on both machines) or
TestUser (normal user account with same credentials on all machines).

Can you please describe what Authentication protocols you have enabled.
Only Anonymous and Basic authentication will work with this configuration
because they are insecure and implicitly delegate a user's credentials.
Integrated and other secure authentication protocols require additional
configuration and common AD for trust configuration.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Bill" <Bill@discussions.microsoft.com> wrote in message
news:C99614E5-30DE-4A54-B2E7-5D90A5BF998B@microsoft.com...
Well, let me ensure I'm understanging this correctly by outlining what I've
done.
1. I created a share on a remote server (remote to the IIS server).  In
reviewing it's sharing permissions and security tab permissions "everyone"
has "full control"  It was that way by default.  I changed nothing.
2. I created a virtual directory in IIS that points to \\remoteserver\share
and gave it an account with the same name and password on both systems -->
it
is in fact, the local machine administrator account in both cases.  I've
also
tried creating a 3rd unrelated account on both systems named the same with
matching passwords.  Still no dice.
3. I have read a number of q-articles and one suggested opening the
"directory security" tab on the vdir and selecting, edit, edit and manually
setting the account to be used.  I did this and I told IIS not to manage the
password.  In addition I removed the "nt authentication" on the 1st part of
that tab.  All these things have been tried ...
Here's the code I'm using:
<% Option Explicit %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<title></title>
</head>
<body>
<%
On Error Resume Next
dim fso
dim str_vDirName
dim int_id
dim str_vDirPath
dim str_LocalFileName
dim str_DestinationFileName
dim str_DestinationPath
str_vDirName = "mrtg"
' as defined in IIS
int_id = 161829
' a subdirectory to store data in
str_vDirPath = server.MapPath(str_vDirName)
str_DestinationPath = str_vDirPath & "\" & int_id & "\"
str_DestinationFileName = "sample.jpg"
' put a copy of this file in the root of the vdir for display
' testing.
str_LocalFileName = "c:\sample.jpg"
' local to the web server
Response.Write("<p>The physical path to the vDir is:&nbsp;<b style='color:
red;'>" & str_vDirPath & "</b>")
Response.Write("<p>An image file from the vDir:&nbsp;<br><img alt='BROKEN'
src='/" & str_vDirName & "/" & str_DestinationFileName & "'>")
set fso = Server.CreateObject("Scripting.FileSystemObject")
response.write ("<p>The folder&nbsp;" & str_DestinationPath &
"&nbsp;exists: <b style='color: red;'>" &
fso.folderexists(str_DestinationPath) & "</b>")
response.write ("<p>The file&nbsp;" & str_vDirPath & "\" &
str_DestinationFileName & "&nbsp;exists: <b style='color: red;'>" &
fso.fileexists(str_vDirPath & "\" & str_DestinationFileName) & "</b>")
if fso.FileExists(str_LocalFileName) then
' the source file exists
call fso.CopyFile(str_LocalFileName,str_DestinationPath &
str_DestinationFileName)
Response.Write("<p>Copying an image from the local machine to the virtual
directory ...")
end if
Response.Write("<p>Displaying the copied image:&nbsp;<br><img alt='BROKEN'
src='" & str_vDirName & "/" & int_id & "/" & str_DestinationFileName & "'>")
if Err <> 0 then
Response.Write("<p><br>There was an error in the web application.  The
error was:&nbsp;<b style='color: red;'>" & err.Description & "</b>")
Err.clear
end if
set fso = nothing
%>
</body>
</html>
The code assumes you have a copy of sample.jpg in both the root of C on the
web server and in the root of the virtual directory.  The 2nd is used as a
display test to ensure your vdir is correct.
I have 2 vdirs created to test this.  1 sits on the local iis server and is
\\iisserver\test --> this one works!  The copy operation works and the
resulting copied image is displayed.  The 2nd vdir is on
\\remoteserver\share.  The test image is displayed, but both folder and file
exists return FALSE and the copy operation ends in a "permission denied."
To
execute these 2 tests the only parameter that is changed is str_vDirName
from
"local" to "remote" (the corresponding vdir names in IIS).
Thanks for the reply!
B
"David Wang [Msft]" wrote:
> Make sure the UNC share allows Read/Write permissions to the user in
> question, in ADDITION to the NTFS ACLs.  UNC Share ACLs is "Read"-only by
> default.
>
> Suggested simplified Filesharing model uses:
> UNC Share -- Everyone Full Control
> NTFS -- actual file ACLs
>
> This removes the UNC Share permissions from the picture, so you just need
to
> match impersonated identity to filesystem ACL to calculate effective
> permissions.  I have no idea what tabs you are looking at, but the only
ones
> that matter for UNC-based content are:
> 1. Identity in IIS.  You control this by choosing Authentication Type
> 2. UNC Share -- right-click properties on the UNC server's share itself
and
> set it to Everyone:F so that you can ignore it
> 3. NTFS ACLs -- right click on the folder/file on the remote server and
set
> permissions appropriately
>
> Very straight forward -- it's always worked like this since beginning of
NT.
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Bill" <Bill@discussions.microsoft.com> wrote in message
> news:4DCA0AB5-C2D6-46F8-A5D4-594C55ED9837@microsoft.com...
> I am having this same problem.  I can "read" from the vdir, but I cannot
> write to it or create folders.  I made accounts on the UNC server for
> IUSR_computername and IWAM_computername and made sure to sync their
> passwords.
>
> After reading through the suggested steps here and Barry's solution I
tried
> created an unrelated 3rd account on both systems with synchronized
> passwords.
>  I also deleted and recreated the vdir with the new account.  No luck.
> Read=good, write/modify=bad.  In reading a M$ q-article I tried setting
the
> account in the directory security tab (of IIS props on vdir) to the
account.
> Still; no luck.
>
> Any other suggestions?
>
> B
>
> "Barry" wrote:
>
> > I have 2 servers running win2k, one is a web server and the other is
going
> > to be an archive server.  The process would be that a user generates a
pdf
> > report, and then they would choose to archive the report in which the
file
> > would then be copied to the archive directory.
> >
> > Both servers are running win2k which is currently my test servers and my
> > live servers will be win2k3.  I've setup the archive directory for
sharing
> > and given everyone all permissions except full control.  I've setup the
> > virtual directory within my site using \\<ip>\archive, where the connect
> as
> > has been setup using my username/password (I'm a domain admin, this is
too
> > wide open, but I'm just trying to get it to work for now).  The site is
> > using anonymous access.  I've even given the archive directory
anonymous,
> > everyone and iusr_machinename sharing and security permission for all
> > permissions except full control.
> >
> > The problem that I'm running into is when a user selects save, I create
a
> > FileSystemObject and use the CopyFile function to which I get a
permission
> > denied error.
> >
> > Any ideas?
> >
> > Thanks,
> > Barry
> >
> >
> >
>
>
>


Relevant Pages

  • RE: SBS 2003/member Web Server and ISUR access
    ... NTFS permissions for the directories and files ... the IIS content directories have the following permissions. ... Server Extensions, ASPNET, SQL Server and other software is installed. ... The IUSR_MachineName account has the following permissions. ...
    (microsoft.public.windows.server.sbs)
  • Re: Virtual Directory - Permission Denied with fso CopyFile
    ... TestUser (normal user account with same credentials on all machines). ... I logged into the IIS server as vdirUser and simply typed ... open and I had read and write permissions to the share. ... I logged off and back into the IIS server as the administrator and deleted ...
    (microsoft.public.inetserver.iis)
  • Re: Server Unavailable - ASP.NET 2.0 on Windows XP
    ... The error message is "Server Application Unavailable". ... The user account I've ... Please review the permissions outlined in this article. ... So I switched to that directory in Command Prompt and tried the ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Server Unavailable - ASP.NET 2.0 on Windows XP
    ... Please review the permissions outlined in this article. ... Make sure that the HOME-WKSTATION\ASPNET account has been assigned NTFS ... So I switched to that directory in Command Prompt and tried the following... ... I'm still getting the "Server Unavailable" error... ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Front end server OWA redirection
    ... > Here is a list of the permissions I have configured in IIS and Exchange. ... > server and the BE server serves up the data. ... > Exchweb vdir - Anonymous only ...
    (microsoft.public.exchange2000.admin)