Re: Virtual Directory - Permission Denied with fso CopyFile

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/25/04


Date: Wed, 24 Nov 2004 20:48:26 -0800

Ok, if you did Basic authentication using vdirUser and it *still* does not
work, the problem is probably not coming from IIS.

Now, most of the configuration changes that you made have NOTHING to do with
Fso.CopyFile -- let me explain.

> Using that same account to "connect as" in the virtual directory
> allows for read-only access.

The "Connect As" account controls the user credential that IIS uses to
access a UNC Vdir (i.e. /vdir maps to \\server\share, so /vdir/page.asp maps
to \\server\share\page.asp, and IIS uses this credential to access
\\server\share\page.asp ). This has nothing to do with your situation since
your Vdir is on the local filesystem. IIS is accessing the ASP page, which
is on the local filesystem -- and meanwhile, the ASP page is doing the
CopyFile to UNC -- IIS is not involved here. Distinguish this from IIS
accessing the ASP page, which happens to be on a UNC share, and thus
UNCUserName comes into play.

> That's when I've changed the authentication settings under
> the virtual directories "directory security" tab. I've edited
> the anonymous credentials to match the vdirUser rather
> than the IUSR_machinename account.

This user account setting controls the user credentials that IIS uses for
"anonymous authenticated" access. Thus, without the browser using anonymous
authentication, this setting is not in effect.

> I've removed the check box for integrated authentication and I've
> even tried "basic" authentication.

Basic authentication should work. If it doesn't, the problem is not likely
to be with IIS. I highly suggest that you only enable one authentication
protocol at a time to make sure that you know what authentication is in
play.

> I *do* have read, write, and browse permissions enabled
> when creating the vdir.

If you set these values in the IIS Manager, it only affects whether IIS
allows you to retrieve resources using GET, PUT, and "/" when DefaultDoc is
not set. It says nothing about the underlying NTFS ACLs on the resources,
which you STILL need to synchronize. In other words, if you set Write
permissions in IIS Manager UI but deny Everyone Write access on the NTFS
resources, you will get access denied when you try to do a PUT or
FSO.CreateFile/Write in that NTFS directory. In other words, IIS allows the
PUT verb only when "Write" permission is enabled in IIS Manager UI. Even
after IIS allows the PUT request, the authenticated identity MUST have Write
access on NTFS to be able to do the actual PUT of the file.

Maybe you can give AuthDiag a try -- a tool we designed to help troubleshoot
access-denied issues.

http://www.microsoft.com/downloads/details.aspx?FamilyId=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en

You probably want to try to get a UNC PUT under Basic Auth to simulate what
you are doing within the ASP page (AuthDiag looks at issues involving IIS,
not arbitrary programs running on top of IIS).

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Bill" <Bill@discussions.microsoft.com> wrote in message
news:99F4DE63-EFF2-4AF9-AD3A-7348DE9EE44D@microsoft.com...
Sorry about that.  I had originally clicked reply to the wrong message in
the thread.  Didn't know if you'd get notified that I had posted something.

I have tried and re-tried all of those things you mention.  I can log into
the IIS server as "vdirUser", an account I created to test this whole
process, and simply doing \\remoteserver\share brings up an explorer window
without prompting for a password so I know I have them in synch.  Then I
right click in both the root of the share and the subdirectory outlined in
my code and create a new file.  It works.

Using that same account to "connect as" in the virtual directory allows for
read-only access.  That's when I've changed the authentication settings
under the virtual directories "directory security" tab.  I've edited the
anonymous credentials to match the vdirUser rather than the
IUSR_machinename account.  I've removed the check box for integrated
authentication and I've even tried "basic" authentication.

I *do* have read, write, and browse permissions enabled when creating the
vdir.  "Everyone" as well as the individually named accounts I've tried have
been granted "Full Control" on both the sharing security and the NTFS
permissions on the remote server.

I even added both of the boxes into the domain and tried using the domain
admin account to make the thing work.  Still the same ... read only.  I'm at
my wits' end on this.

Thanks for your assistance,
Bill
"David Wang [Msft]" wrote:
> Since you repeated a post after this one, I'm repeating this post after
> yours.
>
> Strange.  What you describe works for me, and I followed your setup
> exactly as-is.
>
> In fact, I put both the ASP page on the local machine and on a UNC vdir
> and both work -- I can have the ASP page on UNC copy to a local or remote
> share, and ASP page on local filesystem copy to local or remote share.
> All this worked with either the administrator (same identity on both
> machines) or TestUser (normal user account with same credentials on all
> machines).
>
> Can you please describe what Authentication protocols you have enabled.
> Only Anonymous and Basic authentication will work with this configuration
> because they are insecure and implicitly delegate a user's credentials.
> Integrated and other secure authentication protocols require additional
> configuration and common AD for trust configuration.
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Bill" <Bill@discussions.microsoft.com> wrote in message
> news:A20DC8D2-A5D7-456F-B580-58C288312280@microsoft.com...
> More data ...
>
> I still have not gotten this to work.  I did, however, conduct a test with
> the "new" account.  I created a local system account on each server named
> "vdirUser" and synchronized their passwords.
>
> I logged into the IIS server as vdirUser and simply typed
> \\remoteserver\share in the Start->Run dialog.  The explorer window popped
> open and I had read and write permissions to the share.
>
> I logged off and back into the IIS server as the administrator and deleted
> and recreated the virtual directory.  I used the "vdirUser" account and
> selected both read and write permissions.  This didn't work.  So, I opened
> the properties and directory security tab.  I changed the
> IUSR_computername account to the "vdirUser" account and unchecked the box
> to let IIS manage the password.  This didn't work.  So, finally, I opened
> the directory security tab for the virtual directory and unchecked the
> windows authentication.  This didn't work.  Did the same thing but enabled
> "basic" authentication.  This didn't work.
>
> I'm obviously still missing something, but I can't for the life of me
> figure out what.
>
> B
>
> "David Wang [Msft]" wrote:
>
> > Strange.  What you describe works for me, and I followed your setup
> > exactly as-is.
> >
> > In fact, I put both the ASP page on the local machine and on a UNC vdir
> > and both work -- I can have the ASP page on UNC copy to a local or remote
> > share, and ASP page on local filesystem copy to local or remote share.
> > All this worked with either the administrator (same identity on both
> > machines) or TestUser (normal user account with same credentials on all
> > machines).
> >
> > Can you please describe what Authentication protocols you have enabled.
> > Only Anonymous and Basic authentication will work with this
> > configuration because they are insecure and implicitly delegate a user's
> > credentials.  Integrated and other secure authentication protocols
> > require additional configuration and common AD for trust configuration.
> >
> > -- 
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > //
> > "Bill" <Bill@discussions.microsoft.com> wrote in message
> > news:C99614E5-30DE-4A54-B2E7-5D90A5BF998B@microsoft.com...
> > Well, let me ensure I'm understanding this correctly by outlining what
> > I've done.
> >
> > 1. I created a share on a remote server (remote to the IIS server).  In
> > reviewing its sharing permissions and security tab permissions
> > "everyone" has "full control".  It was that way by default.  I changed
> > nothing.
> >
> > 2. I created a virtual directory in IIS that points to
> > \\remoteserver\share and gave it an account with the same name and
> > password on both systems --> it is in fact, the local machine
> > administrator account in both cases.  I've also tried creating a 3rd
> > unrelated account on both systems named the same with matching
> > passwords.  Still no dice.
> >
> > 3. I have read a number of q-articles and one suggested opening the
> > "directory security" tab on the vdir and selecting, edit, edit and
> > manually setting the account to be used.  I did this and I told IIS not
> > to manage the password.  In addition I removed the "nt authentication"
> > on the 1st part of that tab.  All these things have been tried ...
> >
> > Here's the code I'm using:
> >
> > <% Option Explicit %>
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
> > "http://www.w3.org/TR/html4/strict.dtd">
> > <html>
> > <head>
> > <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
> > <title></title>
> > </head>
> > <body>
> > <%
> > On Error Resume Next
> >
> > dim fso
> > dim str_vDirName
> > dim int_id
> > dim str_vDirPath
> > dim str_LocalFileName
> > dim str_DestinationFileName
> > dim str_DestinationPath
> >
> > str_vDirName = "mrtg"
> > ' as defined in IIS
> > int_id = 161829
> > ' a subdirectory to store data in
> > str_vDirPath = server.MapPath(str_vDirName)
> > str_DestinationPath = str_vDirPath & "\" & int_id & "\"
> > str_DestinationFileName = "sample.jpg"
> > ' put a copy of this file in the root of the vdir for display
> > ' testing.
> > str_LocalFileName = "c:\sample.jpg"
> > ' local to the web server
> >
> >
> > Response.Write("<p>The physical path to the vDir is: " & _
> >   "<b style='color: red;'>" & str_vDirPath & "</b>")
> >
> > Response.Write("<p>An image file from the vDir: <br><img alt='BROKEN' " & _
> >   "src='/" & str_vDirName & "/" & str_DestinationFileName & "'>")
> >
> > set fso = Server.CreateObject("Scripting.FileSystemObject")
> >
> > response.write ("<p>The folder " & str_DestinationPath & _
> >   " exists: <b style='color: red;'>" & _
> >   fso.folderexists(str_DestinationPath) & "</b>")
> > response.write ("<p>The file " & str_vDirPath & "\" & _
> >   str_DestinationFileName & " exists: <b style='color: red;'>" & _
> >   fso.fileexists(str_vDirPath & "\" & str_DestinationFileName) & "</b>")
> >
> > if fso.FileExists(str_LocalFileName) then
> > ' the source file exists
> >
> > call fso.CopyFile(str_LocalFileName, str_DestinationPath & _
> >   str_DestinationFileName)
> > Response.Write("<p>Copying an image from the local machine to the " & _
> >   "virtual directory ...")
> >
> > end if
> >
> > Response.Write("<p>Displaying the copied image: <br><img alt='BROKEN' " & _
> >   "src='" & str_vDirName & "/" & int_id & "/" & str_DestinationFileName & _
> >   "'>")
> >
> > if Err <> 0 then
> >
> > Response.Write("<p><br>There was an error in the web application.  The " & _
> >   "error was: <b style='color: red;'>" & err.Description & "</b>")
> > Err.clear
> >
> > end if
> >
> > set fso = nothing
> > %>
> > </body>
> > </html>
> >
> > The code assumes you have a copy of sample.jpg in both the root of C on
> > the web server and in the root of the virtual directory.  The 2nd is
> > used as a display test to ensure your vdir is correct.
> >
> > I have 2 vdirs created to test this.  1 sits on the local iis server and
> > is \\iisserver\test --> this one works!  The copy operation works and the
> > resulting copied image is displayed.  The 2nd vdir is on
> > \\remoteserver\share.  The test image is displayed, but both folder and
> > file exists return FALSE and the copy operation ends in a "permission
> > denied."  To execute these 2 tests the only parameter that is changed is
> > str_vDirName from "local" to "remote" (the corresponding vdir names in
> > IIS).
> >
> > Thanks for the reply!
> >
> > B
> >
> > "David Wang [Msft]" wrote:
> >
> > > Make sure the UNC share allows Read/Write permissions to the user in
> > > question, in ADDITION to the NTFS ACLs.  UNC Share ACLs are "Read"-only
> > > by default.
> > >
> > > Suggested simplified Filesharing model uses:
> > > UNC Share -- Everyone Full Control
> > > NTFS -- actual file ACLs
> > >
> > > This removes the UNC Share permissions from the picture, so you just
> > > need to match impersonated identity to filesystem ACL to calculate
> > > effective permissions.  I have no idea what tabs you are looking at,
> > > but the only ones that matter for UNC-based content are:
> > > 1. Identity in IIS.  You control this by choosing Authentication Type
> > > 2. UNC Share -- right-click properties on the UNC server's share itself
> > > and set it to Everyone:F so that you can ignore it
> > > 3. NTFS ACLs -- right click on the folder/file on the remote server and
> > > set permissions appropriately
> > >
> > > Very straight forward -- it's always worked like this since beginning
> > > of NT.
> > >
> > > -- 
> > > //David
> > > IIS
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > //
> > > //
> > > "Bill" <Bill@discussions.microsoft.com> wrote in message
> > > news:4DCA0AB5-C2D6-46F8-A5D4-594C55ED9837@microsoft.com...
> > > I am having this same problem.  I can "read" from the vdir, but I
> > > cannot write to it or create folders.  I made accounts on the UNC server
> > > for IUSR_computername and IWAM_computername and made sure to sync their
> > > passwords.
> > >
> > > After reading through the suggested steps here and Barry's solution I
> > > tried creating an unrelated 3rd account on both systems with
> > > synchronized passwords.  I also deleted and recreated the vdir with the
> > > new account.  No luck.  Read=good, write/modify=bad.  In reading a M$
> > > q-article I tried setting the account in the directory security tab (of
> > > IIS props on vdir) to the account.  Still; no luck.
> > >
> > > Any other suggestions?
> > >
> > > B
> > >
> > > "Barry" wrote:
> > >
> > > > I have 2 servers running win2k, one is a web server and the other is
> > > > going to be an archive server.  The process would be that a user
> > > > generates a pdf report, and then they would choose to archive the
> > > > report in which the file would then be copied to the archive
> > > > directory.
> > > >
> > > > Both servers are running win2k which is currently my test servers and
> > > > my live servers will be win2k3.  I've setup the archive directory for
> > > > sharing and given everyone all permissions except full control.  I've
> > > > setup the virtual directory within my site using \\<ip>\archive, where
> > > > the connect as has been setup using my username/password (I'm a domain
> > > > admin, this is too wide open, but I'm just trying to get it to work
> > > > for now).  The site is using anonymous access.  I've even given the
> > > > archive directory anonymous, everyone and iusr_machinename sharing and
> > > > security permission for all permissions except full control.
> > > >
> > > > The problem that I'm running into is when a user selects save, I
> > > > create a FileSystemObject and use the CopyFile function to which I get
> > > > a permission denied error.
> > > >
> > > > Any ideas?
> > > >
> > > > Thanks,
> > > > Barry
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
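
The layering discussed in this thread, as an added example that is not code from any poster or from IIS: a small Python model that reports which layer first refuses a write. The `Setup` fields, the result labels and the scenarios are constructed; deny entries and the extra configuration Integrated authentication needs are left out.

```python
from dataclasses import dataclass

# Per the thread, only these schemes let IIS reuse credentials on a remote host.
CAN_REACH_REMOTE = {"anonymous", "basic"}

@dataclass
class Setup:                  # constructed model, not an IIS API
    auth: str                 # the single authentication scheme enabled
    anon_user: str            # account configured for anonymous access
    iis_write: bool           # "Write" checkbox in IIS Manager
    target_is_unc: bool       # destination folder is on \\server\share
    share_acl: dict           # principal -> rights on the share
    ntfs_acl: dict            # principal -> rights on the destination folder

def effective_identity(s, login_user):
    """Anonymous requests run as the configured anonymous account."""
    return s.anon_user if s.auth == "anonymous" else login_user

def has_write(acl, user):
    """Allow entries only (simplification): the user's own plus Everyone."""
    return "write" in (acl.get(user, set()) | acl.get("Everyone", set()))

def first_denial(s, login_user, operation):
    """First layer refusing a 'PUT' (IIS verb) or 'FSO' (script I/O) write."""
    if operation == "PUT" and not s.iis_write:
        return "iis-write-flag"       # IIS rejects the verb before any ACL
    user = effective_identity(s, login_user)
    if s.target_is_unc:
        if s.auth not in CAN_REACH_REMOTE:
            return "credential-hop"   # identity cannot leave the web server
        if not has_write(s.share_acl, user):
            return "share-acl"
    if not has_write(s.ntfs_acl, user):
        return "ntfs-acl"
    return "allowed"

FULL = {"read", "write"}
BASE = dict(auth="basic", anon_user="IUSR_machinename", iis_write=True,
            target_is_unc=True, share_acl={"Everyone": FULL},
            ntfs_acl={"vdirUser": FULL})

def scenarios():
    """Constructed cases using the account names that appear in the thread."""
    def run(op="FSO", **changes):
        return first_denial(Setup(**{**BASE, **changes}), "vdirUser", op)
    return {
        "basic, FSO copy to UNC": run(),
        "anonymous as IUSR": run(auth="anonymous"),
        "integrated, no delegation": run(auth="integrated"),
        "share left read-only": run(share_acl={"Everyone": {"read"}}),
        "PUT, IIS Write off": run(op="PUT", iis_write=False),
        "FSO, IIS Write off": run(iis_write=False),
    }
```

Calling `scenarios()` returns one result per case; the last two differ only in the operation, which shows that the IIS Manager "Write" flag gates the PUT verb and not file I/O performed by a script.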

