Help! FileUploading, Windows 2000 permissions, and the ASP.NET account - ASP.NET Security

  1. #1

    Help! FileUploading, Windows 2000 permissions, and the ASP.NET account

    I have a complex problem that needs a lot of background explanation before I can ask questions,
    so here goes....

    Our system consists of two servers.

    -WebUI server - Windows 2000 - runs asp.net pages, and handles http requests.
    All requests go through this frontend public server. Business objects are then called, which
    execute stored procs, etc on the WebSQL server.

    -WebSQL server - Windows 2000 - SQLServer2000 database and file server.
    This server is not public to the internet, but is accessible by the WebUI server.

    A piece of functionality in our ASP.NET web application is to allow a user to upload
    a file. We store a record in the database with information about the file, but
    physically store the file on the hard drive in a special directory structure.
    All files are stored on the WebSQL server, however, not the WebUI server.

    I use an HtmlInputFile control to transfer the file from the user's machine to the
    WebUI server.
    ex:
    txtFile.PostedFile.SaveAs(strFilePath & "\" & strFileName)

    The file path however is a UNC path, like "\\WebSQL\path\etc"

    Getting the WebUI server to be able to save a file to the WebSQL server took some work.
    I got it to work by doing the following:
    1. Made sure both WebUI and WebSQL had the ASPNET account.
    2. Gave the ASPNET account on the WebSQL machine full rights to the subdirectory structure where we save files.
    3. Gave the ASPNET account "List File Contents" rights for the root drive where the previous directory structure exists.
    4. Changed the username/password of the <processModel> section of the machine.config file of the WebUI machine to "ASPNET" and the corresponding password.

    Doing all of this allows us to be able to upload files through a web page interface and save those files on the backend WebSQL server.

    However, for some reason the Administrator account of the WebSQL server CANNOT delete or change permissions on any files or directories that were created by the ASPNET account - even though Administrator is shown with FULL CONTROL on the file or directory?!?

    I discovered that if you go into the file properties from File Explorer, even though it does not allow the administrator to change ANY security permissions for this specific file or dir, you can go to the Advanced dialog and change the OWNER to the Administrator. For some reason the previous owner said "Unknown". Once the file or directory has been set to Administrator then you can give the correct security rights to the file and actually delete it through Windows Explorer.

    So my question is:
    -How can I give the ASPNET (on the WebSQL server) account better permissions so that when a file is written, anyone that has the correct permissions can delete/modify/etc the file OTHER than the aspnet account?

    -OR is there a better way to do what I am trying to accomplish?

    Thank you for reading this long message.

    Brian

    Brian Guest

  2. #2

    RE: Help! FileUploading, Windows 2000 permissions, and the ASP.NET account

    The ASPNET account is a local account to both machines. There is a method
    of working around the double-hop NTLM problem which required accounts of
    the same name to be included on two different machines to allow
    authentication. I think this is why the scenario you outline is working,
    i.e. because both machines have an account with the same name. I'm
    assuming that you do not impersonate the IIS authenticated user. The
    resulting behaviour sounds like the ACLs on the files created are incorrect
    in some way probably due to the fact that

    To work around this you could create a domain account that is solely
    dedicated to running the ASP.NET process and having permissions on the SQL
    machine. It should be locked down in all other areas. With this scenario
    you have an authentication mechanism as a third party to the two machines
    and is recognised by both.

    You could also try setting something up with Kerberos but again you have to
    be very careful about introducing security holes onto the network.

    Chris Marchal
    Microsoft UK Developer Support
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Chris Marchal[MSFT] Guest
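
The dedicated-account setup suggested in the reply above, sketched as a machine.config fragment next to the local-account setting from step 4 of the question. This is an added example, not part of the original thread; the domain and account name `EXAMPLEDOM\svc-aspnet-upload` and both password placeholders are assumptions.

```xml
<!-- machine.config on the WebUI server (fragment). Added illustration; the
     account name and password placeholders below are assumptions. Other
     processModel attributes are left as they are and omitted here. -->
<configuration>
  <system.web>

    <!-- Setup described in the question (step 4): the worker process runs as
         the local ASPNET account, and WebSQL carries a separate local account
         with the same name and password. Shown commented out.

    <processModel userName="ASPNET" password="PLACEHOLDER-local-password" />
    -->

    <!-- Setup suggested in the reply: one domain account that both machines
         can authenticate, used only for the ASP.NET worker process. -->
    <processModel userName="EXAMPLEDOM\svc-aspnet-upload"
                  password="PLACEHOLDER-service-password" />

  </system.web>
</configuration>
```

With this form the password sits in clear text in machine.config, so the file's ACL on WebUI needs to be limited to administrators and the worker account. On WebSQL the account is granted rights on the upload directory tree only, in line with the reply's "locked down in all other areas".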
