Writing to a network share

[Tyler Davey]

I posted this message in dotnet.framework.security, and was told to repost it her

Alright, I've been trying to figure out the solution to this problem for a few days and I'm officially stumped.

My web app server, Machine A, needs the ability to create a file(xml) on my db server, Machine B. The application performs this task after a user invokes a business object through an ASP.net page. Now, if I do this on the app server (ie, log on locally), it works fine. However, if i do this from another client machine, Machine C, I get the beautiful error message

Access to path \\machineb\log\log.xml is denied

<code
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access to the path "\\orchard\Log\test.xml" is denied.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET write access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access

</code

Now, here is what I've done

I've given full control to the directory on the network share to everyon
I've changed machine.config process model to the SYSTEM account. When that didn't work, I changed it to my network account, which has local admin rights on the network
I've tried mucking around with the Internet zone permissions and Intranet zone permissions through the .net tools, giving both full trust priviledges, no luc
We've set the asp.net service to log on as a local system account, network system account, my domain account, and finally, the domains admin account, still no luc

My code is very simple

<code
private void Button1_Click(object sender, System.EventArgs e

XmlTextWriter writer = new XmlTextWriter(@"\\machinea\Log\log.xml", Encoding.UTF8)
writer.WriteStartDocument()
writer.WriteStartElement("DATA")
writer.WriteElementString("TEST", "Is this going to work")
writer.WriteEndElement()
writer.WriteEndDocument()
writer.Close()

</code

So, what am I missing?

[Prodip Saha]

Take a close look at this document--
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication.

Or,
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp[/url]

If you are using Windows Authentication--follow the Mirrored Account with No impersonation. That's the easiest way to access network resources.


"Tyler Davey" <anonymous@discussions.microsoft.com> wrote in message news:715EB9C1-2DD9-4E52-B902-284DA7833F6D@microsoft.com...

> I posted this message in dotnet.framework.security, and was told to repost it here
>
> Alright, I've been trying to figure out the solution to this problem for a few days and I'm officially stumped.
>
> My web app server, Machine A, needs the ability to create a file(xml) on my db server, Machine B. The application performs this task after a user invokes a business object through an ASP.net page. Now, if I do this on the app server (ie, log on locally), it works fine. However, if i do this from another client machine, Machine C, I get the beautiful error message:
>
> Access to path \\machineb\log\log.xml is denied.
>
> <code>
> Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
>
> Exception Details: System.UnauthorizedAccessException: Access to the path "\\orchard\Log\test.xml" is denied.
>
> ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
>
> To grant ASP.NET write access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
>
> </code>
>
> Now, here is what I've done:
>
> I've given full control to the directory on the network share to everyone
> I've changed machine.config process model to the SYSTEM account. When that didn't work, I changed it to my network account, which has local admin rights on the network.
> I've tried mucking around with the Internet zone permissions and Intranet zone permissions through the .net tools, giving both full trust priviledges, no luck
> We've set the asp.net service to log on as a local system account, network system account, my domain account, and finally, the domains admin account, still no luck
>
> My code is very simple:
>
> <code>
> private void Button1_Click(object sender, System.EventArgs e)
> {
> XmlTextWriter writer = new XmlTextWriter(@"\\machinea\Log\log.xml", Encoding.UTF8);
> writer.WriteStartDocument();
> writer.WriteStartElement("DATA");
> writer.WriteElementString("TEST", "Is this going to work");
> writer.WriteEndElement();
> writer.WriteEndDocument();
> writer.Close();
> }
> </code>
>
> So, what am I missing?
>
>

[Ken Schaefer]

Hi

Machine\ASPNET is a local account - it can't be assigned permissions to
remote resources
LocalSystem is also a local account.

Try using a *domain* account that has permissions to the remote resource.

Cheers
Ken

"Tyler Davey" <anonymous@discussions.microsoft.com> wrote in message
news:715EB9C1-2DD9-4E52-B902-284DA7833F6D@microsoft.com...
: I posted this message in dotnet.framework.security, and was told to repost
it here
:
: Alright, I've been trying to figure out the solution to this problem for a
few days and I'm officially stumped.
:
: My web app server, Machine A, needs the ability to create a file(xml) on
my db server, Machine B. The application performs this task after a user
invokes a business object through an ASP.net page. Now, if I do this on the
app server (ie, log on locally), it works fine. However, if i do this from
another client machine, Machine C, I get the beautiful error message:
:
: Access to path \\machineb\log\log.xml is denied.
:
: <code>
: Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
:
: Exception Details: System.UnauthorizedAccessException: Access to the path
"\\orchard\Log\test.xml" is denied.
:
: ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or
Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user.
:
: To grant ASP.NET write access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the
boxes for the desired access.
:
: </code>
:
: Now, here is what I've done:
:
: I've given full control to the directory on the network share to everyone
: I've changed machine.config process model to the SYSTEM account. When
that didn't work, I changed it to my network account, which has local admin
rights on the network.
: I've tried mucking around with the Internet zone permissions and Intranet
zone permissions through the .net tools, giving both full trust priviledges,
no luck
: We've set the asp.net service to log on as a local system account, network
system account, my domain account, and finally, the domains admin account,
still no luck
:
: My code is very simple:
:
: <code>
: private void Button1_Click(object sender, System.EventArgs e)
: {
: XmlTextWriter writer = new XmlTextWriter(@"\\machinea\Log\log.xml",
Encoding.UTF8);
: writer.WriteStartDocument();
: writer.WriteStartElement("DATA");
: writer.WriteElementString("TEST", "Is this going to work");
: writer.WriteEndElement();
: writer.WriteEndDocument();
: writer.Close();
: }
: </code>
:
: So, what am I missing?
:
:

[Prodip Saha]

Using domain account to run the aspnet_wp is risky. Compromizing one domain
account is amount to compromizing the whole domain.

Local Machine\ASPNET mirrored account on the remote server with same
password as that of webserver machine is sufficient to access remote
resource.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%230sduLbKEHA.2712@TK2MSFTNGP10.phx.gbl...

> Hi
>
> Machine\ASPNET is a local account - it can't be assigned permissions to
> remote resources
> LocalSystem is also a local account.
>
> Try using a *domain* account that has permissions to the remote resource.
>
> Cheers
> Ken
>
> "Tyler Davey" <anonymous@discussions.microsoft.com> wrote in message
> news:715EB9C1-2DD9-4E52-B902-284DA7833F6D@microsoft.com...
> : I posted this message in dotnet.framework.security, and was told to

repost

> it here
> :
> : Alright, I've been trying to figure out the solution to this problem for

a

> few days and I'm officially stumped.
> :
> : My web app server, Machine A, needs the ability to create a file(xml) on
> my db server, Machine B. The application performs this task after a user
> invokes a business object through an ASP.net page. Now, if I do this on

the

> app server (ie, log on locally), it works fine. However, if i do this

from

> another client machine, Machine C, I get the beautiful error message:
> :
> : Access to path \\machineb\log\log.xml is denied.
> :
> : <code>
> : Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about the error and where it originated in the code.
> :
> : Exception Details: System.UnauthorizedAccessException: Access to the

path

> "\\orchard\Log\test.xml" is denied.
> :
> : ASP.NET is not authorized to access the requested resource. Consider
> granting access rights to the resource to the ASP.NET request identity.
> ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5

or

> Network Service on IIS 6) that is used if the application is not
> impersonating. If the application is impersonating via <identity
> impersonate="true"/>, the identity will be the anonymous user (typically
> IUSR_MACHINENAME) or the authenticated request user.
> :
> : To grant ASP.NET write access to a file, right-click the file in

Explorer,

> choose "Properties" and select the Security tab. Click "Add" to add the
> appropriate user or group. Highlight the ASP.NET account, and check the
> boxes for the desired access.
> :
> : </code>
> :
> : Now, here is what I've done:
> :
> : I've given full control to the directory on the network share to

everyone

> : I've changed machine.config process model to the SYSTEM account. When
> that didn't work, I changed it to my network account, which has local

admin

> rights on the network.
> : I've tried mucking around with the Internet zone permissions and

Intranet

> zone permissions through the .net tools, giving both full trust

priviledges,

> no luck
> : We've set the asp.net service to log on as a local system account,

network

> system account, my domain account, and finally, the domains admin account,
> still no luck
> :
> : My code is very simple:
> :
> : <code>
> : private void Button1_Click(object sender, System.EventArgs e)
> : {
> : XmlTextWriter writer = new XmlTextWriter(@"\\machinea\Log\log.xml",
> Encoding.UTF8);
> : writer.WriteStartDocument();
> : writer.WriteStartElement("DATA");
> : writer.WriteElementString("TEST", "Is this going to work");
> : writer.WriteEndElement();
> : writer.WriteEndDocument();
> : writer.Close();
> : }
> : </code>
> :
> : So, what am I missing?
> :
> :
>
>