file permissions

 
 
James Martin
 
      10-15-2003
I have a W2K server, running IIS 6 and Active Directory
Services. I have an ASP.Net application off the root web
directory named "Apps". Within the IIS Manager I have the
Authentication method set to "Anonymous Access" as well
as "Authenticated Access" using "Integrated Windows
Authentication" for both the root web and the "Apps" sub-
directory. All files and directories under the "Apps"
folder are set in this manner.

The web config file is set to use "Windows" for
Authentication and "*" for Authorization.

Using Explorer I have changed the permissions for one file
in the "Apps" directory. For this file, let's call
it "myfile.aspx", I have removed the "Everyone" group. The
permissions for this file are as follows:

Creator Owner - Full Control
System - Full Control
mydomain\Administrators - Full Control
mydomain\MyGroup - Read, Read/Execute

If I attempt to access any file on this web via a web
browser it works as it should with the exception of this
single file, "myfile.aspx". When attempting to access this
file it will ask for a username/password/domain and will
not accept anyone, including anyone from
the "Administrators" or "MyGroup" groups.
The error I get in the browser is:

Server Error in '/Apps' Application.
-----------------------------------------------------------
---------------------

Access is denied.
Description: An error occurred while accessing the
resources required to serve this request. You might not
have permission to view the requested resources.

Error message 401.3: You do not have permission to view
this directory or page using the credentials you supplied
(access denied due to ACLs). Ask the Web server's
administrator to give you access
to 'c:\inetpub\wwwroot\apps\myfile.aspx'.


-----------------------------------------------------------
---------------------
Version Information: Microsoft .NET Framework
Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

This is the same basic configuration I use on other web
servers for security and have not had this problem before.
I have another server within this domain that is
configured in the same manner that works although it is
not an ASP.Net application. I have tried this from systems
logged into the domain and from systems not logged into
the domain with the same results.
 
 
 
 
 
Jim Cheshire [MSFT]
 
      10-15-2003
James,

In the scenario you describe, you will need to give the aspnet_wp.exe
process account access or make it a member of your group. By default, this
would be the ASPNET account.

You can also enable impersonation and deny unauthenticated users so that
you get the identity of the user actually browsing the site.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(E-Mail Removed)

This post is provided as-is with no warranties and confers no rights.

 
 
 
 
James Martin
 
      10-15-2003
Okay in web.config I have :

<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" userName="" password=""/>


I added mydomain\ASPNET to the ACL.

When I attempt to access the page I am NO LONGER prompted
for a username/password/domain and the web page returned
reports the following:

Server Error in '/Apps' Application.
-----------------------------------------------------------
---------------------

Access is denied.
Description: An unhandled exception occurred during the
execution of the current web request. Please review the
stack trace for more information about the error and where
it originated in the code.

Exception Details: System.ApplicationException: Access is
denied.

Source Error:

An unhandled exception was generated during the execution
of the current web request. Information regarding the
origin and location of the exception can be identified
using the exception stack trace below.

Stack Trace:


[ApplicationException: Access is denied.
]
   System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
   System.Security.Principal.WindowsIdentity.get_Name() +71
   System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user, String verb) +100
   System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user, String verb) +81
   System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +178
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87



 
Jim Cheshire [MSFT]
 
      10-16-2003
James,

This is definitely a permissions issue. The easiest way to troubleshoot
these issues is to use Filemon from www.sysinternals.com. You can get a
log of the request and look for an ACCDENIED. The new version will tell
you what the user account is that is being denied access and where they are
being denied.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(E-Mail Removed)

This post is provided as-is with no warranties and confers no rights.

 
James Martin
 
      10-16-2003
Ok here is what I now know based on some pointers from
ZRH. These are the steps I had to take to enable selective
access to files using Windows as the authentication
format. I chose this format because the management of
users and files is already in place and it does not
require yet another username and password combination to
be remembered.

Keep in mind my configuration included a W2K server, IIS
5, and Active Directory services with the web server also
acting as a Domain Controller. So, having said that, to
control access to a file or directory with W2K and IIS5
when accessed via a web browser you must do the following:

In IIS Management Console set the "Authentication" method
to whatever level you prefer. This can be done for the
folder or virtual directory as well as individual files.
In my case I wish to allow some files to be accessed by
everyone so I have enabled both "Anonymous Access" for
this purpose and under "Authenticated Access" I have
enabled "Integrated Windows authentication". This allows
further access control using NTFS file permissions. The
most restrictive permissions will apply.
Enabling "Anonymous Access" will not allow an
unauthenticated user or user without proper credentials to
access a resource for which he has not been given access
rights through NTFS permissions. As a side note my
installation used the IUSR_machinename as the Anonymous
User account and the checkbox was enabled to allow IIS to
manage the password. Close IIS Management Console.

In Windows Explorer right-click on the file or folder that
you wish to change permissions for. Add or remove groups
and users as needed and change permissions for these
groups and users. I have found that the following accounts
must be added regardless of the other settings and have
found documentation that seems to support this:

Creator Owner - Full Control
System - Full Control
domainname\ASPNET - Read, Read/Execute
domainname\IWAM_machinename - Read, Read/Execute

and any other accounts you wish to have access this
resource. Close Windows Explorer.

Once this has been accomplished go to Start-->Program
Files-->Administrative Tools and open the Domain
Controller Security Policy. Once inside the Domain
Controller Security Policy Console go to Windows
Settings-->Security Settings-->Local Policies-->User Rights
Assignments. In the right hand pane double-click
on "Impersonate a client after authentication". Enable
the "Define these policy settings" checkbox and
click "Add". Click "Browse" then find and select the
account IWAM_machinename and click OK-->OK-->OK. Close the
Domain Controller Security Policy Console.

At a command prompt issue the following command:

secedit /refreshpolicy machine_policy /enforce

then at the command prompt issue the following command:

iisreset

Close the command prompt window. Now we need to modify the
web.config file for the ASP.NET application as follows:

<authentication mode="Windows" />
<authorization>
  <!-- This allows all users to access even if they are outside
       the domain provided NTFS permissions allow it and IIS
       allows "Anonymous Access" -->
  <allow users="*" />
</authorization>
<!-- This allows ASP.NET to impersonate the user requesting a
     restricted resource after authentication has taken place.
     It requires that an account be specified for the
     impersonation on the machine hosting the ASP.NET application -->
<identity impersonate="true"/>

Save the file and check for proper operation of the web
site pages you have modified the permissions for. If
anyone notices inaccuracies in this document please feel free
to make corrections, and thanks again to ZRH.

Here are some external resources I used:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q815171#4
http://4guysfromrolla.411asp.net/
http://www.jsiinc.com/SUBN/tip6900/rh6981.htm

 
Jim Cheshire [MSFT]
 
      10-16-2003
Hi James,

Thanks very much for posting so much good information after resolving your
problem. That will help a lot of people! A couple of clarifications.

1. The "Impersonate a Client After Authentication" is only required if you
are impersonating on a Windows 2000 box.
2. Setting impersonation without explicitly declaring a username and
password with the settings you have configured right now will cause the
application to run under the IUSR account. This is because you are not
specifying a username in your <identity> element and you have anonymous
access enabled. If you want to use the identity of the specific user
browsing the site, you either need to disable anonymous in IIS, or you need
to deny unauthenticated users in your web.config with a <deny users="?" />.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(E-Mail Removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
>Content-Class: urn:content-classes:message
>From: "James Martin" <(E-Mail Removed)>
>Sender: "James Martin" <(E-Mail Removed)>
>References: <037001c39338$6513bd70$(E-Mail Removed)>

<(E-Mail Removed)>
<0a9601c39377$c94fd730$(E-Mail Removed)>
>Subject: RE: file permissions
>Date: Thu, 16 Oct 2003 10:58:46 -0700
>Lines: 286
>Message-ID: <086301c3940f$24d895a0$(E-Mail Removed)>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="iso-8859-1"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
>Thread-Index: AcOUDyTYlIZvxbQ6RYKFOARDgaKPtA==
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Path: cpmsftngxa06.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 7208
>NNTP-Posting-Host: TK2MSFTNGXA08 10.40.1.160
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>Ok here is what I now know based on some pointers from
>ZRH. These are the steps I had to take to enable selective
>access to files using Windows as the authentication
>format. I chose this format because the management of
>users and files is already in place and it does not
>require yet another username and password combination to
>be remembered.
>
>Keep in mind my configuration included a W2K server, IIS
>5, and Active Directory services with the web server also
>acting as a Domain Controller. So, having said that, to
>control access to a file or directory with W2K and IIS5
>when accessed via a web browser you must do the following:
>
>In IIS Management Console set the "Authentication" method
>to whatever level you prefer. This can be done for the
>folder or virtual directory as well as individual files.
>In my case I wish to allow some files to be accessed by
>everyone so I have enabled both "Anonymous Access" for
>this purpose and under "Authenticated Access" I have
>enabled "Integrated Windows authentication". This allows
>further access control using NTFS file permissions. The
>most restrictive permissions will apply.
>Enabling "Anonymous Access" will not allow an
>unauthenticated user or user without proper credentials to
>access a resource for which he has not been given access
>rights through NTFS permissions. As a side note my
>installation used the IUSR_machinename as the Anonymous
>User account and the checkbox was enabled to allow IIS to
>manage the password. Close IIS Management Console.
>
>In Windows Explorer right-click on the file or folder that
>you wish to change permissions for. Add or remove groups
>and users as needed and change permissions for these
>groups and users. I have found that the following accounts
>must be added regardless of the other settings and have
>found documentation that seems to support this:
>
>Creator Owner - Full Control
>System - Full Control
>domainname\ASPNET - Read, Read/Execute
>domainname\IWAM_machinename - Read, Read/Execute
>
>and any other accounts you wish to have access this
>resource. Close Windows Explorer.
>
>Once this has been accomplished go to Start-->Program
>Files-->Administrative Tools and open the Domain
>Controller Security Policy. Once inside the Domain
>Controller Security Policy Console go to Windows
>Settings-->Security Settings-->Local Policies-->User Rights
>Assignments. In the right hand pane double-click
>on "Impersonate a client after authentication". Enable
>the "Define these policy settings" checkbox and
>click "Add". Click "Browse" then find and select the
>account IWAM_machinename and click OK-->OK-->OK. Close the
>Domain Controller Security Policy Console.
>
>At a command prompt issue the following command:
>
>secedit /refreshpolicy machine_policy /enforce
>
>then at the command prompt issue the following command:
>
>iisreset
>
>Close the command prompt window. Now we need to modify the
>web.config file for the ASP.NET application as follows:
>
><authentication mode="Windows" />
><authorization>
> <allow users="*" /> <!-- This allows all users to access
>even if they are outside the domain provided NTFS
>permissions allow it and IIS allows "Anonymous Access" -->
></authorization>
><identity impersonate="true"/> <!-- This allows ASP.NET to
>impersonate the user requesting a restricted resource
>after authentication has taken place. It requires that an
>account be specified for the impersonation on the machine
>hosting the ASP.NET application -->
>
>Save the file and check for proper operation of the web
>site pages you have modified the permissions for. If
>anyone notices inaccuracies in this document please feel free
>to make corrections and thanks again to ZRH.
>
>Here are some external resources I used:
>
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q815171#4
>http://4guysfromrolla.411asp.net/
>http://www.jsiinc.com/SUBN/tip6900/rh6981.htm
>
>>-----Original Message-----
>>Okay in web.config I have :
>>
>><authentication mode="Windows" />
>><authorization>
>> <deny users="?" />
>></authorization>
>><identity impersonate="true" userName="" password=""/>
>>
>>
>>I added mydomain\ASPNET to the ACL.
>>
>>When I attempt to access the page I am NO LONGER prompted
>>for a username/password/domain and the web page returned
>>reports the following:
>>
>>Server Error in '/Apps' Application.
>>--------------------------------------------------------------------------------
>>
>>Access is denied.
>>Description: An unhandled exception occurred during the
>>execution of the current web request. Please review the
>>stack trace for more information about the error and where
>>it originated in the code.
>>
>>Exception Details: System.ApplicationException: Access is
>>denied.
>>
>>Source Error:
>>
>>An unhandled exception was generated during the execution
>>of the current web request. Information regarding the
>>origin and location of the exception can be identified
>>using the exception stack trace below.
>>
>>Stack Trace:
>>
>>
>>[ApplicationException: Access is denied.
>>]
>>
>> System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
>> System.Security.Principal.WindowsIdentity.get_Name() +71
>> System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user, String verb) +100
>> System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user, String verb) +81
>> System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +178
>> System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
>> System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
>>
>>
>>
>>>-----Original Message-----
>>>James,
>>>
>>>In the scenario you describe, you will need to give the aspnet_wp.exe
>>>process account access or make it a member of your group. By default, this
>>>would be the ASPNET account.
>>>
>>>You can also enable impersonation and deny unauthenticated users so that
>>>you get the identity of the user actually browsing the site.
>>>
>>>Jim Cheshire [MSFT]
>>>Developer Support
>>>ASP.NET
>>>(E-Mail Removed)
>>>
>>>This post is provided as-is with no warranties and confers no rights.
>>>
>>>--------------------
>>>>From: "James Martin" <(E-Mail Removed)>
>>>>Sender: "James Martin" <(E-Mail Removed)>
>>>>Subject: file permissions
>>>>Date: Wed, 15 Oct 2003 09:21:31 -0700
>>>>
>>>>I have a W2K server, running IIS 6 and Active Directory
>>>>Services. I have an ASP.Net application off the root web
>>>>directory named "Apps". Within the IIS Manager I have the
>>>>Authentication method set to "Anonymous Access" as well
>>>>as "Authenticated Access" using "Integrated Windows
>>>>Authentication" for both the root web and the "Apps"
>>>>sub-directory. All files and directories under the "Apps"
>>>>folder are set in this manner.
>>>>
>>>>The web config file is set to use "Windows" for
>>>>Authentication and "*" for Authorization.
>>>>
>>>>Using Explorer I have changed the permissions for one file
>>>>in the "Apps" directory. For this file, let's call
>>>>it "myfile.aspx", I have removed the "Everyone" group. The
>>>>permissions for this file are as follows:
>>>>
>>>>Creator Owner - Full Control
>>>>System - Full Control
>>>>mydomain\Administrators - Full Control
>>>>mydomain\MyGroup - Read, Read/Execute
>>>>
>>>>If I attempt to access any file on this web via a web
>>>>browser it works as it should with the exception of this
>>>>single file, "myfile.aspx". When attempting to access this
>>>>file it will ask for a username/password/domain and will
>>>>not accept anyone, including anyone from
>>>>the "Administrators" or "MyGroup" groups.
>>>>The error I get in the browser is:
>>>>
>>>>Server Error in '/Apps' Application.
>>>>--------------------------------------------------------------------------------
>>>>
>>>>Access is denied.
>>>>Description: An error occurred while accessing the
>>>>resources required to serve this request. You might not
>>>>have permission to view the requested resources.
>>>>
>>>>Error message 401.3: You do not have permission to view
>>>>this directory or page using the credentials you supplied
>>>>(access denied due to ACLs). Ask the Web server's
>>>>administrator to give you access
>>>>to 'c:\inetpub\wwwroot\apps\myfile.aspx'.
>>>>
>>>>
>>>>--------------------------------------------------------------------------------
>>>>Version Information: Microsoft .NET Framework
>>>>Version:1.1.4322.573; ASP.NET Version:1.1.4322.573
>>>>
>>>>This is the same basic configuration I use on other web
>>>>servers for security and have not had this problem before.
>>>>I have another server within this domain that is
>>>>configured in the same manner that works although it is
>>>>not an ASP.Net application. I have tried this from systems
>>>>logged into the domain and from systems not logged into
>>>>the domain with the same results.
>>>>
>
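
An added example, not part of the thread and not ASP.NET's own code: a small Python audit of the two web.config fragments quoted above. It reports whether an anonymous request gets past URL authorization (rules are walked top-down and the first match decides) and whether impersonation is on. The names `url_authz_allows` and `audit` are made up for this sketch, and it ignores the `roles` and `verbs` attributes.

```python
import xml.etree.ElementTree as ET

# The two fragments posted in the thread, with the XML comments left out.
FINAL_CONFIG = """
<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>
<identity impersonate="true"/>
"""
EARLIER_CONFIG = """
<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
<identity impersonate="true" userName="" password=""/>
"""

def url_authz_allows(rules, user, authenticated):
    """Walk <allow>/<deny> rules top-down; the first rule naming the user decides."""
    for action, users in rules:
        for u in users:
            if (u == "*" or (u == "?" and not authenticated)
                    or (authenticated and u.lower() == user.lower())):
                return action == "allow"
    return True  # assumption: the inherited default is <allow users="*"/>

def audit(fragment):
    """Summarise the settings the thread turns on (hypothetical helper)."""
    # The snippets are children of <system.web>; wrap them so they parse.
    root = ET.fromstring("<system.web>" + fragment + "</system.web>")
    rules = [(r.tag, [u.strip() for u in r.get("users", "").split(",") if u.strip()])
             for r in root.findall("authorization/*") if r.tag in ("allow", "deny")]
    auth, ident = root.find("authentication"), root.find("identity")
    return {
        "mode": auth.get("mode") if auth is not None else None,
        # True means the NTFS ACL is the only thing gating anonymous requests.
        "anonymous_passes_url_authz": url_authz_allows(rules, "", False),
        "impersonate": ident is not None
                       and ident.get("impersonate", "false").lower() == "true",
        # A non-empty userName means a fixed account, not the browsing user.
        "fixed_identity": ident is not None and bool(ident.get("userName")),
    }

if __name__ == "__main__":
    for name, cfg in (("final", FINAL_CONFIG), ("earlier", EARLIER_CONFIG)):
        print(name, audit(cfg))
```

For the final configuration the audit shows anonymous requests passing URL authorization, so the file's NTFS ACL is what restricts access, as the comment in the posted web.config says.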