«

after spending countless hours trying, i give up and hope to get some help
in here.

on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
trying to read a file from an UNC path with a FSO:
Set myFile =
Server.CreateObject("Scripting.FileSystemObject"). GetFile("\\server2\myshare\myfile.txt")
this fails with an Permission Denied.

here's the deal:
- server1 & server2 are members of a domain
- iis6 is used with asp (not .net)
- myweb.com runs in the context of a domain user (my admin account even, for
testing purposes)
- the unc share has full rights to Everyone
- the file permissions on server2 are set to full rights to Everyone
- i can successfully read the file *with the same code* in a test.vbs
- if i set up a virtual folder to the unc path using "connect as" within the
iis6, i can browse the remote files with my webbrowser - but the asp code
still fails.

this is driving me crazy. all howtos, posts and pages i found tell me to run
the web as a domain user with sufficient rights -- this is what i'm doing,
but it just won't work!

any help is greatly appreciated!
- thomas

On Mon, 21 Mar 2005 04:18:23 +0100, "Thomas" <> wrote:

>after spending countless hours trying, i give up and hope to get some help
>in here.
>
>on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
>trying to read a file from an UNC path with a FSO:
>Set myFile =
>Server.CreateObject("Scripting.FileSystemObject") .GetFile("\\server2\myshare\myfile.txt")
>this fails with an Permission Denied.
>
>here's the deal:
>- server1 & server2 are members of a domain
>- iis6 is used with asp (not .net)
>- myweb.com runs in the context of a domain user (my admin account even, for
>testing purposes)
>- the unc share has full rights to Everyone
>- the file permissions on server2 are set to full rights to Everyone
>- i can successfully read the file *with the same code* in a test.vbs
>- if i set up a virtual folder to the unc path using "connect as" within the
>iis6, i can browse the remote files with my webbrowser - but the asp code
>still fails.
>
>this is driving me crazy. all howtos, posts and pages i found tell me to run
>the web as a domain user with sufficient rights -- this is what i'm doing,
>but it just won't work!

You post lots of details, but you left out the most important one --
Just exactly what does "fails" and "won't work" mean?

Jeff

basically, everything in ASP that incorporates FSO accessing remote UNC
paths fails - reading folders, files and writing to them fails. even a
FileExists check fails:

oFSO.FileExists("\\server2\myshare\myfile.txt") returns always false -
eventhough i can access the file directly (i.e. not using oFSO).

i dont think its a problem with my code, as it works perfeclty for local
files - even when i access them through their local UNC path (i.e.
"\\server1\d$\justatest.txt")

so: any function trying to read/write/access remote files through an unc
path within ASP results in a "permission denied" or "file not found"
runtime error.

- thomas

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

interesting point:

the web does not allow anonymous access.

when i enable anonymous access and put in the domain account as user, my
script works. so obviously asp is not running in the web application
pool, but under a different user context (which one??) when anonymous
access is disabled.

the users logging in are domain users with full rights to the network -
so iis/asp does not seem to impersonate them either.

so the question comes down to: what user is my asp script running in
(obviously not the one from my app pool) when i disable anonymous
access? the web's w3wp.exe is running as the app pool user (my domain
account).

as a workaround i could just enable anonymous access and then check on
script basis if the user is logged in. but i somehow feel that this is
not how it should work.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
considered trying a mapped drive letter instead of the direct UNC share?


On 3/21/05 6:55 AM, in article ,
"thomas h" <> wrote:

> interesting point:
>
> the web does not allow anonymous access.
>
> when i enable anonymous access and put in the domain account as user, my
> script works. so obviously asp is not running in the web application
> pool, but under a different user context (which one??) when anonymous
> access is disabled.
>
> the users logging in are domain users with full rights to the network -
> so iis/asp does not seem to impersonate them either.
>
> so the question comes down to: what user is my asp script running in
> (obviously not the one from my app pool) when i disable anonymous
> access? the web's w3wp.exe is running as the app pool user (my domain
> account).
>
> as a workaround i could just enable anonymous access and then check on
> script basis if the user is logged in. but i somehow feel that this is
> not how it should work.
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

> Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
> considered trying a mapped drive letter instead of the direct UNC share?

maped drives are only valid for logged-on users - which is not the case for
services (i.e. www).
i don't see why IWAM_... could be involved, as the application pool
explicitely specifies a (domain user) identity...

- thomas


"Aaron [SQL Server MVP]" <> wrote in message
news:BE643462.4160%...
> Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
> considered trying a mapped drive letter instead of the direct UNC share?
>
>
> On 3/21/05 6:55 AM, in article ,
> "thomas h" <> wrote:
>
>> interesting point:
>>
>> the web does not allow anonymous access.
>>
>> when i enable anonymous access and put in the domain account as user, my
>> script works. so obviously asp is not running in the web application
>> pool, but under a different user context (which one??) when anonymous
>> access is disabled.
>>
>> the users logging in are domain users with full rights to the network -
>> so iis/asp does not seem to impersonate them either.
>>
>> so the question comes down to: what user is my asp script running in
>> (obviously not the one from my app pool) when i disable anonymous
>> access? the web's w3wp.exe is running as the app pool user (my domain
>> account).
>>
>> as a workaround i could just enable anonymous access and then check on
>> script basis if the user is logged in. but i somehow feel that this is
>> not how it should work.
>>
>> *** Sent via Developersdex http://www.developersdex.com ***
>> Don't just participate in USENET...get rewarded for it!
>

> maped drives are only valid for logged-on users - which is not the case
for
> services (i.e. www).
> i don't see why IWAM_... could be involved, as the application pool
> explicitely specifies a (domain user) identity...

Just throwing out ideas. Tough to troubleshoot when we can't see the box.
<shrug>

On Mon, 21 Mar 2005 03:55:45 -0800, thomas h <> wrote:

>interesting point:
>
>the web does not allow anonymous access.
>
>when i enable anonymous access and put in the domain account as user, my
>script works. so obviously asp is not running in the web application
>pool, but under a different user context (which one??) when anonymous
>access is disabled.
>
>the users logging in are domain users with full rights to the network -
>so iis/asp does not seem to impersonate them either.
>
>so the question comes down to: what user is my asp script running in
>(obviously not the one from my app pool) when i disable anonymous
>access? the web's w3wp.exe is running as the app pool user (my domain
>account).

Normally IUSR/IWAM or the logged in user account. This is ASP and not
..NET correct? Have you tried giving the network account access?

Jeff

>as a workaround i could just enable anonymous access and then check on
>script basis if the user is logged in. but i somehow feel that this is
>not how it should work.
>
>*** Sent via Developersdex http://www.developersdex.com ***
>Don't just participate in USENET...get rewarded for it!

this is pure asp, yep.

if you're right, this would imply asp scripts not being executed in-process
within the web. i somehow can't believe this... especially as it seems to
work when enabling anonymous access to the web. i KNOW asp.net runs within
the web application pool process and its identity. not having the same
possibility for classic asp looks like a bug or design failure to me... ;-(

also, asp not using the "connect as" identity when accessing unc virtual
folders does not make any sense. i just can not (well, i can, but i don't
want to) give iusr or iwam access to the network shares. this would other
webs allow to read & write there as well - intolerable.

thomas





"Jeff Cochran" <> wrote in message
news:...
> On Mon, 21 Mar 2005 03:55:45 -0800, thomas h <> wrote:
>
>>interesting point:
>>
>>the web does not allow anonymous access.
>>
>>when i enable anonymous access and put in the domain account as user, my
>>script works. so obviously asp is not running in the web application
>>pool, but under a different user context (which one??) when anonymous
>>access is disabled.
>>
>>the users logging in are domain users with full rights to the network -
>>so iis/asp does not seem to impersonate them either.
>>
>>so the question comes down to: what user is my asp script running in
>>(obviously not the one from my app pool) when i disable anonymous
>>access? the web's w3wp.exe is running as the app pool user (my domain
>>account).
>
> Normally IUSR/IWAM or the logged in user account. This is ASP and not
> .NET correct? Have you tried giving the network account access?
>
> Jeff
>
>>as a workaround i could just enable anonymous access and then check on
>>script basis if the user is logged in. but i somehow feel that this is
>>not how it should work.
>>
>>*** Sent via Developersdex http://www.developersdex.com ***
>>Don't just participate in USENET...get rewarded for it!
>

On Mon, 21 Mar 2005 16:03:34 +0100, "Thomas" <> wrote:

>this is pure asp, yep.
>
>if you're right, this would imply asp scripts not being executed in-process
>within the web. i somehow can't believe this... especially as it seems to
>work when enabling anonymous access to the web. i KNOW asp.net runs within
>the web application pool process and its identity. not having the same
>possibility for classic asp looks like a bug or design failure to me... ;-(
>
>also, asp not using the "connect as" identity when accessing unc virtual
>folders does not make any sense. i just can not (well, i can, but i don't
>want to) give iusr or iwam access to the network shares. this would other
>webs allow to read & write there as well - intolerable.

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

Jeff



>
>"Jeff Cochran" <> wrote in message
>news:...
>> On Mon, 21 Mar 2005 03:55:45 -0800, thomas h <> wrote:
>>
>>>interesting point:
>>>
>>>the web does not allow anonymous access.
>>>
>>>when i enable anonymous access and put in the domain account as user, my
>>>script works. so obviously asp is not running in the web application
>>>pool, but under a different user context (which one??) when anonymous
>>>access is disabled.
>>>
>>>the users logging in are domain users with full rights to the network -
>>>so iis/asp does not seem to impersonate them either.
>>>
>>>so the question comes down to: what user is my asp script running in
>>>(obviously not the one from my app pool) when i disable anonymous
>>>access? the web's w3wp.exe is running as the app pool user (my domain
>>>account).
>>
>> Normally IUSR/IWAM or the logged in user account. This is ASP and not
>> .NET correct? Have you tried giving the network account access?
>>
>> Jeff
>>
>>>as a workaround i could just enable anonymous access and then check on
>>>script basis if the user is logged in. but i somehow feel that this is
>>>not how it should work.
>>>
>>>*** Sent via Developersdex http://www.developersdex.com ***
>>>Don't just participate in USENET...get rewarded for it!
>>
>