Question

Permissions in ASP.NET application

Asked by: martinjamesd

OK, I guess this is a good location for this question.

I have a W2K server, running IIS 6 and Active Directory Services. I have an ASP.Net application off the root web directory named "Apps". Within the IIS Manager I have the Authentication method set to "Anonymous Access" as well as "Authenticated Access" using "Integrated Windows Authentication" for both the root web and the "Apps" sub-directory. All files and directories under the "Apps" folder are set in this manner.

The web config file is set to use "Windows" for Authentication and "*" for Authorization.

Using Explorer I have changed the permissions for one file in the "Apps" directory. For this file, let's call it "myfile.aspx", I have removed the "Everyone" group. The permissions for this file are as follows:

Creator Owner - Full Control
System - Full Control
mydomain\Administrators - Full Control
mydomain\MyGroup - Read, Read/Execute

If I attempt to access any file on this web via a web browser it works as it should with the exception of this single file, "myfile.aspx". When attempting to access this file it will ask for a username/password/domain and will not accept anyone, including anyone from the "Administrators" or "MyGroup" groups.
The error I get in the browser is:

Server Error in '/Apps' Application.
--------------------------------------------------------------------------------

Access is denied.
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.

Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to ACLs). Ask the Web server's administrator to give you access to 'c:\inetpub\wwwroot\apps\myfile.aspx'.


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

This is the same basic configuration I use on other web servers for security and have not had this problem before. I have another server within this domain that is configured in the same manner that works although it is not an ASP.Net application. I have tried this from systems logged into the domain and from systems not logged into the domain with the same results.

Asked on 2003-10-15 at 08:42:43, ID: 20767751
Answers

 

by: GoodJun, posted on 2003-10-15 at 11:17:42, ID: 9556757

What's the user.Name in your case? machinename\ASPNET?

 

by: martinjamesd, posted on 2003-10-15 at 11:33:42, ID: 9556871

I am not sure what you mean.

 

by: naveenkohli, posted on 2003-10-15 at 11:34:03, ID: 9556876

<<W2K server, running IIS 6>>
Are you sure?? IIS6 is for Windows 2003

 

by: martinjamesd, posted on 2003-10-15 at 11:44:02, ID: 9556935

You are right it is IIS 5.

 

by: zrh, posted on 2003-10-15 at 12:31:35, ID: 9557281

You need to give myfile.aspx permissions for ASPNET or you need to have the app impersonate a user who does have permissions for the app to be able to access the file.

I believe permissions are applied in this order, from first to last (I may be wrong though):
1. File (ACL or NTFS permissions)
2. IIS
3. ASP.NET

You'll need access from each one before to get the next. (You can skip some by not setting them.)
So if you're using ASP.NET you need to allow the two above it. It's complicated, and can be confusing...

ZRH

 

by: zrh, posted on 2003-10-15 at 12:33:11, ID: 9557296

Also, you might want to make sure there isn't any inheritance from super-directories' permissions interfering.
ZRH

 

by: martinjamesd, posted on 2003-10-15 at 15:28:23, ID: 9558403

Adding the user ASPNET did not have any effect. Adding the user IWAM_SERVERNAME worked but just allows everyone to access the file.

 

by: zrh, posted on 2003-10-15 at 18:54:42, ID: 9558847

Ok, I read your question more carefully and noticed that the issue is involving the ACL checks.

Adding <identity impersonate="true"/> to your web.config file ought to do the trick. This way the app will use the account specified by IIS using Windows authentication. It will use that account's file access permissions. If the logged-in user has, or is in a group that has, permission to access the file, it will be granted. The app otherwise will use the anonymous user account that IIS uses (IUSR_MACHINENAME).

This link will shed more light:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetimpersonation.asp

ZRH

 

by: martinjamesd, posted on 2003-10-16 at 05:53:30, ID: 9561522

In web.config I have the following:

<authentication mode="Windows" />
<authorization>
  <deny users="?" /> <!-- Deny unauthenticated users -->
</authorization>
<identity impersonate="true"/>

and to recap I have the following permissions on "myfile.aspx":

Creator Owner - Full Control
System - Full Control
mydomain\Administrators - Full Control
mydomain\MyGroup - Read, Read/Execute
mydomain\ASPNET - Read, Read/Execute

Now when I attempt to access the page I am not prompted for the login and I get the error below:


Server Error in '/Apps' Application.
--------------------------------------------------------------------------------

Access is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ApplicationException: Access is denied.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace:


[ApplicationException: Access is denied.
]
   System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
   System.Security.Principal.WindowsIdentity.get_Name() +71
   System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user, String verb) +100
   System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user, String verb) +81
   System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +178
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

 

 

by: zrh, posted on 2003-10-16 at 09:27:26, ID: 9563385

Are you still allowing anonymous access in IIS for the Apps directory? I see that you are denying unauthenticated requests in ASP.NET, so you might want to uncheck the anonymous access in IIS. If so, IIS might be passing the IUSR_<MACHINENAME> identity to the application. Then the app might be being denied permission to access the .aspx based on those credentials, because I think IIS uses anonymous credentials unless more is needed.

Also, you might want to check out this link (I think this might apply to your config):
http://www.jsiinc.com/SUBN/tip6900/rh6981.htm

ZRH

 

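by: zrh, posted on 2003-10-16 at 09:36:35, ID: 9563467

By the way, you can avoid all these permission settings if you want by just doing some programmatic checking in the .aspx file.

i.e.:
Set permissions like all other files...
then:
In the Page_Load event:

// Requires: using System.Security.Principal; using System.Threading;
WindowsPrincipal principal = (WindowsPrincipal)Thread.CurrentPrincipal;
// WindowsPrincipal.IsInRole expects domain-qualified group names (as listed in the file's ACL above)
if(!principal.IsInRole(@"mydomain\MyGroup") && !principal.IsInRole(@"mydomain\Administrators")) {
    Response.Redirect("./access_denied.aspx"); // the redirect is issued on the response, not the request
}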

ZRH

 

by: martinjamesd, posted on 2003-10-16 at 10:54:23, ID: 9564088

Ok here is what I now know based on some pointers from ZRH. These are the steps I had to take to enable selective access to files using Windows as the authentication format. I chose this format because the management of users and files is already in place and it does not require yet another username and password combination to be remembered.

Keep in mind my configuration included a W2K server, IIS 5, and Active Directory services with the web server also acting as a Domain Controller. So, having said that, to control access to a file or directory with W2K and IIS5 when accessed via a web browser you must do the following:

In IIS Management Console set the "Authentication" method to whatever level you prefer. This can be done for the folder or virtual directory as well as individual files. In my case I wish to allow some files to be accessed by everyone so I have enabled both "Anonymous Access" for this purpose and under "Authenticated Access" I have enabled "Integrated Windows authentication". This allows further access control using NTFS file permissions. The most restrictive permissions will apply. Enabling "Anonymous Access" will not allow an unauthenticated user or user without proper credentials to access a resource for which he has not been given access rights through NTFS permissions. As a side note my installation used the IUSR_machinename as the Anonymous User account and the checkbox was enabled to allow IIS to manage the password. Close IIS Management Console.

In Windows Explorer right-click on the file or folder that you wish to change permissions for. Add or remove groups and users as needed and change permissions for these groups and users. I have found that the following accounts must be added regardless of the other settings and have found documentation that seems to support this:

Creator Owner - Full Control
System - Full Control
domainname\ASPNET - Read, Read/Execute
domainname\IWAM_machinename - Read, Read/Execute

and any other accounts you wish to have access to this resource. Close Windows Explorer.

Once this has been accomplished go to Start-->Program Files-->Administrative Tools and open the Domain Controller Security Policy. Once inside the Domain Controller Security Policy Console go to Windows Settings-->Security Settings-->Local Policies-->User Rights Assignments. In the right hand pane double-click on "Impersonate a client after authentication". Enable the "Define these policy settings" checkbox and click "Add". Click "Browse" then find and select the account IWAM_machinename and click OK-->OK-->OK. Close the Domain Controller Security Policy Console.

At a command prompt issue the following command:

secedit /refreshpolicy machine_policy /enforce

then at the command prompt issue the following command:

iisreset

Close the command prompt window. Now we need to modify the web.config file for the ASP.NET application as follows:

<authentication mode="Windows" />
<authorization>
  <allow users="*" /> <!-- This allows all users to access even if they are outside the domain provided NTFS permissions allow it and IIS allows "Anonymous Access" -->
</authorization>
<identity impersonate="true"/> <!-- This allows ASP.NET to impersonate the user requesting a restricted resource after authentication has taken place. It requires that an account be specified for the impersonation on the machine hosting the ASP.NET application -->

Save the file and check for proper operation of the web site pages you have modified the permissions for. If anyone notices inaccuracies in this document please feel free to make corrections, and thanks again to ZRH.

Here are some external resources I used:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q815171#4
http://4guysfromrolla.411asp.net/
http://www.jsiinc.com/SUBN/tip6900/rh6981.htm
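
The two web.config fragments posted in this thread differ only in their `<authorization>` rule, and the NTFS ACL is a separate gate on top of that. The following is an added example, not part of any post and not Microsoft's implementation: a simplified Python model of ASP.NET URL authorization (first matching rule wins, with the machine-level `<allow users="*"/>` last) combined with an allow-only ACL check for the impersonated identity. The users `alice` and `bob`, the group `Domain Users` and `PUBLIC_ACL` are constructed for illustration.

```python
"""Simplified model of the two checks discussed in this thread: ASP.NET URL
authorization (web.config) and the NTFS ACL hit by the impersonated identity.
Assumptions: allow-ACEs only (no deny ACEs, no inheritance), impersonate="true"."""
import xml.etree.ElementTree as ET

ANON_ACCOUNT = "IUSR_machinename"   # anonymous account named in the thread

# web.config fragments posted in the thread, wrapped in a root element.
CONFIG_DENY_ANON = """<system.web>
  <authentication mode="Windows" />
  <authorization><deny users="?" /></authorization>
  <identity impersonate="true"/>
</system.web>"""
CONFIG_ALLOW_ALL = CONFIG_DENY_ANON.replace('<deny users="?" />', '<allow users="*" />')

# ACL of myfile.aspx as listed in the question ("Everyone" removed).
RESTRICTED_ACL = {"Creator Owner", "System", r"mydomain\Administrators", r"mydomain\MyGroup"}
PUBLIC_ACL = RESTRICTED_ACL | {"Everyone"}   # constructed: a file left open to all


def _csv(value):
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def parse_rules(config_xml):
    """Return [(action, users, roles)] from <authorization>, in document order."""
    root = ET.fromstring(config_xml)
    identity = root.find("identity")
    if identity is None or identity.get("impersonate") != "true":
        raise ValueError("model only covers <identity impersonate=\"true\"/>")
    node = root.find("authorization")
    rules = [(el.tag, _csv(el.get("users", "")), _csv(el.get("roles", "")))
             for el in (node if node is not None else [])]
    # The machine-level default <allow users="*"/> is evaluated last.
    return rules + [("allow", ["*"], [])]


def url_authorization(rules, user, groups):
    """First matching rule decides. user=None is an anonymous ("?") request."""
    groups = [g.lower() for g in groups]
    for action, users, roles in rules:
        if ("*" in users
                or (user is None and "?" in users)
                or (user is not None and user.lower() in users)
                or any(g in roles for g in groups)):
            return action == "allow"
    return False


def ntfs_allows(acl, user, groups):
    """With impersonation the file is opened as the caller, or as the
    anonymous account when no credentials were presented."""
    names = {entry.lower() for entry in acl}
    identity = (user or ANON_ACCOUNT).lower()
    memberships = {g.lower() for g in groups} | {"everyone"}
    return identity in names or bool(memberships & names)


def evaluate(config_xml, acl, user=None, groups=()):
    """Both checks must pass for the page to be served."""
    url_ok = url_authorization(parse_rules(config_xml), user, groups)
    ntfs_ok = ntfs_allows(acl, user, groups)
    return {"url_authz": url_ok, "ntfs": ntfs_ok, "served": url_ok and ntfs_ok}


if __name__ == "__main__":
    member = (r"mydomain\alice", [r"mydomain\MyGroup"])       # constructed user
    outsider = (r"mydomain\bob", [r"mydomain\Domain Users"])  # constructed user
    for label, cfg in (("deny ?", CONFIG_DENY_ANON), ("allow *", CONFIG_ALLOW_ALL)):
        for who, (user, groups) in (("anonymous", (None, [])), ("member", member),
                                    ("outsider", outsider)):
            for acl_name, acl in (("restricted", RESTRICTED_ACL), ("public", PUBLIC_ACL)):
                print(label, who, acl_name, evaluate(cfg, acl, user, groups))
```

With `<allow users="*"/>` the URL authorization layer passes every request, so the file ACL alone separates public files from restricted ones; with `<deny users="?"/>` anonymous requests are refused even for files whose ACL still includes Everyone.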

 


by: rsalunkhe, posted on 2004-08-16 at 14:43:04, ID: 11815373

Help!!!

I read everything you guys said above, but here is the situation I am facing, similar to yours but slightly different.

I have enabled Windows integrated authentication.

Web.config-
<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
<identity impersonate="true"/>

My NTFS permissions have
admin - full
Raj - full
system - full

I do NOT have an ASPNET account.

When I run the app, I enter my name (Raj), password and domain and I can enter the website. Then when I press an arrow (that calls another aspx page which is supposed to check the entered credentials and see if the user can access the next page or not) I get an error!!!

Access denied to 'C:\webroot\testapp\'. Failed to start monitoring file changes.

But when I add ASPNET to the NTFS ACL then it works....but then anyone can access the page.
I want only the specified users in the NTFS ACL on that directory to access it.

Why am I getting the error?
