• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 344
  • Last Modified:

How to make filesystemobject work across a network

I am not an ASP programmer, I'm a network administrator. I'm trying to help our ASP programmer who has become stumped by this problem.  If I get a workable answer today (we are under a deadline) I will at least double the point value.

We have the following code which is looking for the existence of a specific image file, then building it into an "IMG SRC" string. If the file doesn't exist I want it to instead use a default image file.

In the first line, if PropertyPictFilePath is set to a local path i.e. "c:\somepathname\" it works. If it is set to "\\thiswebserver\somepathname\" If it is set as shown below, it doesn't find anything, so all images are shown as the default, even when the image exists.

I think the problem has to do with permissions... the pictures are not located on the webserver but on another server. This is a very large folder of pictures and we don't have enough disk space available on the real web server to hold it. Instead, they are served via a website that is getting content from a network share.

Both servers are members of the same domain but NOT domain controllers.

The actual question: How do I enable the webserver's asp code to access the folder on the network unc path?

The code snippet is supposed to check the existence of the file at \\servername\somepathname\picture01.gif and if it exists, build a path for inclusion in the resulting http of http://someurl.com/picture01.gif. If it doesn't exist the path will be built as http://someurl.com/DefaultPicture.gif". someurl.com is the url of a website whose content is coming from \\servername\somepathname.

As I said if the propertypictfilepath is on the local machine either by "c:\..." or by a unc, it works fine but doesn't work when the unc is a different machine.

Alternatively, can you provide a code sample that transparently fetches the file from the webserver, and if it detects a 404 error would substitute the default image.

Here's the existing code:

     Private Const PropertyPictFilePath = "\\servername\somepathname\"
     Private Const PropertyPictHttpPath = "http://someurl.com/"
     Private Const PropertyDefaultImage = "DefaultPicture.gif"
     Set fso = CreateObject("Scripting.FileSystemObject")
     if (not fso.FileExists(PropertyPictFilePath & PropertyPhoto))then
          PropertyPhoto = PropertyDefaultImage
     end if
     Set fso = Nothing
     GetPropertyPic = PropertyPictHttpPath & PropertyPhoto
  • 4
  • 2
  • 2
  • +4
1 Solution
IIS is usually signed in to the machine on which it is running as IUSR_<machine name>. I think this is a local user and not a part of the domain, and so is unlikely to be able to do reads on the network.

try going to IIS management console --> machine --> site --> properties --> directory security --> edit anonymous access properties --> edit anonymous account

choose an account for anoymous access that has rights to the areas of the network you are interested in. don't know if it'll work, i haven't done it, but you can try,

myrrhAuthor Commented:

All I can say is "DUH" why didn't I see that before. Works like a champ! And easy too. Thanks!

Assuming I make it through lunchtime tomorrow without the customer screaming about something that broke because of this, I will accept your comment then with the promised double points.
keep in mind this will change the security on that server, now anyone browsing with a browser will have access as that user.

This is a security risk.
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

That's why you create virtual directories and dummy users...  A virtual dir that is linked to the network dir and accessed by the dummy user, this way no one else can access it unless specifically granted rights, and the IUSER_ can't go anywhere else in the network.
they make good points.
myrrhAuthor Commented:
Points taken. The user account I specified is one that only has the necessary privileges on the web content folders and nothing else.
PRB: Cannot Access Remote Files with the FileSystemObject

Let me know if there is a problem with following the steps described (I guess there isn't).
Michel SakrCommented:
The way you implemented is a security issue.. robbert's link is good.. also read:

How does FileSystemObject access files from a UNC \\share\?

IUSR_webservername on the web server trying to access the share must have access to the share. That
means IUSR_webservername must exist as a domain user (or at least a local user on the machine with the
share) WITH THE SAME PASSWORD and possessing appropriate permissions. We recommend RXW for IUSR_webservername
because some versions of FileSystemObject seem to choke on anything less.

In other words.. Create on the remote server that you want to access a local account with the same credentials
as the IUSR_WebServerName and WITH THE SAME PASSWORD (this is very important. if you don't know it you'll
have to change it on the webserver, note that the IUSR is a local account on the web server and not
a domain account ) now share the remote directory (w/o password prot) give the new IUSR on the remote
read/write permissions on the shared directory.. to test it log in to your web server using the IUSR
account and try to perform actions on the share.. if you don't get permission denied then all is ok
and you can now read/write from asp..If you mapped the share the IUSR won't see the map unless you map
it while logged to the web NT box as the IUSR, since mapping is a service.. anyways if you get some
troubles simply post them, this issue is simple to implement when you get used to it..
Good luck..

myrrhAuthor Commented:
MCM's was the most straightforward, easy-to-implement solution. The others suggested later also have merit. Thanks to all who contributed.
Michel SakrCommented:
easy to implement.. I'm sure you've set a domain admonistrator as the anonymous account.. we were telling you how to implement it in a secure way.. you created a security breach this way
myrrhAuthor Commented:
No, I made sure the account has access only to the specific resources in question. Definitely NOT an admin account.

Whether I create the same IUSR account on the other machine and synchronize the passwords on the two, or create a restricted account on the domain, is not the effect (and the security) the same?
I also have a similar but different problem,
See the question I posted today "ASP Call up NotePad to open remote file". Thanks.

- Angus

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 4
  • 2
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now