Solved

Delphi 6 Client Server Application to Windows 2000 running IIS 5 "Access is denied" when attempting to run client.

Posted on 2004-04-14
Last Modified: 2012-08-14

We have a client/server application written in Delphi 6 using Midas. All was working fine until the Webserver was recently overhauled and everything reinstalled.

The WebConnection component in the Client shows a list of the available application ServerNames correctly but when changing Connected to True we get the "Access is denied" error and the client program terminates. The Server executable runs on the server and FileMon shows no failed file access on the Server.

I have run dcomcnfg on the server and changed the identity to my own account (which has admin rights) for testing, with no change.

I feel DCOM is the problem somewhere, maybe with regard to the IUSR or IWAM account, but I don't know enough about that side of things.

If you feel this would be better posted in the IIS section I will set up a question there and close this one.

We need the answer quite quickly if possible.

Thx in advance,

Stephen

Question by: Ashen_Shugar

Expert Comment by: sftweng (ID: 10827064)
I do recommend that you post to the IIS forum because it sounds very much like an IIS file permissions problem to me, especially since you appear to have made no changes to the Delphi application.

One way of confirming this would be to run a test with all permissions allowed for Everyone on C:/InetPub/WWWRoot. If this gets rid of the problem, then it will just be a case of finding the right permissions for the IIS user, which will probably be "IUSR_<nodename>".

Alan
Accepted Solution by: sftweng, earned 500 total points (ID: 10827165)
The following is from "Help and Support".

HOW TO: Set Basic NTFS Permissions for IIS 5.0
This article was previously published under Q271071

SUMMARY
This step-by-step article describes the minimum permissions that are required for a dedicated Internet Information Services (IIS) 5.0 Web server.

Warning This article is only valid for dedicated Web servers that use basic IIS functionality, such as serving HTML static content or simple Active Server Pages (ASP) content. The permission requirements that are described in this article are specific ONLY to the basic permissions for a dedicated Web server that is running Microsoft Windows 2000 and IIS 5.0. This article does not take into consideration other Microsoft and third-party products that may require different permissions. Microsoft recommends that you review articles that are specific for the roles of your Web server and perform tests before you make permission changes on a production Web server. For links to related articles for other Microsoft products, see the "References" section.

If you apply these permissions to an IIS server that serves other roles, such as Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, or third-party applications that depend on additional permissions, these products may not operate as expected.

Note This article only applies to IIS 5.0. It does not apply to any other versions of IIS.

For additional information about the necessary permissions for IIS 4.0, click the following article number to view the article in the Microsoft Knowledge Base:
187506 List of NTFS Permissions Required for IIS Site to Work

For additional information about the necessary permissions for IIS 6.0, click the following article number to view the article in the Microsoft Knowledge Base:
812614 INFO: Default Permissions and User Rights for IIS 6.0

Testing for this document included the following functional tests:
Hypertext documents (HTML)
Active Server Pages (ASP)
FrontPage Server Extensions (connecting, editing, and saving), if FPSE is enabled while you use the Lockdown Tool
Secure Socket Layers (SSL) Connections
This document does NOT address any of the specific security needs of the following server roles or applications:
Windows 2000 Domain Controller
Microsoft Exchange 5.5 or Microsoft Exchange 2000 Outlook Web Access
Microsoft Small Business Server 2000
Microsoft SharePoint Portal or Team Services
Microsoft Commerce Server 2000 or Microsoft Commerce Server 2002
Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002
Microsoft Content Management Server 2000 or Microsoft Content Management Server 2002
Microsoft Application Center 2000

Review server and application documentation for specific security considerations. Links to related Knowledge Base articles have been provided in the "References" section.

Before you apply the permissions in this article, Microsoft recommends that you run the most current version of the IIS Lockdown Tool. For more information about this tool, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/tools/tools/locktool.asp

The following programs and services were installed as part of the test suite used to test server security after applying the permissions outlined in this article:
Index Services
Terminal Services
Script Debugger
IIS
Common Files
Documentation
FrontPage Server Extensions 2000
Internet Services Manager (HTML)
WWW
FTP
Grant Ownership and Permission to Administrators and System
To assign permissions to the system:
Open Windows Explorer. To do this, click Start, click Programs, and then click Windows Explorer.
Expand My Computer.
Right-click the system drive (this is typically drive C), and then click Properties.
Click the Security tab, and then click Advanced to open the Access Control Settings for Local Disk dialog box.
Click the Owner tab, click to select the Replace Owner on Sub containers and Objects check box, and then click Apply.

If you receive the following error message, click Continue:

An error has occurred applying security information to %systemroot%:\Pagefile.sys
If you receive the following error message, click Yes:

You do not have permission to read the contents of directory %systemroot%:\System Volume Information - Do you want to replace the directory permission - All permission will be replaced granting you Full Control
Click OK to close the dialog box.
Click Add.
Add the following users, and then grant them the Full Control NTFS permission:
Administrator
System
Creator Owner
After you have added these NTFS permissions, click Advanced, click to select the Reset permission on all child objects and enable propagation of inheritable permissions check box, and then click Apply.
If you receive the following error message, click Continue:

An error has occurred applying security information to %systemroot%:\Pagefile.sys
After you have reset NTFS permissions, click OK.
Click the Everyone group, click Remove, and then click OK.
Open the properties for the %systemroot%\Program Files\Common Files folder, and then click the Security tab. Add the account that is used for anonymous access (by default, this is the IUSR_<MachineName> account) and the Users group, and then make sure that only the following are selected:
Read & Execute
List Folder Contents
Read
Open the properties for the root directory that holds your Web content (by default, this is the %systemroot%\Inetpub\Wwwroot folder). Click the Security tab, add the IUSR_<MachineName> account and the Users group, and then make sure that only the following are selected:
Read & Execute
List Folder Contents
Read
If you want to grant Write NTFS permission for Inetpub\FTProot or the directory path for your FTP site or sites, repeat step 15.

Note Microsoft does not recommend that you grant NTFS Write permissions to the anonymous account in any directories, including directories that the FTP service uses. This can cause unnecessary data to be uploaded to your Web server.
Disable Inheritance in System Directories
In the %systemroot%\winnt\System32 folder, select all folders except the following:
Inetsrv
Certsrv (if present)
COM
Right-click the remaining folders, click Properties, and then click the Security tab.
Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.
In the %systemroot%\winnt folder, select all folders except the following:
Assembly (if present)
Downloaded Program Files
Help
Microsoft.NET (if present)
Offline Web Pages
System32
Tasks
Temp
Web
Right-click the remaining folders, click Properties, and then click the Security tab.
Click to clear the Allow inheritable permissions check box, click Copy, and then click OK.
Apply permissions to the following:
Open the properties for the %systemroot%\Winnt folder, click the Security tab, add the IUSR_<MachineName> and IWAM_<MachineName> accounts and the Users group, and then make sure that only the following are selected:
Read & Execute
List Folder Contents
Read
Open the properties for the %systemroot%\Winnt\Temp folder, select the IUSR_<MachineName> account (this account is already present because it inherits from the Winnt folder), and then click to select the Modify check box. Repeat this step for the IWAM_<MachineName> account and the Users group.
If FrontPage Server Extension Clients such as FrontPage or Microsoft Visual InterDev are being used, open the properties for the %systemroot%\Inetpub\Wwwroot folder, select the Authenticated Users group, select the following, and then click OK:
Modify
Read & Execute
List Folder Contents
Read
Write
NTFS Permissions
The following table lists the permissions that will be applied when you follow the steps in the Disable Inheritance in System Directories section. This table is for reference only.

To apply the permissions in the following table:
Open Windows Explorer. To do this, click Start, click Programs, click Accessories, and then click Windows Explorer.
Expand My Computer.
Right-click %systemroot%, and then click Properties.
Click the Security tab, and then click Advanced.
Double-click Permission, and then select the appropriate setting from the Apply Onto list.
Note In the "Apply To" column, the term Default refers to "This folder, subfolders, and files."

Directory                                  Users\Groups          Permissions     Apply To
%systemroot%\ (c:\winnt)                   Administrator         Full Control    Default
                                           System                Full Control    Default
                                           Users                 Read, Execute   Default
%systemroot%\system32                      Administrators        Full Control    Default
                                           System                Full Control    Default
                                           Users                 Read, Execute   Default
%systemroot%\system32\inetsrv              Administrators        Full Control    Default
                                           System                Full Control    Default
                                           Users                 Read, Execute   Default
Inetpub\adminscripts                       Administrators        Full Control    Default
Inetpub\urlscan (if present)               Administrators        Full Control    Default
                                           System                Full Control    Default
%systemroot%\system32\inetsrv\metaback     Administrators        Full Control    Default
                                           System                Full Control    Default
%systemroot%\help\iishelp\common           Administrators        Full Control    This folder and files
                                           System                Full Control    This folder and files
                                           IWAM_<MachineName>    Read, Execute   This folder and files
                                           Network               Full Control    This folder and files
                                           Service                               This folder and files
                                           Users                 Read, Execute   This folder and files
Inetpub\wwwroot (or content directories)   Administrators        Full Control    This folder and files
                                           System                Full Control    This folder and files
                                           IWAM_<MachineName>    Read, Execute   This folder and files
                                           Service               Read, Execute   This folder and files
                                           Network               Read, Execute   This folder and files
                                           Users (Optional**)    Read, Execute   This folder and files

** If you are using FrontPage Server Extensions, the Authenticated Users or the Users group must have the Change NTFS permission to create, rename, write, or provide the functionality that a developer might need from a FrontPage type of client, such as Visual InterDev 6.0 or FrontPage 2002.

Grant Permissions in the Registry
Click Start, click Run, type regedt32, and then click OK. Do not use Regedit.exe because it does not permit you to change permissions in Windows 2000.
In Registry Editor, locate and select HKEY_LOCAL_MACHINE.
Expand System, expand CurrentControlSet, and then expand Services.
Select the IISADMIN key, click Security (or press ALT+S), and then select Permissions (or press P).
Click to clear the Allow inheritable permissions from parent to propagate to this object check box, click Copy, and then remove all users except:
Administrators (Allow Read and Full Control)
System (Allow Read and Full Control)
Click OK.
Perform these steps again for the MSFTPSVC key.
Select the W3SVC key, click Security, and then click Permissions.
Click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then remove all entries except:
Administrators (Allow Read and Full Control)
System (Allow Read and Full Control)
Network (Read)
Service (Read)
IWAM_<MachineName> (Read)
Click OK.
Registry
The following table lists the permissions that will be applied when you follow the steps in the Grant Permissions in the Registry section. This table is for reference only.

Note The acronym HKLM stands for HKEY_LOCAL_MACHINE.

Location                                           Users\Groups          Permissions
HKLM\System\CurrentControlSet\Service\IISAdmin     Administrators        Full Control
                                                   System                Full Control
HKLM\System\CurrentControlSet\Service\MsFtpSvc     Administrators        Full Control
                                                   System                Full Control
HKLM\System\CurrentControlSet\Service\w3svc        Administrators        Full Control
                                                   System                Full Control
                                                   IWAM_<MachineName>    Read
Grant Rights in the Local Security Policy
Click Start, click Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Local Security Policy.
In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.
Modify the appropriate policy:
Double-click the policy.
Select and then click Remove for any user who is not listed in the table.
Add any user who is not listed. To do this, click Add, and then select the user in the Select Users or Groups dialog box.
Note that because a domain controller policy overrides the local policy, you must make sure that Effective Policy Setting matches Local Policy Setting.

Policies
The following table lists the permissions that will be applied when you follow the steps in the Grant Rights in the Local Security Policy section.

Policy                                     Users
Log on Locally                             Administrators
                                           IUSR_<MachineName> (Anonymous)
                                           Users (authentication required)
Access this computer from the Network      Administrators
                                           ASPNet (.NET Framework)
                                           IUSR_<MachineName> (Anonymous)
                                           IWAM_<MachineName>
                                           Users
Log on as a Batch Job                      ASPNet
                                           Network
                                           IUSR_<MachineName>
                                           IWAM_<MachineName>
                                           Service
Log on as a Service                        ASPNet
                                           Network
Bypass Traverse Checking                   Administrators
                                           IUSR_<MachineName> (Anonymous)
                                           Users (Basic, Integrated, Digest)
                                           IWAM_<MachineName>
Required Services
For additional information about the services that you need for IIS 4.0, click the following article number to view the article in the Microsoft Knowledge Base:
189271 List of Services Needed to Run a Secure IIS Computer

REFERENCES
For additional information about how to restore default NTFS permissions for Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
266118 How to Restore the Default NTFS Permissions for Windows 2000

260985 XIMS: Minimum NTFS Permissions Required to Use CDONTS

324068 HOW TO: Set IIS Permissions for Specific Objects

175121 PRB: Required Permissions on Commerce Directories

The information in this article applies to:
Microsoft Internet Information Services 5.0
Last Reviewed: 4/2/2004 (9.0)  
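As an added example (my code, not code from the thread, from sftweng, or from the Microsoft article), here is a read-only PowerShell audit that compares a server's NTFS and registry ACLs with the baseline the article lays out: the Read & Execute and Modify grants it requires for IUSR_<MachineName> and IWAM_<MachineName>, the removal of Everyone from the system drive, no Write for the anonymous account under wwwroot or ftproot, and the restricted ACLs on the IISADMIN, MSFTPSVC and W3SVC service keys. It assumes, and the page does not say, that it runs elevated on the web server, that the anonymous and out-of-process accounts keep their default names, and that content lives under %SystemDrive%\Inetpub\wwwroot. PowerShell did not exist on Windows 2000, where the same checks are made by hand with cacls.exe and regedt32.exe as the article describes; the script is for a later host that still uses those accounts.

```powershell
# Added example; not from the thread or from KB271071. Read-only audit of the
# NTFS and registry ACLs the article prescribes for a dedicated IIS 5.0 host.
# Assumptions (mine): run elevated on the web server; default IUSR_<host> and
# IWAM_<host> account names; content under %SystemDrive%\Inetpub\wwwroot.
# PowerShell did not ship with Windows 2000; there the same checks are done by
# hand with cacls.exe and regedt32.exe, as the article describes.
using namespace System.Security.AccessControl

$hostName = $env:COMPUTERNAME
$iusr     = "$hostName\IUSR_$hostName"
$iwam     = "$hostName\IWAM_$hostName"
$sysDrive = $env:SystemDrive + '\'
$sysRoot  = $env:SystemRoot
$wwwRoot  = Join-Path $env:SystemDrive 'Inetpub\wwwroot'
$ftpRoot  = Join-Path $env:SystemDrive 'Inetpub\ftproot'
$findings = New-Object System.Collections.Generic.List[string]

# Allow ACEs for one identity on a path (explicit and inherited).
function Get-AllowAce([string]$Path, [string]$Identity) {
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq [AccessControlType]::Allow -and
        $_.IdentityReference.Value -eq $Identity
    }
}

# True when some Allow ACE for $Identity includes every bit of $Required.
# Test the mask with -band: an ACE may carry more bits than the named right,
# and inherited ACEs can carry generic bits as well.
function Test-Grant([string]$Path, [string]$Identity, [FileSystemRights]$Required) {
    foreach ($ace in (Get-AllowAce $Path $Identity)) {
        if (([int]$ace.FileSystemRights -band [int]$Required) -eq [int]$Required) { return $true }
    }
    return $false
}

# Required grants, from the article's NTFS steps and table.
$required = @(
    @{ Path = $wwwRoot;                    Who = $iusr; Right = [FileSystemRights]::ReadAndExecute },
    @{ Path = $wwwRoot;                    Who = $iwam; Right = [FileSystemRights]::ReadAndExecute },
    @{ Path = $sysRoot;                    Who = $iusr; Right = [FileSystemRights]::ReadAndExecute },
    @{ Path = $sysRoot;                    Who = $iwam; Right = [FileSystemRights]::ReadAndExecute },
    @{ Path = (Join-Path $sysRoot 'Temp'); Who = $iusr; Right = [FileSystemRights]::Modify },
    @{ Path = (Join-Path $sysRoot 'Temp'); Who = $iwam; Right = [FileSystemRights]::Modify }
)
foreach ($r in $required) {
    if (-not (Test-Path -Path $r.Path)) { $findings.Add("MISSING PATH  $($r.Path)"); continue }
    if (-not (Test-Grant $r.Path $r.Who $r.Right)) {
        $findings.Add("MISSING       $($r.Who) lacks $($r.Right) on $($r.Path)")
    }
}

# The article removes Everyone from the system drive and warns against any
# Write for the anonymous account on content or FTP directories.
foreach ($p in @($sysDrive, $sysRoot, $wwwRoot)) {
    if ((Get-Acl -Path $p).Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
        $findings.Add("EXCESS        Everyone still has an ACE on $p")
    }
}
$writeMask = [FileSystemRights]::Write -bor [FileSystemRights]::Delete -bor [FileSystemRights]::Modify -bor [FileSystemRights]::FullControl
foreach ($p in @($wwwRoot, $ftpRoot)) {
    if (-not (Test-Path -Path $p)) { continue }
    foreach ($ace in (Get-AllowAce $p $iusr)) {
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            $findings.Add("EXCESS        $iusr can write under $p ($($ace.FileSystemRights))")
        }
    }
}

# Registry: IISADMIN and MSFTPSVC for Administrators and SYSTEM only; W3SVC also
# readable by NETWORK, SERVICE and IWAM. Any other Allow ACE is a finding.
$core = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$keys = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN' = $core
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSFTPSVC' = $core
    'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC'    = $core + @('NT AUTHORITY\NETWORK', 'NT AUTHORITY\SERVICE', $iwam)
}
foreach ($k in $keys.Keys) {
    if (-not (Test-Path -Path $k)) { continue }   # e.g. FTP service not installed
    foreach ($ace in (Get-Acl -Path $k).Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if ($keys[$k] -notcontains $ace.IdentityReference.Value) {
            $findings.Add("EXCESS        $($ace.IdentityReference.Value) has $($ace.RegistryRights) on $k")
        }
    }
}

if ($findings.Count -eq 0) { 'No drift from the KB271071 baseline.' } else { $findings }
```

Run it once after applying the article's steps and keep the output as the baseline; run it again after a reinstall, a domain join or any change by another team. A MISSING line for IUSR_<MachineName> on wwwroot or %systemroot% is the first thing to look at when anonymous requests start failing, and an EXCESS line is the one that matters from a least-privilege standpoint, which is why the script also refuses to treat the "all permissions for Everyone" test from the first comment as an acceptable end state.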
 
Expert Comment by: calinutz (ID: 10827502)
listening
Author Comment by: Ashen_Shugar (ID: 10842038)

We have a solution of sorts.

After taking the advice of sftweng I discovered that the server was now accessing the 403.3 and 403.1 htm error files when connecting (using FileMon). This suggested to me that anonymous access had somehow become disabled. I spoke to the IT people who set up the server and found out they had attached the server to a Domain Controller. The domain controller enforces its own policy on the server causing problems with the IUSR and IWAM accounts.

Microsoft KB275167 gives the full details. After making the changes in the knowledge base we could get the client-server application working, but not reliably. I have now reinstalled W2K Server and IIS 5 without putting it on the domain. It would appear the IT people here are not quite ready for Servers running Internet applications while on their Domain Controller.

I have given sftweng full points as his advice put me on the right path, and that is good enough for me.

Thx, Stephen
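The author's comment above describes the domain controller's policy overriding the local policy for the IUSR and IWAM accounts, which is the situation the article's note ("make sure that Effective Policy Setting matches Local Policy Setting") is about. Here is an added PowerShell script (mine, not from the thread or from Microsoft) that makes that comparison: it exports the user-rights area of the local security database with secedit.exe, parses the [Privilege Rights] section, and reports any principal from the article's Policies table that is not granted the right actually in force. Assumed, and not from the page: it runs elevated on the server, the accounts keep their default IUSR_<MachineName> and IWAM_<MachineName> names, and the ASPNet entries are skipped because the table lists them only for the .NET Framework. PowerShell was not available on Windows 2000 itself; secedit.exe was, and the exported .inf can be read there by hand.

```powershell
# Added example; not from the thread or from KB271071. Compares the user rights
# in force on this server with the article's "Policies" table.
# Assumptions (mine): run elevated; default IUSR_<host>/IWAM_<host> names;
# secedit.exe present. PowerShell did not ship with Windows 2000.
$hostName = $env:COMPUTERNAME
$iusr     = "$hostName\IUSR_$hostName"
$iwam     = "$hostName\IWAM_$hostName"

# Privilege constant -> principals the article requires. ASPNet is omitted
# because the table lists it only for the .NET Framework.
$required = @{
    SeInteractiveLogonRight = @('BUILTIN\Administrators', $iusr, 'BUILTIN\Users')              # Log on locally
    SeNetworkLogonRight     = @('BUILTIN\Administrators', $iusr, $iwam, 'BUILTIN\Users')       # Access this computer from the network
    SeBatchLogonRight       = @('NT AUTHORITY\NETWORK', 'NT AUTHORITY\SERVICE', $iusr, $iwam)  # Log on as a batch job
    SeServiceLogonRight     = @('NT AUTHORITY\NETWORK')                                        # Log on as a service
    SeChangeNotifyPrivilege = @('BUILTIN\Administrators', $iusr, $iwam, 'BUILTIN\Users')       # Bypass traverse checking
}

# Export only the user-rights area of the local security database. On a domain
# member this is what the policy engine last applied, domain GPO included, so
# it reflects the effective setting rather than what Local Security Policy shows.
$inf = Join-Path $env:TEMP 'userrights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $inf)) { throw "secedit export failed ($LASTEXITCODE)" }

# Parse "[Privilege Rights]": lines look like  SeXxx = *S-1-5-32-544,*S-1-5-21-...
# secedit writes SIDs with a leading '*'; entries it cannot resolve stay as names.
$inForce   = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $inForce[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Resolve a name to its SID so it can be matched against the export.
function Get-Sid([string]$Account) {
    try { ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # account does not exist on this host: it will be reported as missing
}

$findings = foreach ($right in $required.Keys) {
    $present = @($inForce[$right])
    foreach ($acct in $required[$right]) {
        $sid = Get-Sid $acct
        if ($present -contains $acct -or ($sid -and $present -contains $sid)) { continue }
        "MISSING  $acct is not granted $right (in force: $(if ($present) { $present -join ', ' } else { 'nobody' }))"
    }
}
if ($findings) { $findings } else { 'User rights match the KB271071 Policies table.' }
```

A MISSING line for IUSR_<MachineName> under SeInteractiveLogonRight while the account is still listed in the Local Security Policy console is exactly the override the article's note warns about; where gpresult is available, it names the GPO responsible, which is the information to bring to the domain administrators rather than leaving the server off the domain.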
 
Expert Comment by: sftweng (ID: 10842478)
Thank you. I'm pleased to have been able to help.