Solved

Access denied in production environment.

Posted on 2004-08-24
2,135 Views
Last Modified: 2009-07-29
On an XP Pro IIS 5 (development) machine, no problem at all. The ASP.NET application is configured to allow only authenticated users. But, on publishing the app, a network engineer says:

<<
 I have disabled Anonymous Access and made sure Integrated Windows Authentication is enabled, when I open IE I get the following error:

You are not authorized to view this page.

However when I enable Anonymous Access, I get the following:

Server Error in '/TestProject' Application.
----------------------------------------------------------------------------

Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: You do not have permission to view this directory or page using the credentials you supplied. Contact the Web server's administrator for help.

>>

Could someone please help?
Thank you very much indeed,
Peter.
Question by:sumo_the_cat
26 Comments
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11880727
NB. They can view a standard web page (non-ASP.NET) ok.
 
LVL 28

Expert Comment

by:mmarinov
ID: 11880813
Hi,

How do you authorize users to your pages? If you use Windows authentication you have to disable Anonymous access.

Regards,
B..M
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11880883
Yes, it's Win auth, and he disabled anon access (see the top of q.).
 
LVL 9

Expert Comment

by:crescendo
ID: 11881372
Have you set the permissions on the folders and files on the production server to give access to these users?
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11881401
Do you have Identity Impersonate set to True in your web.config file? If so then it's definitely a permissions issue of some sort.

Regards,

Aeros
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11881449
Aeros,
No, not using identity impersonation. Good suggestion though.

crescendo,
 <<Have you set the permissions on the folders and files on the production server to give access to these users?>>
I think this is the problem, but I'm not in physical contact with the production environment / server. Do you know what he needs to do? (They have a large Windows domain network; this is a new server with a clean install and nothing else on it; IIS 6 on Windows Server 2003.)
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11881633
With a 2003 machine the account that needs to have elevated access rights is the NETWORK SERVICES Account.

Regards,

Aeros
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11881929
Rights to what, aeros?

The app should display DOMAIN\username (from User.Identity.Name), but this is coming up blank. This is with Integrated Windows Authentication enabled, and anon access disabled.

Update:
If I select Digest Authentication for Windows Domain Servers (uses AD) it does show domain/username.
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11881962
Aeros, do you mean read-rights to the application folder?
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11882013
Yes, or at least to any folder/file in the Virtual Directory that you wish to change, like your db or xml file if located in your virtual directory.

Regards,

Aeros
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11882176
It's not a problem like that as far as I can see. Haven't got as far as db access yet; I know that I need to grant permission to "network services" to access the SQL database, for example. The problem is this authentication issue. The username should be displayed, should it not? Are you sure "network services" needs explicit permission on the application folder?
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11882471
Not if there is nothing being written to the folders, did you try impersonating identity?

Regards,

Aeros
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11882517
I think the problem is an IE browser setting. Hold that thought though...
 
LVL 17

Assisted Solution

by:AerosSaga
AerosSaga earned 100 total points
ID: 11882832
 
LVL 9

Expert Comment

by:crescendo
ID: 11883763
Hi again

<<Do you know what he needs to do? >>

Your network admin needs to grant NTFS permissions for each of your web users to access the folders associated with the web or virtual directory. At this stage it need only be read permission. When your user logs on with Windows Authentication, his access rights are used. If he hasn't been given permission to read the pages, you'll get that error.

Just tell your admin to go into Windows Explorer and give read permissions to each of the users. It might be easier to create a group in the domain, put your users in that, and just give access to the group. They'll need to log out and back in to the domain for that to take effect, though, so make sure you don't get fooled by a false error!
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11883991
Thanks crescendo, I'll get him to try that tomorrow morning. Does this account for the digest/integrated difference?

Also, he's using the highest admin account on the domain, which already has permissions on everything...  ?
 
LVL 9

Accepted Solution

by:
crescendo earned 400 total points
ID: 11884140
It's usually a good idea to give the ASP user read access too. I see you are using Windows 2003, so the ASP.NET account is "NT AUTHORITY\NETWORK SERVICES".

<<Does this account for the digest/integrated difference?>>

Hmmm. I think it may be down to that logon/logoff issue. Have you set this site up today, after users logged in? Digest authentication does an immediate challenge/response to get a "token" identifying the user, whereas Windows authentication uses the token obtained when the user logged on to the domain. If you added a user to a group that had permission to access the web's files, then digest would work immediately, but windows authentication would start working after they logged off and on.

<<Also, he's using the highest admin account on the domain, which already has permissions on everything>>

This sounds like he needs to give "NT AUTHORITY\NETWORK SERVICES" the necessary permissions. It may be failing even before it tries to read the page. For example, ASP.NET has to read web.config to know which authentication method to use. If it doesn't have permission...
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11887389
crescendo, it sounds like you know your stuff. Please keep with me on this; I'll ask the net admin to follow your advice tomorrow morning.
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11890127
He says the NETWORK SERVICES account doesn't exist.
 
LVL 9

Expert Comment

by:crescendo
ID: 11890169
If it's Windows 2003, it will exist. Note that it is "NT AUTHORITY\NETWORK SERVICES", not an account on the domain or on the local machine. If he types in the name just as given, in the permissions "Add" dialog, it will check out OK.
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11890185
Thanks, I'll forward that. But shouldn't this account automatically have permissions?
 
LVL 9

Expert Comment

by:crescendo
ID: 11890220
Hi again,

I just checked out a 2003 box, it's "NETWORK SERVICE", singular, not plural. You can add it by selecting the local machine name in the "Location" box.

Sorry about that.
 
LVL 9

Expert Comment

by:crescendo
ID: 11890420
<< shouldn't this account automatically have permissions?>>

Within the wwwroot folders, yes. Outside of that, no. It's a member of the IIS_WPG "worker process" group, which has permissions to read web content. Windows 2003 enables you to have application "pools" so that different webs can be isolated from each other for security.

Has your admin removed IIS_WPG from the security list? This is a valid action if you are trying to isolate different applications running on a single server, but you have to replace it with the account used to run that web.

The info below is from Technet's "Configuring Application Isolation on Windows 2003", which is online at:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx


Assigning an Account
When configuring an individual user account as the application pool identity, you must make the user account a member of the IIS_WPG local group. The IIS_WPG group is created to simplify the process of setting the necessary authorizations and rights on all of the system resources that a worker process must access to function properly, including launching application pools. When IIS is installed, or when new application pools are created, the IIS_WPG group is included in all ACLs of resources that the application pool must access. However, it is not necessary to add IIS_WPG to a site's content directories and files. In fact, if you require high isolation between users, but configure ACLs that grant access to IIS_WPG, you may decrease the degree of isolation because all applications whose user accounts are members of the IIS_WPG group would have access to each other's content. Consequently, you will want to add accounts you create for each application pool identity to the IIS_WPG local group, but you should not use the IIS_WPG group in ACLs on content files and directories.
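The two checks crescendo describes (the worker-process account needing Read on the content folder so ASP.NET can load web.config, and IIS_WPG not belonging in content ACLs when application pools are isolated) can be audited from the server in one pass. This is an added example, not code from the thread; it assumes PowerShell is installed on the Windows Server 2003 box, and the folder path and pool identity below are placeholders (NETWORK SERVICE is the IIS 6 default).

```powershell
# Added example, not from this thread: audit an ASP.NET content folder on
# Windows Server 2003 / IIS 6 for the causes discussed above.
# Assumptions (placeholders): $ContentPath is the application's physical folder;
# $PoolIdentity is the worker-process account (IIS 6 default is NETWORK SERVICE).
param(
    [string]$ContentPath  = 'C:\Inetpub\wwwroot\TestProject',
    [string]$PoolIdentity = 'NT AUTHORITY\NETWORK SERVICE'
)

$ReadData = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-ReadAccess {
    # True when $Account has an Allow rule covering ReadData and no Deny rule on it.
    param($Rules, [string]$Account)
    $mine  = @($Rules | Where-Object { $_.IdentityReference.Value -eq $Account })
    $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $ReadData) -ne 0) })
    $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny'  -and (($_.FileSystemRights -band $ReadData) -ne 0) })
    return ($allow.Count -gt 0) -and ($deny.Count -eq 0)
}

$acl   = Get-Acl -Path $ContentPath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# 1. The worker process reads web.config before it can even pick an authentication
#    mode; without Read here the request fails as "Access is denied" (401.2).
if (Test-ReadAccess $rules $PoolIdentity) { "OK:   $PoolIdentity can read $ContentPath" }
else { "FAIL: $PoolIdentity cannot read $ContentPath" }

# 2. With Windows authentication each web user's own token is checked against
#    the content ACL, so list who is granted Read for the admin to compare
#    with the intended user group.
$readers = $rules |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $ReadData) -ne 0) } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
"Principals with Read on content: " + ($readers -join ', ')

# 3. Per the Technet guidance quoted above, IIS_WPG belongs in the pool identity's
#    group membership, not in content ACLs, or isolated pools can read each other's files.
if (@($rules | Where-Object { $_.IdentityReference.Value -like '*\IIS_WPG' }).Count -gt 0) {
    "WARN: IIS_WPG is on the content ACL of $ContentPath (reduces application isolation)"
}

# 4. The application itself must ask for Windows authentication and deny anonymous users.
$cfg  = [xml](Get-Content -Path (Join-Path $ContentPath 'web.config'))
$web  = $cfg.configuration.'system.web'
$mode = $web.authentication.mode
$anon = @($web.authorization.deny | Where-Object { $_.users -eq '?' })
if ($mode -ne 'Windows')  { "WARN: web.config authentication mode is '$mode', not Windows" }
if ($anon.Count -eq 0)    { "WARN: web.config does not contain <deny users=""?""/>" }
```

Run it in an elevated session on the web server; a FAIL on check 1 reproduces the "Access is denied" symptom from the question, while check 2 shows whether the domain group the admin created actually reached the ACL.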
 
LVL 2

Author Comment

by:sumo_the_cat
ID: 11890532
He's logged in this morning and it seems to have fixed it. I guess it was a Token issue - not having logged off the domain after setting up the application. Thanks so much for your help though, and aeros too. It feels like we've trawled through every part of authentication...
 
LVL 9

Expert Comment

by:crescendo
ID: 11890543
You're welcome.
 
LVL 17

Expert Comment

by:AerosSaga
ID: 11891197
indeed ;)