• Status: Solved

Access denied in production environment.

On an XP Pro IIS 5 (development) machine, no problem at all. The ASP.NET application is configured to allow only authenticated users. But, on publishing the app, a network engineer says:

<<
 I have disabled Anonymous Access and made sure Integrated Windows Authentication is enabled; when I open IE I get the following error:

You are not authorized to view this page.

However when I enable Anonymous Access, I get the following:

Server Error in '/TestProject' Application.
----------------------------------------------------------------------------

Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2: You do not have permission to view this directory or page using the credentials you supplied. Contact the Web server's administrator for help.

>>

Could someone please help?
Thank you very much indeed,
Peter.
Asked by sumo_the_cat
 
sumo_the_catAuthor Commented:
NB. They can view a standard web page (non-ASP.NET) ok.
 
mmarinovCommented:
Hi,

how do you authorize users to your pages? if you use windows authentication you have to disable the Anonymous access

Regards,
B..M
 
sumo_the_catAuthor Commented:
Yes, it's Win auth, and he disabled anon access (see the top of q.).
 
crescendoCommented:
Have you set the permissions on the folders and files on the production server to give access to these users?
 
AerosSagaCommented:
Do you have Identity Impersonate set to True in your web.config file? If so then it's definitely a permissions issue of some sort.

Regards,

Aeros
 
sumo_the_catAuthor Commented:
Aeros,
no - not using identity impersonation. Good suggestion though.

crescendo,
 <<Have you set the permissions on the folders and files on the production server to give access to these users?>>
I think this is the problem, but I'm not in physical contact with the production environment / server. Do you know what he needs to do? (They have a large Windows domain network; this is a new server with a clean install and nothing else on it; IIS 6 on Windows Server 2003.)
 
AerosSagaCommented:
With a 2003 machine the account that needs to have elevated access rights is the NETWORK SERVICES Account.

Regards,

Aeros
 
sumo_the_catAuthor Commented:
Rights to what, aeros?

The app should display DOMAIN\username, (from User.Identity.Name ) but this is coming up blank. This is with Integrated Windows Authentication enabled, and anon access disabled.

Update:
If I select Digest Authentication for Windows Domain Servers (uses AD), it does show domain/username.
 
sumo_the_catAuthor Commented:
Aeros, do you mean read-rights to the application folder?
 
AerosSagaCommented:
Yes, or at least to any folder/file in the Virtual Directory that you wish to change, like your db or xml file if located in your virtual directory.

Regards,

Aeros
 
sumo_the_catAuthor Commented:
It's not a problem like that as far as I can see. Haven't got as far as db access yet - I know that I need to grant permission to "network services" to access the SQL database, for example. The problem is this authentication issue. The username should be displayed, should it not? Are you sure "network services" needs explicit permission on the application folder?
 
AerosSagaCommented:
Not if there is nothing being written to the folders, did you try impersonating identity?

Regards,

Aeros
 
sumo_the_catAuthor Commented:
I think the problem is an IE browser setting. Hold that thought though.....
 
crescendoCommented:
Hi again

<<Do you know what he needs to do? >>

Your network admin needs to grant NTFS permissions for each of your web users to access the folders associated with the web or virtual directory. At this stage it need only be read permission. When your user logs on with Windows Authentication, his access rights are used. If he hasn't been given permission to read the pages, you'll get that error.

Just tell your admin to go into Windows Explorer and give read permissions to each of the users. It might be easier to create a group in the domain, put your users in that, and just give access to the group. They'll need to log out and back in to the domain for that to take effect, though, so make sure you don't get fooled by a false error!
 
sumo_the_catAuthor Commented:
Thanks crescendo, I'll get him to try that tomorrow morning. Does this account for the digest/integrated difference?

Also, he's using the highest admin account on the domain, which already has permissions on everything...  ?
 
crescendoCommented:
It's usually a good idea to give the ASP user read access too. I see you are using Windows 2003, so the ASP.NET account is "NT AUTHORITY\NETWORK SERVICES".

<<Does this account for the digest/integrated difference?>>

Hmmm. I think it may be down to that logon/logoff issue. Have you set this site up today, after users logged in? Digest authentication does an immediate challenge/response to get a "token" identifying the user, whereas Windows authentication uses the token obtained when the user logged on to the domain. If you added a user to a group that had permission to access the web's files, then digest would work immediately, but windows authentication would start working after they logged off and on.

<<Also, he's using the highest admin account on the domain, which already has permissions on everything>>

This sounds like he needs to give "NT AUTHORITY\NETWORK SERVICES" the necessary permissions. It may be failing even before it tries to read the page. For example, ASP.NET has to read web.config to know which authentication method to use. If it doesn't have permission...
 
sumo_the_catAuthor Commented:
crescendo, it sounds like you know your stuff. Please keep with me on this; I'll ask the net admin to follow your advice tomorrow morning.
 
sumo_the_catAuthor Commented:
He says the NETWORK SERVICES account doesn't exist.
 
crescendoCommented:
If it's Windows 2003, it will exist. Note that it is "NT AUTHORITY\NETWORK SERVICES", not an account on the domain or on the local machine. If he types in the name just as given, in the permissions "Add" dialog, it will check out OK.
 
sumo_the_catAuthor Commented:
thanks, i'll forward that. But shouldn't this account automatically have permissions?
 
crescendoCommented:
Hi again,

I just checked out a 2003 box, it's "NETWORK SERVICE", singular, not plural. You can add it by selecting the local machine name in the "Location" box.

Sorry about that.
 
crescendoCommented:
<< shouldn't this account automatically have permissions?>>

Within the wwwroot folders, yes. Outside of that, no. It's a member of the IIS_WPG "worker process" group, which has permissions to read web content. Windows 2003 enables you to have application "pools" so that different webs can be isolated from each other for security.

Has your admin removed IIS_WPG from the security list? This is a valid action if you are trying to isolate different applications running on a single server, but you have to replace it with the account used to run that web.

The info below is from Technet's "Configuring Application Isolation on Windows 2003", which is online at:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx


Assigning an Account
When configuring an individual user account as the application pool identity, you must make the user account a member of the IIS_WPG local group. The IIS_WPG group is created to simplify the process of setting the necessary authorizations and rights on all of the system resources that a worker process must access to function properly, including launching application pools. When IIS is installed, or when new application pools are created, the IIS_WPG group is included in all ACLs of resources that the application pool must access. However, it is not necessary to add IIS_WPG to a site's content directories and files. In fact, if you require high isolation between users, but configure ACLs that grant access to IIS_WPG, you may decrease the degree of isolation because all applications whose user accounts are members of the IIS_WPG group would have access to each other's content. Consequently, you will want to add accounts you create for each application pool identity to the IIS_WPG local group, but you should not use the IIS_WPG group in ACLs on content files and directories.



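The two pieces of advice in this thread, crescendo's earlier comment (grant NTFS read access to the web users, or a domain group holding them, and to the worker-process identity) and the IIS_WPG / application-pool isolation guidance quoted from Technet just above, expressed as one script. This is an added example, not code from the thread or from Microsoft; the content path D:\WebSites\TestProject, the domain group CORP\TestProjectUsers, the pool account CORP\svc_testproject, the pool name TestProjectPool and the adsutil.vbs path are hypothetical, and the script assumes a local administrator PowerShell session on the Windows Server 2003 / IIS 6 box.

```powershell
# Added example (not from the original thread). Grants NTFS read access on IIS 6
# web content to the Windows-authenticated users and to the worker-process identity,
# and optionally isolates an application pool: its identity joins the local IIS_WPG
# group, the content is ACLed for that account, and IIS_WPG itself is removed from
# the content ACL as the quoted Technet guidance recommends.
# All names below are hypothetical placeholders.
param(
    [string]$ContentPath = 'D:\WebSites\TestProject',   # hypothetical content folder
    [string]$UserGroup   = 'CORP\TestProjectUsers',      # hypothetical domain group of web users
    [string]$PoolAccount = 'CORP\svc_testproject',       # hypothetical application pool identity
    [switch]$IsolatePool                                  # dedicated identity instead of NETWORK SERVICE
)

$Rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$ReadBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# True if $Identity holds an explicit or inherited Allow entry on $Path that includes ReadData.
function Test-ReadAccess([string]$Path, [string]$Identity) {
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($rule.IdentityReference.Value -ieq $Identity -and
            $rule.AccessControlType -eq $Allow -and
            (([int]$rule.FileSystemRights -band $ReadBit) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Add an inheritable Read & Execute ACE for $Identity on $Path; does nothing if already present.
function Grant-ReadAccess([string]$Path, [string]$Identity) {
    if (Test-ReadAccess $Path $Identity) { "$Identity already has read access to $Path"; return }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $NoProp, $Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    "granted Read & Execute on $Path to $Identity"
}

# Remove every explicit ACE for $Identity on $Path (inherited entries are left alone).
function Revoke-Access([string]$Path, [string]$Identity) {
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        if ($rule.IdentityReference.Value -ieq $Identity) { [void]$acl.RemoveAccessRule($rule) }
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Web users. With Anonymous Access off and Integrated Windows Authentication on,
#    the request is served under the caller's token, so the caller (via the group)
#    needs read access to the content, web.config included.
Grant-ReadAccess $ContentPath $UserGroup

if (-not $IsolatePool) {
    # 2a. Default IIS 6 worker identity; note "NETWORK SERVICE", singular.
    Grant-ReadAccess $ContentPath 'NT AUTHORITY\NETWORK SERVICE'
} else {
    # 2b. Isolated pool: the account must be in the local IIS_WPG group to get the
    #     worker-process rights, but the content ACL names the account, not IIS_WPG,
    #     so worker processes of other pools cannot read this site's files.
    net localgroup IIS_WPG $PoolAccount /add
    Grant-ReadAccess $ContentPath $PoolAccount
    Revoke-Access $ContentPath "$env:COMPUTERNAME\IIS_WPG"
    # The pool identity itself is set in IIS Manager (Application Pools > Properties >
    # Identity) or with adsutil.vbs from the IIS 6 AdminScripts folder (assumed path):
    #   cscript C:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/TestProjectPool/AppPoolIdentityType 3
    #   cscript C:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/TestProjectPool/WAMUserName CORP\svc_testproject
    #   cscript C:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/TestProjectPool/WAMUserPass <password>
}

# 3. Report. A False here for the users' group or the worker identity is the usual
#    cause of the 401.2 / "Access is denied" page described in the question.
foreach ($id in @($UserGroup, 'NT AUTHORITY\NETWORK SERVICE', $PoolAccount)) {
    "{0,-35} read access: {1}" -f $id, (Test-ReadAccess $ContentPath $id)
}
```

Save it as, say, Set-WebContentAcl.ps1 and run it once without switches for the default NETWORK SERVICE pool, or with -IsolatePool after creating the pool account. One caveat that matches how this thread ended: the group membership used by Integrated Windows Authentication comes from the token built when the user logged on, so a user added to CORP\TestProjectUsers keeps getting 401.2 until they log off and on again, even though the ACL is already correct.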
 
sumo_the_catAuthor Commented:
He's logged in this morning and it seems to have fixed it. I guess it was a Token issue - not having logged off the domain after setting up the application. Thanks so much for your help though, and aeros too. It feels like we've trawled through every part of authentication...
 
crescendoCommented:
You're welcome.
 
AerosSagaCommented:
indeed ;)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 12
  • 7
  • 6
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now