sumo_the_cat asked:
Access denied in production environment.

On an XP Pro IIS 5 (development) machine, no problem at all. The ASP.NET application is configured to allow only authenticated users. But, on publishing the app, a network engineer says:

<<
I have disabled Anonymous Access and made sure Integrated Windows Authentication is enabled; when I open IE I get the following error:

You are not authorized to view this page.

However when I enable Anonymous Access, I get the following:

Server Error in '/TestProject' Application.
----------------------------------------------------------------------------

Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: You do not have permission to view this directory or page using the credentials you supplied. Contact the Web server's administrator for help.

>>

Could someone please help?
Thank you very much indeed,
Peter.
sumo_the_cat (ASKER):
NB. They can view a standard web page (non-ASP.NET) ok.
Hi,

How do you authorize users to your pages? If you use Windows authentication you have to disable Anonymous access.

Regards,
B..M
Yes, it's Win auth, and he disabled anon access (see the top of q.).
Have you set the permissions on the folders and files on the production server to give access to these users?
Do you have Identity Impersonate set to True in your web.config file? If so, then it's definitely a permissions issue of some sort.

Regards,

Aeros
Aeros,
No, not using identity impersonation. Good suggestion though.

crescendo,
 <<Have you set the permissions on the folders and files on the production server to give access to these users?>>
I think this is the problem, but I'm not in physical contact with the production environment / server. Do you know what he needs to do? (They have a large Windows domain network; this is a new server with a clean install and nothing else on it; IIS 6 on Windows Server 2003.)
With a 2003 machine, the account that needs to have elevated access rights is the NETWORK SERVICES account.

Regards,

Aeros
Rights to what, aeros?

The app should display DOMAIN\username, (from User.Identity.Name ) but this is coming up blank. This is with Integrated Windows Authentication enabled, and anon access disabled.

Update:
If I select Digest Authentication for Windows Domain Servers (uses AD), it does show domain\username.
Aeros, do you mean read-rights to the application folder?
Yes, or at least to any folder/file in the Virtual Directory that you wish to change, like your db or xml file if located in your virtual directory.

Regards,

Aeros
It's not a problem like that as far as I can see. Haven't got as far as db access yet; I know that I need to grant permission to "network services" to access the SQL database, for example. The problem is this authentication issue. The username should be displayed, should it not? Are you sure "network services" needs explicit permission on the application folder?
Not if there is nothing being written to the folders, did you try impersonating identity?

Regards,

Aeros
I think the problem is an IE browser setting. Hold that thought, though.....
Hi again

<<Do you know what he needs to do? >>

Your network admin needs to grant NTFS permissions for each of your web users to access the folders associated with the web or virtual directory. At this stage it need only be read permission. When your user logs on with Windows Authentication, his access rights are used. If he hasn't been given permission to read the pages, you'll get that error.

Just tell your admin to go into Windows Explorer and give read permissions to each of the users. It might be easier to create a group in the domain, put your users in that, and just give access to the group. They'll need to log out and back in to the domain for that to take effect, though, so make sure you don't get fooled by a false error!
Thanks crescendo, I'll get him to try that tomorrow morning. Does this account for the digest/integrated difference?

Also, he's using the highest admin account on the domain, which already has permissions on everything... ?
crescendo, it sounds like you know your stuff. Please keep with me on this; I'll ask the net admin to follow your advice tomorrow morning.
He says the NETWORK SERVICES account doesn't exist.
If it's Windows 2003, it will exist. Note that it is "NT AUTHORITY\NETWORK SERVICES", not an account on the domain or on the local machine. If he types in the name just as given, in the permissions "Add" dialog, it will check out OK.
Thanks, I'll forward that. But shouldn't this account automatically have permissions?
Hi again,

I just checked out a 2003 box, it's "NETWORK SERVICE", singular, not plural. You can add it by selecting the local machine name in the "Location" box.

Sorry about that.
<< shouldn't this account automatically have permissions?>>

Within the wwwroot folders, yes. Outside of that, no. It's a member of the IIS_WPG "worker process" group, which has permissions to read web content. Windows 2003 enables you to have application "pools" so that different webs can be isolated from each other for security.

Has your admin removed IIS_WPG from the security list? This is a valid action if you are trying to isolate different applications running on a single server, but you have to replace it with the account used to run that web.

The info below is from Technet's "Configuring Application Isolation on Windows 2003", which is online at:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx


Assigning an Account
When configuring an individual user account as the application pool identity, you must make the user account a member of the IIS_WPG local group. The IIS_WPG group is created to simplify the process of setting the necessary authorizations and rights on all of the system resources that a worker process must access to function properly, including launching application pools. When IIS is installed, or when new application pools are created, the IIS_WPG group is included in all ACLs of resources that the application pool must access. However, it is not necessary to add IIS_WPG to a site's content directories and files. In fact, if you require high isolation between users, but configure ACLs that grant access to IIS_WPG, you may decrease the degree of isolation because all applications whose user accounts are members of the IIS_WPG group would have access to each other's content. Consequently, you will want to add accounts you create for each application pool identity to the IIS_WPG local group, but you should not use the IIS_WPG group in ACLs on content files and directories.
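As an added example (not from the thread or from Technet), the cacls commands a Windows Server 2003 admin could type to apply the advice above: read access on the site's content folder for a domain group holding the web users, and for the application pool identity rather than the shared IIS_WPG group. The folder path and the group name CORP\WebUsers are placeholders.

```batch
@echo off
REM Added example, not from the thread. Assumed placeholders: the content
REM folder below and the domain group CORP\WebUsers.
set CONTENT=D:\Inetpub\wwwroot\TestProject

REM 1. Read (R) for the domain group that contains the Windows-authenticated
REM    users. /E edits the existing ACL instead of replacing it; /T recurses
REM    into subfolders and files.
cacls "%CONTENT%" /E /T /G "CORP\WebUsers":R

REM 2. Read for the worker process identity of a default 2003 app pool:
REM    NETWORK SERVICE (singular), a built-in account on the local machine.
cacls "%CONTENT%" /E /T /G "NT AUTHORITY\NETWORK SERVICE":R

REM 3. Optional isolation step from the Technet text: drop the shared IIS_WPG
REM    group from the content ACL so other app pools cannot read this site.
REM    Only do this after step 2 has granted the pool identity directly.
cacls "%CONTENT%" /E /T /R "IIS_WPG"

REM 4. Print the resulting ACL so the admin can confirm the entries before
REM    testing in IE. Users added to CORP\WebUsers must log off and back on
REM    to the domain, or their logon token will not carry the new group.
cacls "%CONTENT%"
```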
He's logged in this morning and it seems to have fixed it. I guess it was a Token issue - not having logged off the domain after setting up the application. Thanks so much for your help though, and aeros too. It feels like we've trawled through every part of authentication...
You're welcome.
indeed ;)