Solved

<identity impersonate="true" /> and local server

Posted on 2004-09-10
16
18,677 Views
Last Modified: 2011-08-18
I have a site that has an insert satement for an MS Access file and if i don't have the <identity impersonate="true" /> in the web.config file it runs ok on my local server but not on the production server, but if i add it it works fine on the production server but get an error on my local server.  Both machines have read/write/modify for the mdb file for everyone and IUSR.  

Am I missing something on the settings?  What's not set on my local server that needs to be for the <identity impersonate="true" /> statement?  
0
Comment
Question by:dougfosterNYC
  • 6
  • 4
  • 2
  • +2
16 Comments
 
LVL 7

Expert Comment

by:imsolost
ID: 12026680
Does the Access file reside on the web server?
Are you using windows Authentication?
0
 
LVL 33

Expert Comment

by:raterus
ID: 12026701
Can you give more info on this error?  Can you confirm it is directly related to the mdb file, or could it be an aspx page.  When you set <identity impersonate="true" /> your aspx pages themselves are going to need to have permission set for this impersonated user.
0
 

Author Comment

by:dougfosterNYC
ID: 12026761
Yes, the access file is on the web server.  It's just an MDB file in the same directory (or DB subdirectory) of the web site.  I wish I was more knowledgable about authentication, otherwise I probably wouldn't be so confused here.  on my local server I just set to read/write/modify in the file properties and gave it to Everyone, which also goes to IUSR.  

The question is, what does the <identity impersonate-"true" /> statement do?  With this statement the file is updateable on the production server but not when run it locally on my server.  When I don't have the statement in it runs fine on my local server and I can update the MDB file.  
0
 

Author Comment

by:dougfosterNYC
ID: 12026822
Ok, I"m not being clear here.  I have this site working on two servers, my own and a production server.  I can get the insert action working on both servers, but it works on the production server with the <identity impersonate="true"> in the web.config file and on my local machine when I don't have the statement in.  So it shouldn't be a problem with an aspx file.  

I don't understand authentication that well, so it should be a simple setting, or something, that i change on my local server.  Maybe it's because I come in on my local browser and the authentication is different because it's localserver.  
0
 

Author Comment

by:dougfosterNYC
ID: 12026853
To follow up.  I want to be able to have this run on both servers with the same environment.  I have more control over the local server, so i want to make the change on my machine, with the <identity> statement set as true.  
0
 
LVL 33

Expert Comment

by:raterus
ID: 12026895
<identity impersonate="true" /> will assume the identity of the authenticated user connected to IIS (usually replacing the ASPNET user).  Here is some more info on which permissions are set.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
0
 
LVL 33

Expert Comment

by:raterus
ID: 12026916
What type of authentication are you using on IIS?  (it's under the directory security tab of the directory)  Anonymous/Integrated Windows/Basic/Digest?  If you can tell me this I can tell you who should have permissions where based on your impersonation.
0
 

Author Comment

by:dougfosterNYC
ID: 12027643
I'm using Anonymous authentication.  
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 7

Expert Comment

by:imsolost
ID: 12027841
If you are using anonymous authentication then IIS will ignore your windows auth.  If this is on an Active directory domain try turning off the Anon auth and just leave windows auth on.  If it is not on a win domain try using basic auth.  Basic auth is not very secure as it sends usernames and passwords in plain text but it will tell us if it is a rights issue.  My first thought was this is the IIS 2 hop issue where you lose credentials on the second hop but it looks like that is not the problem.
0
 
LVL 10

Accepted Solution

by:
jnhorst earned 250 total points
ID: 12028182
From your comments above it looks like the Access database is on the production server and when you try to access it from your dev machine you are trying to access it by way of a network filesystem share.  Am I right on this?  If this is the case, what is happening is that when you try to access it over the network, that attempt is being made in the security context of the IUSR_ account *on your dev box*.  Your production server knows nothing about the IUSR_ account on your dev box and is reejcting the attempt.  What you need to do is create a domain/Active Directory account specifically for authenticating anonymous requests.  Then on both your production server and dev box, set IIS to authentocate anonymoous requests with this account rather than the local IUSR_ accounts.  Of course you will need to give this new domain account the proper permissions to access the MDB file on the production server.

John
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12028215
Also, keep <identity impersonate="true" /> in web.config.

John
0
 

Author Comment

by:dougfosterNYC
ID: 12028470
I have the Access database on both machines.  I'm trying to have the two machines do the exact same thing.  The only difference is that I'm testing on my own machine so the browser (me, when I'm testing) is on the localserver, so that might be confusing things.  
0
 
LVL 33

Expert Comment

by:raterus
ID: 12029996
If you impersonate with anonymous authentication, both your aspx pages and the database will need to have permissions of the anonymous user configured in IIS.  Is this the case?
0
 
LVL 9

Expert Comment

by:hismightiness
ID: 12068925
Arrrggghhh!!!!  This got me for a long time before I figured out what was happening.  That's one of the a,azingly high number of reasons why I do not use Access for anything anymore.  However, jnhorst has this one right on the money.  This will forever be a sore spot for me.  

dougfosterNYC, the more I develop, the more I find that the Web.Config will almost never be the same in both environments.  However, the rest of the files (barring updates) will.  the reason for this is that on your development machine, you are running as yourself with what I assume is administrative (or close) priveledges.  Whenever you perform network requests, YOUR windows login credentials will always be used.  While developing with Visual Studio, a lot of that is so transparent now that it gets so easy to hit road blocks if you aren't paying attention.  It gets to where you oftentimes cannot tell if you are sending a request to IIS, or other way through the network and windows.

This opens another big can of worms where you can use aspnet_wp.exe to authenticate all request types by file extension...
0
 

Author Comment

by:dougfosterNYC
ID: 12069294
Thanks guys.  I basically got something running, although my web.config is different on each machine.  
0
 
LVL 9

Expert Comment

by:hismightiness
ID: 12069441
** Correction for me - aspnet_wp.exe should be aspnet_isapi.exe **
D'oh!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Code works but how can I download the file? 20 67
Adjust the position 3 49
Word Directory is not in the drop down list 4 25
Angular JS Route 3 54
I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
This article discusses the ASP.NET AJAX ModalPopupExtender control. In this article we will show how to use the ModalPopupExtender control, how to display/show/call the ASP.NET AJAX ModalPopupExtender control from javascript, how to show/display/cal…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now