Solved

<identity impersonate="true" /> and local server

Posted on 2004-09-10
Last Modified: 2011-08-18
I have a site that has an insert statement for an MS Access file and if I don't have the <identity impersonate="true" /> in the web.config file it runs ok on my local server but not on the production server, but if I add it it works fine on the production server but I get an error on my local server.  Both machines have read/write/modify for the mdb file for everyone and IUSR.

Am I missing something on the settings?  What's not set on my local server that needs to be for the <identity impersonate="true" /> statement?  
Question by:dougfosterNYC
16 Comments
 
LVL 7

Expert Comment

by:imsolost
Does the Access file reside on the web server?
Are you using windows Authentication?
0
 
LVL 33

Expert Comment

by:raterus
Can you give more info on this error?  Can you confirm it is directly related to the mdb file, or could it be an aspx page.  When you set <identity impersonate="true" /> your aspx pages themselves are going to need to have permission set for this impersonated user.
0
 

Author Comment

by:dougfosterNYC
Yes, the access file is on the web server.  It's just an MDB file in the same directory (or DB subdirectory) of the web site.  I wish I was more knowledgeable about authentication, otherwise I probably wouldn't be so confused here.  On my local server I just set to read/write/modify in the file properties and gave it to Everyone, which also goes to IUSR.

The question is, what does the <identity impersonate="true" /> statement do?  With this statement the file is updateable on the production server but not when I run it locally on my server.  When I don't have the statement in it runs fine on my local server and I can update the MDB file.
0
 

Author Comment

by:dougfosterNYC
Ok, I'm not being clear here.  I have this site working on two servers, my own and a production server.  I can get the insert action working on both servers, but it works on the production server with the <identity impersonate="true"> in the web.config file and on my local machine when I don't have the statement in.  So it shouldn't be a problem with an aspx file.

I don't understand authentication that well, so it should be a simple setting, or something, that I change on my local server.  Maybe it's because I come in on my local browser and the authentication is different because it's localserver.
0
 

Author Comment

by:dougfosterNYC
To follow up.  I want to be able to have this run on both servers with the same environment.  I have more control over the local server, so I want to make the change on my machine, with the <identity> statement set as true.
0
 
LVL 33

Expert Comment

by:raterus
<identity impersonate="true" /> will assume the identity of the authenticated user connected to IIS (usually replacing the ASPNET user).  Here is some more info on which permissions are set.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
0
 
LVL 33

Expert Comment

by:raterus
What type of authentication are you using on IIS?  (it's under the directory security tab of the directory)  Anonymous/Integrated Windows/Basic/Digest?  If you can tell me this I can tell you who should have permissions where based on your impersonation.
0
 

Author Comment

by:dougfosterNYC
I'm using Anonymous authentication.  
0
 
LVL 7

Expert Comment

by:imsolost
If you are using anonymous authentication then IIS will ignore your windows auth.  If this is on an Active directory domain try turning off the Anon auth and just leave windows auth on.  If it is not on a win domain try using basic auth.  Basic auth is not very secure as it sends usernames and passwords in plain text but it will tell us if it is a rights issue.  My first thought was this is the IIS 2 hop issue where you lose credentials on the second hop but it looks like that is not the problem.
0
 
LVL 10

Accepted Solution

by:
jnhorst earned 250 total points
From your comments above it looks like the Access database is on the production server and when you try to access it from your dev machine you are trying to access it by way of a network filesystem share.  Am I right on this?  If this is the case, what is happening is that when you try to access it over the network, that attempt is being made in the security context of the IUSR_ account *on your dev box*.  Your production server knows nothing about the IUSR_ account on your dev box and is rejecting the attempt.  What you need to do is create a domain/Active Directory account specifically for authenticating anonymous requests.  Then on both your production server and dev box, set IIS to authenticate anonymous requests with this account rather than the local IUSR_ accounts.  Of course you will need to give this new domain account the proper permissions to access the MDB file on the production server.

John
0
 
LVL 10

Expert Comment

by:jnhorst
Also, keep <identity impersonate="true" /> in web.config.

John
0
 

Author Comment

by:dougfosterNYC
I have the Access database on both machines.  I'm trying to have the two machines do the exact same thing.  The only difference is that I'm testing on my own machine so the browser (me, when I'm testing) is on the localserver, so that might be confusing things.  
0
 
LVL 33

Expert Comment

by:raterus
If you impersonate with anonymous authentication, both your aspx pages and the database will need to have permissions of the anonymous user configured in IIS.  Is this the case?
0
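A diagnostic for the point made in the comment above, added here as an example and not code posted by anyone in the thread: a generic handler that reports which Windows account the request thread runs as (the account NTFS checks when the MDB file is opened) and whether that account can open the file for read/write. The handler name `WhoAmI.ashx` and the path `~/DB/site.mdb` are assumptions; run it on each server with and without `<identity impersonate="true" />` and compare the output.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmI" %>
// Added diagnostic, not from the thread. Save as WhoAmI.ashx in the site
// root and delete it once the permission problem is found.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class WhoAmI : IHttpHandler
{
    // Assumption: hypothetical location of the Access file; adjust to the site.
    const string DbVirtualPath = "~/DB/site.mdb";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";

        // Identity IIS attached to the request; an empty name means anonymous.
        IIdentity user = (ctx.User != null) ? ctx.User.Identity : null;
        ctx.Response.Write("Request user : '" + (user != null ? user.Name : "")
            + "' authenticated=" + (user != null && user.IsAuthenticated) + "\n");

        // Account the thread actually runs as, which is what file ACLs are
        // checked against. With impersonation on and anonymous access this is
        // the IIS anonymous account; with impersonation off it is the
        // worker-process account (for example ASPNET).
        ctx.Response.Write("Thread token : " + WindowsIdentity.GetCurrent().Name + "\n");

        string path = ctx.Server.MapPath(DbVirtualPath);
        ctx.Response.Write("Read/write   : " + Probe(path) + "\n");
    }

    // Opens the file for read/write and closes it again without changing it.
    static string Probe(string path)
    {
        try
        {
            using (FileStream fs = new FileStream(path, FileMode.Open,
                       FileAccess.ReadWrite, FileShare.ReadWrite))
            {
                return "OK";
            }
        }
        catch (UnauthorizedAccessException) { return "DENIED for the thread token account"; }
        catch (IOException ex) { return "I/O error: " + ex.GetType().Name; }
    }
}
```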
 
LVL 9

Expert Comment

by:hismightiness
Arrrggghhh!!!!  This got me for a long time before I figured out what was happening.  That's one of the amazingly high number of reasons why I do not use Access for anything anymore.  However, jnhorst has this one right on the money.  This will forever be a sore spot for me.

dougfosterNYC, the more I develop, the more I find that the Web.Config will almost never be the same in both environments.  However, the rest of the files (barring updates) will.  The reason for this is that on your development machine, you are running as yourself with what I assume is administrative (or close) privileges.  Whenever you perform network requests, YOUR windows login credentials will always be used.  While developing with Visual Studio, a lot of that is so transparent now that it gets so easy to hit road blocks if you aren't paying attention.  It gets to where you oftentimes cannot tell if you are sending a request to IIS, or other way through the network and windows.

This opens another big can of worms where you can use aspnet_wp.exe to authenticate all request types by file extension...
0
 

Author Comment

by:dougfosterNYC
Thanks guys.  I basically got something running, although my web.config is different on each machine.  
0
 
LVL 9

Expert Comment

by:hismightiness
** Correction for me - aspnet_wp.exe should be aspnet_isapi.exe **
D'oh!
0
