Solved

How to save upload on second server?

Posted on 2004-10-11
26
419 Views
Last Modified: 2008-01-09
Hi all!

I have two upload scripts. One selfmade with uploading by filesystemobject and one by using COM (ASPPW.Upload). They both work fine, until I want to save on antoher server / a network path.

I have two webservers running for load balancing and I configured IIS to load all pictures from Server A (www...). So if a user is on Server B (www2...), the virtual directory "/images" is pointing to a network path "//ServerB/inetpub/wwwroot/images/". This works fine. Uploading pictures to Server A is no problem cause pics are uploaded to local folder, but if I use the same scripts for Server B there are permission issues and I can not upload anything.

Folder images on Server A has full access for everyone, so it should work I think. The path is configured by using Server.MapPath("/images") on Server B and the path seems to be right. If I try to map the directory as drive on Server B it also does not work (Server.MapPath("I:\")).

What can I do to get the upload running? Any more information needed?
0
Comment
Question by:Sven
  • 13
  • 11
  • 2
26 Comments
 
LVL 11

Expert Comment

by:coopzz
ID: 12275503
it will most probably be either the IWAM_Usr which is the account that lauchs out of process objects or which ever is you iis log in user (which by default is you IUSR_Machinename in anonymous authentication),

So you need to give the directorys you want to be able to upload to premisson to those accounts.  If your on a cross domain it gets a bit tricker again.

Good Luck

CooPzZ
0
 
LVL 11

Author Comment

by:Sven
ID: 12275614
I allready tried given IWAM_ServerB and IUSR_ServerB user full access to the image folder of Server A, without success. Also "everyone" has full access. I get an "access denied" error everytime. Strange is that if I choose an non existing folder the same error occurs, but only if it is on network path.

example:

\\ServerA\inetpub\wwwroot\images --> Exists, but "access denied"

\\ServerA\inetpub\wwwroot\images2 --> Does not exist, and also error "access denied"
0
 
LVL 11

Author Comment

by:Sven
ID: 12275657
I have to add some information:

- Server A and Server B are within the same windows domain.
- Server B is Domain Controller
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12275718
Well one way that I have solved these problems for sure is to put an object into the COM+ server that wraps a copy file function make it a Server Application and change the user that creates the object to you admin user and you should defenately get access to copy because you will know the user that is running the object.

So after you've done that you upload the file to your server A copy with com+ object then delete from server A or what ever.

The other thing I can think of is to add the computer account to the serverB folder with permissions.
0
 
LVL 11

Author Comment

by:Sven
ID: 12275746
Problem is, that Content Manager will get randomly to www. or www2. and if they run the upload scripts on www2. they have no permission to save to the virtual folder. I can not redirect them to www. cause I do not know the IPs of these users, they have dynamic ones. So I have to get the upload scripts to work :(
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12275837
Actually have you tried changin the anonymous authentication to an admin user(you domain Admin) and see if you get the same error?
0
 
LVL 11

Author Comment

by:Sven
ID: 12275856
I did not try that and I do not want to change this option cause I can not oversee the whole reaction of the system, COM+ and scripts if I do that.
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12275893
Just add another area that you can play around with (make a virtual directory, modifiy a script to upload a file to your directory and change the authentication only on that virtual directory and you won't touch a thing) I'm only asking this way to rule out that it's a front in IIS problem.
0
 
LVL 11

Author Comment

by:Sven
ID: 12275982
Changing authentication was not successfull too :(
Maybe it is not even possible to save files cross server!?
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12276060
yer it can be a pain sercurity some days.

it can be done via the com+ object way I describe above for I use it every day. you could even probably put the upload object in it to impersonate as well but I wouldn't recommend that..

Arr what can it be.?? Have you checked your Event Logs

Whats your server OS's and IIS version..

See from memory the biggest problem is that your running iis processes from a local account on the machine and it does that in the background, you can tell this by watching you task manager on the web server and watch the IWAN_Usr process get used in the upload.  I think you have to find a way to impersonte the IWAN_Usr in the COM+(CompontServices in Admin Tools) servers,  I trying to find out how.
0
 
LVL 11

Author Comment

by:Sven
ID: 12276142
Eventlog tells nothing.
DLLHost3g.exe is running under IWAM account.

Server is Windows Advanced Server with IIS 5.
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12276286
http://support.microsoft.com/default.aspx?scid=kb;EN-US;184566
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q197964

Have a look at those, from what i'm thinking this may help solve the problem..

--Extract--  Active Server Pages (ASP) pages are often run under the security context of the Internet Guest Account (or, by default, the IUSR_<ComputerName> account). Within these ASP pages, when you reference files or databases on a computer other than the Web server, you must often duplicate this user (the Anonymous user account) on the remote computer. This is because, by default, the Internet Guest Account is a local computer account on the Web server and is not recognized by any other computer on the network. If you duplicate the Internet Guest Account on another computer, you can enable that remote computer to authenticate the account and allow access to resources on that computer.
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12276386
and I'm reconing that it's probably the a policy thats's giving the permission denied

-- extract -- Grant New Anonymous Account "Log on Locally" Rights

before you start playing with adding users try looking at your Local Security Policy and find the Log On locally key and check some of these.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 6

Expert Comment

by:masirof
ID: 12277765
Hmm, can user IWAM_Usr of one computer can access another computer and if there is Active Directory active. Looks like you should authenticate with some other user maybe. I am not sure but if you try to access \\ServerB directly from your computer when loggen let's say with IWAM_Usr, can you access it? Or you have to authenticate via some other user, like a user from AD or ServerB's administrator user..
0
 
LVL 6

Expert Comment

by:masirof
ID: 12277777
@coopzz,
Sorry didnt see your messege :))
0
 
LVL 11

Author Comment

by:Sven
ID: 12284527
I added IUSR and IWAM to Server A local users and guest group. I also unchecked IIS control of anonymous password on Server B for IUSR but nothing helped me out :(

I still get the error "permission denied".
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12285589
OK it's funny I had the same problem at work today basically, I've got a win2k3 server that I store all the files I upload and 2k web server that dishes it.  And no I couldn't copy throught the upload object I was using [HUGEAsp].

How I fixed it similar to what I was describing above but I can tell you what worked for me now.

On your serverB that you copying to open up your Admin Tools | Local Security Policy.
Drill down Security Settings | Local Policys | User Rights assignment
Find 'Access Computer From Network' and Add your server A to the list (you will most probably have to check the box in types to look for)
Find 'Log On Locally' and add the computer again.
Rebooted the iis, but recommend rebooting the server
     And wammo it worked
#Note: the folder it was coping to had everyone full control.

Cheers Hope it works for you

CooPzZ
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12294589
?¿ did you get it going ¿?
0
 
LVL 11

Author Comment

by:Sven
ID: 12295175
I can not add the "computer" to the local security policy. I only can add users and groups. I added IWAM and IUSR for the server but this did not work. The server I am copying from is the domain controller. Maybe there is s.th. about this!?
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12295516
Well I just thought Of hopefully the last place that you can change.

I take it your on win 2k servers then.

in you component Services MMC Console if you drill down to.
Computers | ComputerName | IIS Out-Of-Process Pooled Applications
 go propertys on this, goto Identity you should notice that this is IWAM_MachineName

So this is where the objects are being created (You should be able to change this to you privledged/domain account) and off ya go.
0
 
LVL 11

Author Comment

by:Sven
ID: 12295817
First: No success :(

Second: I do not even know why to change "Out-Of-Process Pooled" identity!? Can you explain? The COM+ package was not even running before or after the changes, so we do not need them at all I think.

As I wrote before, we are using two W2k Advanced Server machines. One of them is the domain controller.
0
 
LVL 11

Accepted Solution

by:
coopzz earned 500 total points
ID: 12297013
Did you reboot IIS & the reboot the Component better yet the server?

The reason I said to look into this is because this is where the behind the scenes objects get created and used depening on you configuration in IIS. I can only guess from some of the info you have given ie:" DLLHost3g.exe is running under IWAM account. " And I gather that was what the User was when you looked at it.

Heres a couple of articles that go into it a bit.
http://support.sas.com/rnd/itech/doc9/admin_oma/sasserver/comdcom/aspdcom.html
http://www.win2000mag.com/Web/Article/ArticleID/20426/20426.html

There is an important not in the first one that may help in configuring yours ie: make it a high isolated app in IIS and configue the com+ process with the user you want.
0
 
LVL 11

Author Comment

by:Sven
ID: 12297211
Problem is, I can not reboot the machine and rebooting IIS is also not the best way, cause the two servers I am speaking of are in production and there is an online shop running and it would cost us real money to reboot the server :(

Also we do not want to run IIS in high isolated cause of performance. So this is not an option, even if it would be the only one.
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12297256
Well theres your answer then you cann't do it the way you want to do it.

Sorry but thats all I've got, happy coding

0
 
LVL 11

Author Comment

by:Sven
ID: 12297289
okay, thx. will give you points for your effort to help!
0
 
LVL 11

Expert Comment

by:coopzz
ID: 12297300
Thx I think we explored as much of IIS as you can get.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now