PHP File Operations using UNC Paths on IIS7

swannpor
swannpor used Ask the Experts™
on
Hi folks

I'm having some trouble with a PHP script I've written to write some directories to the file system using IIS7.5.

I'm using Windows Authentication with Anonymous Authentication disabled (thus current user credentials are passed through to IE). The script would run and write files to the same server and worked fine.

The directory being written to definitely has the correct permissions. When writing to the directory on FS1, I was originally using the local disk drive:

$basepath = D:\\Data;

Open in new window


This worked. I've made sure the user logged in (thus running the script) also has Full Control to the directory.

Because this folder is shared out to users as "Data", I then changed this to a UNC path:
$basepath = \\\\FS1\\Data;

Open in new window


This also worked.

However, I've moved the website to an alternative server (to seperate roles). The previous server (FS1) is now just a file server, with the second (WEB1) hosting the website. Both are Win2k8 R2 VMs using IIS7.5.

If I use the same UNC path on WEB1, I get a permission denied PHP error when running mkdir. I've tried writing back the other way as well (run the script from FS1 to a folder on WEB1) and get the same result.

I have Kernel-mode authentication turned OFF, extended protection turned OFF and Kerberos as the only authentication provider.

So I'm not sure why if I write to a UNC path on the same server all is fine, but if i write to a UNC path on a different server (same NTFS permissions) I get "permission denied".
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Its probably because the account used doesn't allow network access. Check the account used for the application pool and for the web site.
Most Valuable Expert 2011
Top Expert 2016

Commented:
Sometimes the PHP predefined constants are helpful.  You might try using DIRECTORY_SEPARATOR in your file paths.

Commented:
I am pretty sure this is due to permissons problems as I've mentioned before and not an issue with directory separators. Otherwise local unc path wouldn't work.
CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Author

Commented:
Yeah you're right kmalte the local UNC path is working, just not when calling the UNC path to a remote server.

I've got the directory running as Windows Authentication (we're in an AD environment). I'm running the script in the browser logged in with my own account and the directory on the remote server also has Full Control NTFS permissions for my account (just the same as when testing a local server directory with the same NTFS permissions and it works).

So, the NTFS permissions are identical on both the remote and the local directory, but only fails if running the script against the remote UNC path.

Commented:
But what account is used for the application pool?

Author

Commented:
Okay just checked what user was being used when running the script using Process Monitor, it's "IIS APPPOOL\DefaultAppPool"

So, as you suggest kmalte, it seems an issue with the app pool user? I've gone into Advanced Settings for the DefaultAppPool and the Identity is set to "ApplicationPoolIdentity". Is this the right spot to change the setting or is there somewhere else to set the user cred to be passed through?

Commented:
Youre in the right place. What you need now is either an AD account (if the servers are in the same AD) or setup the same local account with the same password on both servers.

Author

Commented:
Hmm I'd prefer to not specify the user. Given the application web site is using "Application user (pass-through authentication)", I'm guessing this is sent to the App Pool for use? So not sure why I would need to specify a single user?

Also, just to try it, I changed the Identity for the App Pool from ApplicationPoolIdentity to my own AD account as a custom account. After cycling IIS I was then unable to browse to the website in the browser using my AD account and got a 401 unauthorised error.
Commented:
Your user account lacks permissions either on the site itself or any other folder that the application pool uses (temp etc.).

I know there's a hitch with pass-through authentication and accessing unc-paths but I cant remember what it is. Its 6:30 in the morning here so Im not quite awake yet. I'll get back later with more info. Some links to check out:
http://bugs.php.net/bug.php?id=52376
http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx

You can check what account the php_cgi.exe (or whatever php exe/dll you use) is started with using Sysinternals process monitor.

Author

Commented:
Awesome, solved it using php bug #52376 as posted.
"The correct solution is to actually set the "Physical Path Credentials"
This however raises an IIS bug that the credentials of the Application Pool don't get passed to the path correctly, although it's set to take over the App Pool credentials"
Annoying bug, doesn't seem definite if it is a problem with PHP or IIS7, but alas a workaround. I'm using the latest version of PHP 5.3.3 so I guess the bug still isn't fixed.
Hope I didn't break your sleep in :) 3pm here in Aust. Thanks so much for your help!

Author

Commented:
Solved.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial