Link to home
Start Free TrialLog in
Avatar of kmaynard
kmaynardFlag for New Zealand

asked on

How do I fix Shared folder access denied for IIS7.5 32-bit ISAPI on Server 2008 R2

I am moving a once-working ISAPI written in Delphi 7 from Server 2003 to a Server 2008 R2 named KAKA. It runs in a 32-bit pool as NetworkService. KAKA is a domain controller. Most of the ISAPI works, except for where it should search a folder using findfirst, findnext on a share on the other DC (\\KEA\MPE). Findfirst returns 5 (access denied). I have tested it with a local folder which works fine. The share has 'Everyone full' for protection, and the NTFS permissions are Read/Execute/list/Read for Dom\KAKA$. which I am told is how NetworkService presents itself to the other machine. I looked at it with windows explorer 'effective permissions' from an XP client, and it shows OK read etc access for Dom\KAKA$. If I use ISAPIFWD (from Eggcentric) on KAKA to debug the ISAPI DLL on my XP machine, it works fine (probably because the debug user has domain-wide admin permissions).

What am I missing? I am all for enhanced security, but when it stops the app working completely, it is somewhat frustrating.
Avatar of Ephraim Wangoya
Ephraim Wangoya
Flag of United States of America image


Try starting the service with a different administrative logon user.
Avatar of kmaynard

ASKER

Do you mean the main WWW Publishing Service (which is currently running as LocalSystem)? The Application Pool which hosts the ISAPI is running under NetworkService.
WS2008 R2 won't let me change the service logon credentials. I tried changing the App Pool credentials to administrator, but that made no difference. I set security logging on the share on the file server, but no access was logged. I then did security logging, and I could see that the Web server logged on to the file server with anonymous access, not Dom\WebServer$ as I expected.

I then altered the access to the webserver Scripts dir (where the ISAPI is) to use Basic Authentication, rather than anonymous. As expected I got a userid/pass dialog, and when these were entered the problem disappeared. So - it seems that the ISAPI App Pool used authentication inherited from me, as web page viewer, rather than have permissions in its own right. (Or something!)

Does this provide a better clue as to what is going wrong?
ASKER CERTIFIED SOLUTION
Avatar of kmaynard
kmaynard
Flag of New Zealand image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
It was the only complete solution offered. Worth a C because it took a long.