noooodlez
asked on
Classic ASP vs MS Access folder permissions. Microsoft OLE DB Provider for ODBC Drivers error '80004005'
Hi
On Friday I moved a legacy MSAccess mdb database to a new server. Monday morning I had a few gremlins that needed ironing out, but nothing too taxing.
My one remaining issue is some classic asp reports I wrote in the dark ages. I understand that my issue is folder permissions based. My IIS server (different box still running S2003, - being retired soon) doesn't have read/write permissions on the new database directory.
Incidentally, if I change the path in my connect string to \\servername\Blah\Blah\Bla
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file '(unknown)'. It is already opened exclusively by another user, or you need permission to view its data.
/intranet/reports/timelog/
I have copied the permissions from my old directory (I note I had added an IUSR account in there), and even gave Everyone full access to the new directory but still get the same error.
My inetinfo / IIS service runs on my server as 'Local Account'. I believe this is where my problem lies.
Just for info, here is an example of my connect string / connection.
DSN="Driver={Microsoft Access Driver (*.mdb)};Dbq=\\SERVERNAME\
Conn.Open DSN
Any ideas because I am running out of them!!
Many thanks
On Friday I moved a legacy MSAccess mdb database to a new server. Monday morning I had a few gremlins that needed ironing out, but nothing too taxing.
My one remaining issue is some classic asp reports I wrote in the dark ages. I understand that my issue is folder permissions based. My IIS server (different box still running S2003, - being retired soon) doesn't have read/write permissions on the new database directory.
Incidentally, if I change the path in my connect string to \\servername\Blah\Blah\Bla
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file '(unknown)'. It is already opened exclusively by another user, or you need permission to view its data.
/intranet/reports/timelog/
I have copied the permissions from my old directory (I note I had added an IUSR account in there), and even gave Everyone full access to the new directory but still get the same error.
My inetinfo / IIS service runs on my server as 'Local Account'. I believe this is where my problem lies.
Just for info, here is an example of my connect string / connection.
DSN="Driver={Microsoft Access Driver (*.mdb)};Dbq=\\SERVERNAME\
Conn.Open DSN
Any ideas because I am running out of them!!
Many thanks
Dave Baldwin
In another question, we found that you can't give IIS permissions on a folder on another computer using share name. It simply won't do it. The only thing that may have worked is to create a mapped drive so that you have a local drive letter that you can use. Even then you will probably have to give 'Everyone' read/write permissions so it is basically wide open to anyone.
Since you've likely tried numerous things and are running out of ideas...
I would try setting security auditing on the folder that the MDB file is in on the server. Set both Success and Failure auditing for Everyone. You may need to also turn on Auditing in Local Security Policy. Once you've done this, try accessing the ASP page that calls the database in question. After you receive the error message, open up the event viewer on the server and check the security log to see if you have either success or failure events for your MDB file. This would confirm that it is in fact a permissions issue and not some other oddity.
If you don't see any events in the security log related to the MDB file, do a quick sanity check by opening the database file locally on that machine just to confirm that you get a Success event in the log (to make sure auditing is working).
Once you're satisfied with the result, don't forget to return the auditing settings back to their previous configuration.
It's been awhile since I've dealt with IIS to Access over network issues, but I seem to recall some unusual behaviours in the past. My initial instinct when I read that error was "is the server even trying to hit that file?" so I feel like I've encountered this before... :D
I would try setting security auditing on the folder that the MDB file is in on the server. Set both Success and Failure auditing for Everyone. You may need to also turn on Auditing in Local Security Policy. Once you've done this, try accessing the ASP page that calls the database in question. After you receive the error message, open up the event viewer on the server and check the security log to see if you have either success or failure events for your MDB file. This would confirm that it is in fact a permissions issue and not some other oddity.
If you don't see any events in the security log related to the MDB file, do a quick sanity check by opening the database file locally on that machine just to confirm that you get a Success event in the log (to make sure auditing is working).
Once you're satisfied with the result, don't forget to return the auditing settings back to their previous configuration.
It's been awhile since I've dealt with IIS to Access over network issues, but I seem to recall some unusual behaviours in the past. My initial instinct when I read that error was "is the server even trying to hit that file?" so I feel like I've encountered this before... :D
To expand on Dave's suggestion, you can create a virtual folder from a network share, which you will then be able to access like any other folder within your site. You'll also need to set permissions to that virtual folder, assuming you use the default App Pools, give access to your IUSR account, as well as your NETWORK SERVICES account
Have you tried running your AppPool with a named domain account instead of the local account.
I would try the following:
1. create an account in the domain (user only, not an admin in domain or locally)
2. add this account to the local iis server's "IIS_IUSRS" group
3. configure your site's AppPool with this domain account
4. grant this domain account read/write access on the share
5. test site
I would also check that you can see the full details of the errors your page is returning:
link: http://www.dondraper.com/2011/01/500-internal-server-error-from-iis-7-5-on-windows-2008-r2/
The settings are the same for IIS7 onward.
Dan
I would try the following:
1. create an account in the domain (user only, not an admin in domain or locally)
2. add this account to the local iis server's "IIS_IUSRS" group
3. configure your site's AppPool with this domain account
4. grant this domain account read/write access on the share
5. test site
I would also check that you can see the full details of the errors your page is returning:
link: http://www.dondraper.com/2011/01/500-internal-server-error-from-iis-7-5-on-windows-2008-r2/
The settings are the same for IIS7 onward.
Dan
ASKER
Hi, sorry for delay.
This is what I have tried.
1) Mapped drive doesn't work.
2) Turned on Auditing and viewed the failed attempt hitting the file.
Not sure what useful information I can glean from this but at least I know it is hitting the file.
3) I have created a virtual folder. I don't profess to be an IIS expert but how did I not know about that?!! This seems to have got us the closest as I can now browse the network directory as though it were local (resolving my network security issues). The issue is that my connect string syntax does not like a http://virtualtDir/databases/db.mdb path.
I do get a different odbc error though. [Microsoft][ODBC Microsoft Access Driver] Not a valid file name.
Do you happen to know if I can use file://xxxxx in my connect string. I have tried various iterations and has failed on every attempt!
example connect string..... DSNtest="Driver={Microsoft
4) I tried Dan's method. Whilst I find this tidiest, I broke my production environment changing Application pool users and had to roll back my iis config due to time constraints.
I would like to progress the virtual folders method. This seems 99% there but I don't know if I can get my connect string to accept the datasource. I suppose SMB and http are fundamentally different!?
Thanks for all of your help,
This is what I have tried.
1) Mapped drive doesn't work.
2) Turned on Auditing and viewed the failed attempt hitting the file.
An account failed to log on.
Subject:
Security ID: DOMAIN\administrator
Account Name: administrator
Account Domain: DOMAIN
Logon ID: 0x126860
Logon Type: 3 (network)
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: AXSERVER
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process ID: 0x5ac
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: AXSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requestedNot sure what useful information I can glean from this but at least I know it is hitting the file.
3) I have created a virtual folder. I don't profess to be an IIS expert but how did I not know about that?!! This seems to have got us the closest as I can now browse the network directory as though it were local (resolving my network security issues). The issue is that my connect string syntax does not like a http://virtualtDir/databases/db.mdb path.
I do get a different odbc error though. [Microsoft][ODBC Microsoft Access Driver] Not a valid file name.
Do you happen to know if I can use file://xxxxx in my connect string. I have tried various iterations and has failed on every attempt!
example connect string..... DSNtest="Driver={Microsoft
4) I tried Dan's method. Whilst I find this tidiest, I broke my production environment changing Application pool users and had to roll back my iis config due to time constraints.
I would like to progress the virtual folders method. This seems 99% there but I don't know if I can get my connect string to accept the datasource. I suppose SMB and http are fundamentally different!?
Thanks for all of your help,
treat your virtual folder like you would any other folder within your site, so try:
DSNtest="Driver={Microsoft
DSNtest="Driver={Microsoft
SMB and http are fundamentally differentYes. SMB can have read/write access which you need for an MDB. HTTP does not provide similar access. It is usually only read access which would not allow you to make change to the database.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
does the virtual folder idea not work for you?
ASKER
Hi All. Apologies, just spotted I missed closing this thread. Eventually, after much messing with folder redirects, junction points and permissions, I migrated my iis setup so it was local to the databases.
Never found a work around to the original problem, but as soon as the mdb was local all worked fine.
Never found a work around to the original problem, but as soon as the mdb was local all worked fine.