Solved

Classic ASP vs MS Access folder permissions. Microsoft OLE DB Provider for ODBC Drivers error '80004005'

Posted on 2015-02-03
10
71 Views
Last Modified: 2015-08-04
Hi

On Friday I moved a legacy MSAccess mdb database to a new server. Monday morning I had a few gremlins that needed ironing out, but nothing too taxing.

My one remaining issue is some classic asp reports I wrote in the dark ages. I understand that my issue is folder permissions based. My IIS server (different box still running S2003, - being retired soon) doesn't have read/write permissions on the new database directory.

Incidentally, if I change the path in my connect string to \\servername\Blah\Blah\Blah\Any\Old\Rubbish.mdb I get the exact same error.


Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file '(unknown)'. It is already opened exclusively by another user, or you need permission to view its data.

/intranet/reports/timelog/default2.asp, line 45


I have copied the permissions from my old directory (I note I had added an IUSR account in there), and even gave Everyone full access to the new directory but still get the same error.

My inetinfo / IIS service runs on my server as 'Local Account'. I believe this is where my problem lies.

Just for info, here is an example of my connect string / connection.

     DSN="Driver={Microsoft Access Driver (*.mdb)};Dbq=\\SERVERNAME\ShareName$\Databases\dbname.mdb;"
      Conn.Open DSN


Any ideas because I am running out of them!!

Many thanks
0
Comment
Question by:noooodlez
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40585916
In another question, we found that you can't give IIS permissions on a folder on another computer using share name.  It simply won't do it.  The only thing that may have worked is to create a mapped drive so that you have a local drive letter that you can use.  Even then you will probably have to give 'Everyone' read/write permissions so it is basically wide open to anyone.
0
 
LVL 7

Expert Comment

by:Robert Sherman
ID: 40586035
Since you've likely tried numerous things and are running out of ideas...

I would try setting security auditing on the folder that the MDB file is in on the server.   Set both Success and Failure auditing for Everyone.  You may need to also turn on Auditing in Local Security Policy.   Once you've done this, try accessing the ASP page that calls the database in question.  After you receive the error message, open up the event viewer on the server and check the security log to see if you have either success or failure events for your MDB file.  This would confirm that it is in fact a permissions issue and not some other oddity.

If you don't see any events in the security log related to the MDB file, do a quick sanity check by opening the database file locally on that machine just to confirm that you get a Success event in the log (to make sure auditing is working).  

Once you're satisfied with the result, don't forget to return the auditing settings back to their previous configuration.

It's been awhile since I've dealt with IIS to Access over network issues, but I seem to recall some unusual behaviours in the past.  My initial instinct when I read that error was "is the server even trying to hit that file?" so I feel like I've encountered this before... :D
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40586667
To expand on Dave's suggestion, you can create a virtual folder from a network share, which you will then be able to access like any other folder within your site. You'll also need to set permissions to that virtual folder, assuming you use the default App Pools, give access to your IUSR account, as well as your NETWORK SERVICES account
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40586676
Have you tried running your AppPool with a named domain account instead of the local account.

I would try the following:

1. create an account in the domain (user only, not an admin in domain or locally)
2. add this account to the local iis server's "IIS_IUSRS" group
3. configure your site's AppPool with this domain account
4. grant this domain account read/write access on the share
5. test site

I would also check that you can see the full details of the errors your page is returning:

link:  http://www.dondraper.com/2011/01/500-internal-server-error-from-iis-7-5-on-windows-2008-r2/

The settings are the same for IIS7 onward.

Dan
0
 

Author Comment

by:noooodlez
ID: 40628449
Hi, sorry for delay.
This is what I have tried.

1) Mapped drive doesn't work.

2) Turned on Auditing and viewed the failed attempt hitting the file.

An account failed to log on.

Subject:
	Security ID:		DOMAIN\administrator
	Account Name:		administrator
	Account Domain:		DOMAIN
	Logon ID:		0x126860

Logon Type:			3 (network)

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		Guest
	Account Domain:		AXSERVER

Failure Information:
	Failure Reason:		Account currently disabled.
	Status:			0xc000006e
	Sub Status:		0xc0000072

Process Information:
	Caller Process ID:	0x5ac
	Caller Process Name:	C:\Windows\explorer.exe

Network Information:
	Workstation Name:	AXSERVER
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi  
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested

Open in new window


Not sure what useful information I can glean from this but at least I know it is hitting the file.

3) I have created a virtual folder. I don't profess to be an IIS expert but how did I not know about that?!! This seems to have got us the closest as I can now browse the network directory as though it were local (resolving my network security issues). The issue is that my connect string syntax does not like a http://virtualtDir/databases/db.mdb path.

I do get a different odbc error though. [Microsoft][ODBC Microsoft Access Driver] Not a valid file name.

Do you happen to know if I can use file://xxxxx in my connect string. I have tried various iterations and has failed on every attempt!

example connect string..... DSNtest="Driver={Microsoft Access Driver (*.mdb)};Dbq=http://webserver/databases/db.mdb;"

4) I tried Dan's method. Whilst I find this tidiest, I broke my production environment changing Application pool users and had to roll back my iis config due to time constraints.


I would like to progress the virtual folders method. This seems 99% there but I don't know if I can get my connect string to accept the datasource. I suppose SMB and http are fundamentally different!?

Thanks for all of your help,
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 32

Expert Comment

by:Big Monty
ID: 40628455
treat your virtual folder like you would any other folder within your site, so try:

DSNtest="Driver={Microsoft Access Driver (*.mdb)};Dbq=/databases/db.mdb;"
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40628892
SMB and http are fundamentally different
Yes.  SMB can have read/write access which you need for an MDB.  HTTP does not provide similar access.  It is usually only read access which would not allow you to make change to the database.
0
 

Accepted Solution

by:
noooodlez earned 0 total points
ID: 40646370
I think the simest solution this is to move my web server.

I may try setting a junction point first but don't think these will work on network locations.
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40647773
does the virtual folder idea not work for you?
0
 

Author Closing Comment

by:noooodlez
ID: 40913059
Hi All. Apologies, just spotted I missed closing this thread. Eventually, after much messing with folder redirects, junction points and permissions, I migrated my iis setup so it was local to the databases.

Never found a work around to the original problem, but as soon as the mdb was local all worked fine.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

The first two articles in this short series — Using a Criteria Form to Filter Records (http://www.experts-exchange.com/A_6069.html) and Building a Custom Filter (http://www.experts-exchange.com/A_6070.html) — discuss in some detail how a form can be…
In a multiple monitor setup, if you don't want to use AutoCenter to position your popup forms, you have a problem: where will they appear?  Sometimes you may have an additional problem: where the devil did they go?  If you last had a popup form open…
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…
In Microsoft Access, learn the trick to repeating sub-report headings at the top of each page. The problem with sub-reports and headings: Add a dummy group to the sub report using the expression =1: Set the “Repeat Section” property of the dummy…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now