Asp.net Upload File ( FileUpload1.SaveAs) "Access to the path denied"

JS List
JS List used Ask the Experts™
on
Have a page that was working in IIS 6.  Upgraded from IIS 6 to IIS 8.5 and now this doesn't work.  Using .Net V4.0

Uploading file from web #2  to a different web #1. The document goes into a file folder.  Each one has it's own appPool.  (web1, web2)

I understand now the identity is in the application pool.  So I set the appPool on both webs (1 & 2) to NetworkService.  (Thru IIS -> Application Pools -> Right Click -> Advanced Settings -> Identity)

Then on the file folder where the docs are stored gave NetworkService all permissions.  Still have the error.  So then on the file folder I gave permissions to everyone for everything - still have "Access denied"

Any ideas?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Dan McFaddenSystems Engineer

Commented:
Are these websites on the same server or are we talking about 2 separate servers?

Dan

Author

Commented:
Same server just different web.  One is http://web1  and the other is http://web2
I do use a virtual directory to point to the specific folder where the file is being uploaded to.
There is a major difference between IIS6 and IIS8.
IIS6 is not capable to transfer a  identity to a subsequent service.
IIS8 is, based on Kerberos can delegate tickets.

Precondition for Kerberos is that the SPNs are registered in the right way. Also the authentication on the web site has to be set in the right way, there is NTLM or Negotiate.
If he web site is set to NTLM, the identity of the writing user in the AppPool account.
If the web server uses negotiate, Kerberos is tried first.

Also the everyone group is a bit different in later OS / DC functional level .
You may try to use "authenticated users".
JavaScript Best Practices

Save hours in development time and avoid common mistakes by learning the best practices to use for JavaScript.

chanderpal singh rathoreMicrosoft Exchange Engineer

Commented:
Hi,

You can try this thing for your solution as it mostly works :

Open IIS >> authentication >> anonymous >> edit >> chose application pool.
Give permissions to the folder of IUSR and IIS_ users
Change the app pool identity to application pool

Good Luck!!
Systems Engineer
Commented:
My recommendation is to use a dedicated domain service account.  Reason being is that you have 2 separate servers running a web app which both need access to a file share.  The most effective method of doing this is with s service account.

Using the predefined AppPool identities for file share access is no recommended since is requires the share and NTFS permissions to be configured in a less than secure way.

I would create 1 service account in the domain.  Configure the website's AppPool on each server to run as the service account.  Then update both the share and NTFS permissions to grant modify permissions to this AppPool service account.

You can modify the AppPool identity by going into IIS Manager, right0-clicking the AppPool and selecting Advanced Settings.  The Identity setting in located under the Process Model section, called... Identity.  Go into the Identity setting, select Custom, click set and enter the requested info.

I recommend, at least, recycling the AppPool.  If you want, an IISRESET can be done.

For situations like this, I have used this configuration before.  I have also used in a Production environment.

Dan

Author

Commented:
Dan -

I tried what you said only with a local server account instead of the domain.  It didn't work.  This is an intranet - that's held on 1 physical machine, 1 IIS Server.  The IIS server has 2 webs.  The files directory allows for IUSR and IIS_IUSRS.
It didn't work.  But it gave me an idea.  

There is a virtual directory "FilesDir" that points to the general files folder area.
When I did this it gives me an error Access Denied:
Dim thisSaveServer As String = Server.MapPath("~/FilesDir/")
tempPath = filePath.Value
 e.File.SaveAs(thisSaveServer + tempPath)

But when I did this - no error the file uploaded:
Dim thisSaveServer As String = "C:\IIS\Web1\Files"
tempPath = filePath.Value
e.File.SaveAs(thisSaveServer + tempPath)

The permissions for a virtual directory match what's on the "C:\IIS\Web1\Files" folder.
Any ideas?
JS

Author

Commented:
Well I take the last comment back - now it didn't work.
Ähm...
You have a Win2012R2 right?

It comes with .NET 4.x
Have you also installed .Net 3.x?

Have you tried to put this application back to ASP 2.0?
Dan McFaddenSystems Engineer

Commented:
Ok, using local accounts and trying to access files across the network is a bad practice.  It makes for a headache trying to set & manage the ACLs on the share and in NTFS, its problematic at best.

Again, I will recommend using a domain account as a service account on both servers for the AppPools that support the websites in question.

What language have you written the app in?  ASP.NET (VB.NET) or Classic ASP?  The code you posted looks to be old ASP.

As a test only:  you may want to test your code with "Parent Paths" enabled.
** (It was enabled by default in IIS6, IIS7+ it is disabled by default)

MSDN reference:  https://msdn.microsoft.com/en-us/library/ms524632%28v=vs.90%29.aspx

Also, a IIS.NET article explaining the issue and a work-around.  IMO "Parent Paths" should never be enabled.

Reference:  http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

Dan

Author

Commented:
Hi Dan,

I understand what you mean with the service account.  Had my server admin set up an account, but the application pool identity won't accept the password, in IIS manager.  For a test I used my own account and the file upload worked.  The server admin doesn't know which service to run it under.  

Thanks for the help.
Dan McFaddenSystems Engineer

Commented:
I've never heard an AppPool not accepting a password before.  My guess is that the password was either incorrectly input or the password does not meet the domain strength requirements.

You don't run the account under a server... the service account is used only in IIS Manager under the AppPool advanced configuration.

Dan
Hello, you can just give to read and write permision to that folder that you have used for save your files.

Author

Commented:
Sorry office closed for 2 weeks. -  Here's an interesting thing I found.  If I am uploading a new file it uploads.  If I am uploading a new version of a file it blows up and says I don't have permissions.

Any ideas?

Author

Commented:
Dan led me to investigating in the right area.  I set up the account and modified the appPool & sites.  Still did not resolve the problem.  After speaking to the network administrator, he identified that not all the shares were moved over when he set the server up.  The tool he used to do this did not do the complete job.  

Without Dan's contribution I would not have been able to solve the problem.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial