Upload File (FileUpload1.SaveAs) "Access to the path denied"

Have a page that was working in IIS 6.  Upgraded from IIS 6 to IIS 8.5 and now this doesn't work.  Using .Net V4.0

Uploading file from web #2 to a different web #1. The document goes into a file folder.  Each one has its own appPool.  (web1, web2)

I understand now the identity is in the application pool.  So I set the appPool on both webs (1 & 2) to NetworkService.  (Thru IIS -> Application Pools -> Right Click -> Advanced Settings -> Identity)

Then on the file folder where the docs are stored gave NetworkService all permissions.  Still have the error.  So then on the file folder I gave permissions to everyone for everything - still have "Access denied"

Any ideas?
JS List asked:

Dan McFadden (Systems Engineer) commented:
Are these websites on the same server or are we talking about 2 separate servers?

JS List (author) commented:
Same server just different web.  One is http://web1  and the other is http://web2
I do use a virtual directory to point to the specific folder where the file is being uploaded to.
There is a major difference between IIS6 and IIS8.
IIS6 is not capable of transferring an identity to a subsequent service.
IIS8 is; based on Kerberos, it can delegate tickets.

A precondition for Kerberos is that the SPNs are registered in the right way. Also, the authentication on the web site has to be set in the right way; there is NTLM or Negotiate.
If the web site is set to NTLM, the identity of the writing user is the AppPool account.
If the web server uses Negotiate, Kerberos is tried first.

Also, the Everyone group is a bit different in later OS / DC functional level.
You may try to use "authenticated users".

chanderpal singh rathore (Microsoft Exchange Engineer) commented:

You can try this thing for your solution as it mostly works:

Open IIS >> authentication >> anonymous >> edit >> choose application pool.
Give permissions to the folder of IUSR and IIS_ users
Change the app pool identity to application pool

Good Luck!!
Dan McFadden (Systems Engineer) commented:
My recommendation is to use a dedicated domain service account.  Reason being is that you have 2 separate servers running a web app which both need access to a file share.  The most effective method of doing this is with a service account.

Using the predefined AppPool identities for file share access is not recommended since it requires the share and NTFS permissions to be configured in a less than secure way.

I would create 1 service account in the domain.  Configure the website's AppPool on each server to run as the service account.  Then update both the share and NTFS permissions to grant modify permissions to this AppPool service account.

You can modify the AppPool identity by going into IIS Manager, right-clicking the AppPool and selecting Advanced Settings.  The Identity setting is located under the Process Model section, called... Identity.  Go into the Identity setting, select Custom, click Set and enter the requested info.

I recommend, at least, recycling the AppPool.  If you want, an IISRESET can be done.

For situations like this, I have used this configuration before.  I have also used it in a Production environment.
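
Added example (not part of the thread or of any participant's post): the service-account setup described in the comment above, scripted with the WebAdministration module and icacls. The pool names and folder path are the ones quoted in the thread; the account name `CONTOSO\svc-webupload` is a placeholder, and only the NTFS side is shown because share permissions depend on how the folder is published.

```powershell
# Added example. CONTOSO\svc-webupload is a placeholder account name (assumption).
Import-Module WebAdministration

$pools   = 'web1', 'web2'              # app pool names given in the question
$folder  = 'C:\IIS\Web1\Files'         # upload folder quoted in the thread
$account = 'CONTOSO\svc-webupload'     # dedicated service account (placeholder)

# Prompt for the password rather than storing it in the script.
$cred = Get-Credential -UserName $account -Message 'Service account password'

foreach ($pool in $pools) {
    # identityType 3 = SpecificUser, the "Custom account" choice in IIS Manager.
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
        identityType = 3
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
}

# Grant Modify to the service account only, inherited by files (OI) and subfolders (CI).
icacls $folder /grant "${account}:(OI)(CI)M"

# Take back the Everyone grant that was added while troubleshooting.
icacls $folder /remove:g 'Everyone'

# Recycle so the worker processes restart under the new identity.
foreach ($pool in $pools) { Restart-WebAppPool -Name $pool }

# Verify: which account each pool now runs as, and the resulting ACL on the folder.
foreach ($pool in $pools) {
    $pm = (Get-Item "IIS:\AppPools\$pool").processModel
    '{0}: {1} ({2})' -f $pool, $pm.userName, $pm.identityType
}
icacls $folder
```

Run it from an elevated PowerShell session on the IIS server; the final `icacls` listing should show the service account with `(M)` and no entry for Everyone.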


JS List (author) commented:
Dan -

I tried what you said only with a local server account instead of the domain.  It didn't work.  This is an intranet - that's held on 1 physical machine, 1 IIS Server.  The IIS server has 2 webs.  The files directory allows for IUSR and IIS_IUSRS.
It didn't work.  But it gave me an idea.  

There is a virtual directory "FilesDir" that points to the general files folder area.
When I did this it gives me an error Access Denied:
Dim thisSaveServer As String = Server.MapPath("~/FilesDir/")
tempPath = filePath.Value
e.File.SaveAs(thisSaveServer + tempPath)

But when I did this - no error the file uploaded:
Dim thisSaveServer As String = "C:\IIS\Web1\Files"
tempPath = filePath.Value
e.File.SaveAs(thisSaveServer + tempPath)

The permissions for a virtual directory match what's on the "C:\IIS\Web1\Files" folder.
Any ideas?
JS List (author) commented:
Well I take the last comment back - now it didn't work.
You have a Win2012R2 right?

It comes with .NET 4.x
Have you also installed .Net 3.x?

Have you tried to put this application back to ASP 2.0?
Dan McFadden (Systems Engineer) commented:
Ok, using local accounts and trying to access files across the network is a bad practice.  It makes for a headache trying to set & manage the ACLs on the share and in NTFS; it's problematic at best.

Again, I will recommend using a domain account as a service account on both servers for the AppPools that support the websites in question.

What language have you written the app in?  ASP.NET (VB.NET) or Classic ASP?  The code you posted looks to be old ASP.

As a test only:  you may want to test your code with "Parent Paths" enabled.
** (It was enabled by default in IIS6, IIS7+ it is disabled by default)

MSDN reference:

Also, an IIS.NET article explaining the issue and a work-around.  IMO "Parent Paths" should never be enabled.


JS List (author) commented:
Hi Dan,

I understand what you mean with the service account.  Had my server admin set up an account, but the application pool identity won't accept the password, in IIS manager.  For a test I used my own account and the file upload worked.  The server admin doesn't know which service to run it under.  

Thanks for the help.
Dan McFadden (Systems Engineer) commented:
I've never heard of an AppPool not accepting a password before.  My guess is that the password was either incorrectly input or the password does not meet the domain strength requirements.

You don't run the account under a server... the service account is used only in IIS Manager under the AppPool advanced configuration.

SAMIR BHOGAYTA (Team Lead) commented:
Hello, you can just give read and write permission to the folder that you have used to save your files.
JS List (author) commented:
Sorry office closed for 2 weeks. -  Here's an interesting thing I found.  If I am uploading a new file it uploads.  If I am uploading a new version of a file it blows up and says I don't have permissions.

Any ideas?
JS List (author) commented:
Dan led me to investigating in the right area.  I set up the account and modified the appPool & sites.  Still did not resolve the problem.  After speaking to the network administrator, he identified that not all the shares were moved over when he set the server up.  The tool he used to do this did not do the complete job.  

Without Dan's contribution I would not have been able to solve the problem.
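
Added example (not part of the thread or of any participant's post): a check for the root cause reported above, where a virtual directory such as "FilesDir" points at a folder or share that was not carried over during the migration. The site names `web1` and `web2` are assumed to match the host names in the question.

```powershell
# Added example. Site names are assumptions taken from http://web1 and http://web2.
Import-Module WebAdministration

function Get-VDirTargetStatus {
    param([string[]]$Site = @('web1', 'web2'))

    foreach ($s in $Site) {
        # The pool a site runs in decides which account touches the disk.
        $poolName = (Get-Item "IIS:\Sites\$s").applicationPool
        $pm       = (Get-Item "IIS:\AppPools\$poolName").processModel

        foreach ($vd in Get-WebVirtualDirectory -Site $s) {
            # physicalPath may contain %SystemDrive% style variables.
            $target = [Environment]::ExpandEnvironmentVariables($vd.physicalPath)

            [pscustomobject]@{
                Site         = $s
                VirtualPath  = $vd.path
                PhysicalPath = $target
                IsUNC        = $target.StartsWith('\\')
                Exists       = Test-Path -LiteralPath $target
                ConnectAs    = $vd.userName       # empty means pass-through
                AppPool      = $poolName
                PoolIdentity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName }
                               else { $pm.identityType }
            }
        }
    }
}

# Targets that do not exist are the first thing to fix after a migration.
$report = Get-VDirTargetStatus
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Exists } |
    ForEach-Object { Write-Warning "$($_.Site)$($_.VirtualPath) -> missing $($_.PhysicalPath)" }
```

`Test-Path` runs as the administrator executing the script, so `Exists` only confirms the target is there; whether the pool identity can write to it still has to be read from the folder's ACL.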