Link to home
Create AccountLog in
Avatar of JS List
JS ListFlag for United States of America

asked on

Asp.net Upload File ( FileUpload1.SaveAs) "Access to the path denied"

Have a page that was working in IIS 6.  Upgraded from IIS 6 to IIS 8.5 and now this doesn't work.  Using .Net V4.0

Uploading file from web #2  to a different web #1. The document goes into a file folder.  Each one has it's own appPool.  (web1, web2)

I understand now the identity is in the application pool.  So I set the appPool on both webs (1 & 2) to NetworkService.  (Thru IIS -> Application Pools -> Right Click -> Advanced Settings -> Identity)

Then on the file folder where the docs are stored gave NetworkService all permissions.  Still have the error.  So then on the file folder I gave permissions to everyone for everything - still have "Access denied"

Any ideas?
Avatar of Dan McFadden
Dan McFadden
Flag of United States of America image

Are these websites on the same server or are we talking about 2 separate servers?

Dan
Avatar of JS List

ASKER

Same server just different web.  One is http://web1  and the other is http://web2
I do use a virtual directory to point to the specific folder where the file is being uploaded to.
There is a major difference between IIS6 and IIS8.
IIS6 is not capable to transfer a  identity to a subsequent service.
IIS8 is, based on Kerberos can delegate tickets.

Precondition for Kerberos is that the SPNs are registered in the right way. Also the authentication on the web site has to be set in the right way, there is NTLM or Negotiate.
If he web site is set to NTLM, the identity of the writing user in the AppPool account.
If the web server uses negotiate, Kerberos is tried first.

Also the everyone group is a bit different in later OS / DC functional level .
You may try to use "authenticated users".
Hi,

You can try this thing for your solution as it mostly works :

Open IIS >> authentication >> anonymous >> edit >> chose application pool.
Give permissions to the folder of IUSR and IIS_ users
Change the app pool identity to application pool

Good Luck!!
ASKER CERTIFIED SOLUTION
Avatar of Dan McFadden
Dan McFadden
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of JS List

ASKER

Dan -

I tried what you said only with a local server account instead of the domain.  It didn't work.  This is an intranet - that's held on 1 physical machine, 1 IIS Server.  The IIS server has 2 webs.  The files directory allows for IUSR and IIS_IUSRS.
It didn't work.  But it gave me an idea.  

There is a virtual directory "FilesDir" that points to the general files folder area.
When I did this it gives me an error Access Denied:
Dim thisSaveServer As String = Server.MapPath("~/FilesDir/")
tempPath = filePath.Value
 e.File.SaveAs(thisSaveServer + tempPath)

But when I did this - no error the file uploaded:
Dim thisSaveServer As String = "C:\IIS\Web1\Files"
tempPath = filePath.Value
e.File.SaveAs(thisSaveServer + tempPath)

The permissions for a virtual directory match what's on the "C:\IIS\Web1\Files" folder.
Any ideas?
JS
Avatar of JS List

ASKER

Well I take the last comment back - now it didn't work.
Ähm...
You have a Win2012R2 right?

It comes with .NET 4.x
Have you also installed .Net 3.x?

Have you tried to put this application back to ASP 2.0?
Ok, using local accounts and trying to access files across the network is a bad practice.  It makes for a headache trying to set & manage the ACLs on the share and in NTFS, its problematic at best.

Again, I will recommend using a domain account as a service account on both servers for the AppPools that support the websites in question.

What language have you written the app in?  ASP.NET (VB.NET) or Classic ASP?  The code you posted looks to be old ASP.

As a test only:  you may want to test your code with "Parent Paths" enabled.
** (It was enabled by default in IIS6, IIS7+ it is disabled by default)

MSDN reference:  https://msdn.microsoft.com/en-us/library/ms524632%28v=vs.90%29.aspx

Also, a IIS.NET article explaining the issue and a work-around.  IMO "Parent Paths" should never be enabled.

Reference:  http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

Dan
Avatar of JS List

ASKER

Hi Dan,

I understand what you mean with the service account.  Had my server admin set up an account, but the application pool identity won't accept the password, in IIS manager.  For a test I used my own account and the file upload worked.  The server admin doesn't know which service to run it under.  

Thanks for the help.
I've never heard an AppPool not accepting a password before.  My guess is that the password was either incorrectly input or the password does not meet the domain strength requirements.

You don't run the account under a server... the service account is used only in IIS Manager under the AppPool advanced configuration.

Dan
Hello, you can just give to read and write permision to that folder that you have used for save your files.
Avatar of JS List

ASKER

Sorry office closed for 2 weeks. -  Here's an interesting thing I found.  If I am uploading a new file it uploads.  If I am uploading a new version of a file it blows up and says I don't have permissions.

Any ideas?
Avatar of JS List

ASKER

Dan led me to investigating in the right area.  I set up the account and modified the appPool & sites.  Still did not resolve the problem.  After speaking to the network administrator, he identified that not all the shares were moved over when he set the server up.  The tool he used to do this did not do the complete job.  

Without Dan's contribution I would not have been able to solve the problem.