Avatar of JS List
JS List
Flag for United States of America asked on

Asp.net Upload File ( FileUpload1.SaveAs) "Access to the path denied"

Have a page that was working in IIS 6.  Upgraded from IIS 6 to IIS 8.5 and now this doesn't work.  Using .Net V4.0

Uploading file from web #2  to a different web #1. The document goes into a file folder.  Each one has it's own appPool.  (web1, web2)

I understand now the identity is in the application pool.  So I set the appPool on both webs (1 & 2) to NetworkService.  (Thru IIS -> Application Pools -> Right Click -> Advanced Settings -> Identity)

Then on the file folder where the docs are stored gave NetworkService all permissions.  Still have the error.  So then on the file folder I gave permissions to everyone for everything - still have "Access denied"

Any ideas?
Microsoft IIS Web ServerASP.NET

Avatar of undefined
Last Comment
JS List

8/22/2022 - Mon
Dan McFadden

Are these websites on the same server or are we talking about 2 separate servers?

Dan
JS List

ASKER
Same server just different web.  One is http://web1  and the other is http://web2
I do use a virtual directory to point to the specific folder where the file is being uploaded to.
Bembi

There is a major difference between IIS6 and IIS8.
IIS6 is not capable to transfer a  identity to a subsequent service.
IIS8 is, based on Kerberos can delegate tickets.

Precondition for Kerberos is that the SPNs are registered in the right way. Also the authentication on the web site has to be set in the right way, there is NTLM or Negotiate.
If he web site is set to NTLM, the identity of the writing user in the AppPool account.
If the web server uses negotiate, Kerberos is tried first.

Also the everyone group is a bit different in later OS / DC functional level .
You may try to use "authenticated users".
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
chanderpal singh rathore

Hi,

You can try this thing for your solution as it mostly works :

Open IIS >> authentication >> anonymous >> edit >> chose application pool.
Give permissions to the folder of IUSR and IIS_ users
Change the app pool identity to application pool

Good Luck!!
ASKER CERTIFIED SOLUTION
Dan McFadden

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
JS List

ASKER
Dan -

I tried what you said only with a local server account instead of the domain.  It didn't work.  This is an intranet - that's held on 1 physical machine, 1 IIS Server.  The IIS server has 2 webs.  The files directory allows for IUSR and IIS_IUSRS.
It didn't work.  But it gave me an idea.  

There is a virtual directory "FilesDir" that points to the general files folder area.
When I did this it gives me an error Access Denied:
Dim thisSaveServer As String = Server.MapPath("~/FilesDir/")
tempPath = filePath.Value
 e.File.SaveAs(thisSaveServer + tempPath)

But when I did this - no error the file uploaded:
Dim thisSaveServer As String = "C:\IIS\Web1\Files"
tempPath = filePath.Value
e.File.SaveAs(thisSaveServer + tempPath)

The permissions for a virtual directory match what's on the "C:\IIS\Web1\Files" folder.
Any ideas?
JS
JS List

ASKER
Well I take the last comment back - now it didn't work.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Bembi

Ähm...
You have a Win2012R2 right?

It comes with .NET 4.x
Have you also installed .Net 3.x?

Have you tried to put this application back to ASP 2.0?
Dan McFadden

Ok, using local accounts and trying to access files across the network is a bad practice.  It makes for a headache trying to set & manage the ACLs on the share and in NTFS, its problematic at best.

Again, I will recommend using a domain account as a service account on both servers for the AppPools that support the websites in question.

What language have you written the app in?  ASP.NET (VB.NET) or Classic ASP?  The code you posted looks to be old ASP.

As a test only:  you may want to test your code with "Parent Paths" enabled.
** (It was enabled by default in IIS6, IIS7+ it is disabled by default)

MSDN reference:  https://msdn.microsoft.com/en-us/library/ms524632%28v=vs.90%29.aspx

Also, a IIS.NET article explaining the issue and a work-around.  IMO "Parent Paths" should never be enabled.

Reference:  http://www.iis.net/learn/application-frameworks/running-classic-asp-applications-on-iis-7-and-iis-8/classic-asp-parent-paths-are-disabled-by-default

Dan
JS List

ASKER
Hi Dan,

I understand what you mean with the service account.  Had my server admin set up an account, but the application pool identity won't accept the password, in IIS manager.  For a test I used my own account and the file upload worked.  The server admin doesn't know which service to run it under.  

Thanks for the help.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Dan McFadden

I've never heard an AppPool not accepting a password before.  My guess is that the password was either incorrectly input or the password does not meet the domain strength requirements.

You don't run the account under a server... the service account is used only in IIS Manager under the AppPool advanced configuration.

Dan
SAMIR BHOGAYTA

Hello, you can just give to read and write permision to that folder that you have used for save your files.
JS List

ASKER
Sorry office closed for 2 weeks. -  Here's an interesting thing I found.  If I am uploading a new file it uploads.  If I am uploading a new version of a file it blows up and says I don't have permissions.

Any ideas?
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
JS List

ASKER
Dan led me to investigating in the right area.  I set up the account and modified the appPool & sites.  Still did not resolve the problem.  After speaking to the network administrator, he identified that not all the shares were moved over when he set the server up.  The tool he used to do this did not do the complete job.  

Without Dan's contribution I would not have been able to solve the problem.