zc2 asked:

"LOGON FAILURE" to access a network drive from IIS 0x8007052E

We've got an issue: an IIS web application can't access a file on a shared drive.
The app pool credentials are the same as the desktop user credentials we are logged in with on the server's console. The account is a domain user account and also an administrator on this web server (it's an intranet server). The anonymous authentication is set to "application pool credentials".
From the Windows UI the shared path is fully accessible both via a UNC path and a mapped drive, but running from the web app we are getting a "LOGON FAILURE" in the Process Monitor log.
I tried to create a virtual directory pointing to that shared drive, but IIS can't access the web.config either, displaying a 500.19 server error with an error code 0x8007052E.

I don't understand: what could prevent a domain account from accessing a shared folder on another machine in the same domain just because it is being run from an IIS process?

Jason Zondag

Try giving permissions to IIS_IUSRS on the folder.

You have to consider which account is being used to run the application pool and web processes.
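
The identities involved in the setup discussed in this thread (app pool account, anonymous authentication account, and any account stored on a UNC virtual directory) can be listed on the web server with the WebAdministration module. This is an added example, not code from any participant in the thread; the site name is an assumed placeholder.

```powershell
# Added example: show every identity IIS may use for one site, so the account
# behind a 0x8007052E (logon failure) on a UNC path can be pinned down.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: replace with the affected site

# Low 16 bits of the HRESULT are the Win32 code: 0x052E = 1326 (ERROR_LOGON_FAILURE).
$win32 = 0x8007052E -band 0xFFFF
$msg   = (New-Object System.ComponentModel.Win32Exception $win32).Message
"HRESULT 0x8007052E -> Win32 $win32 : $msg"

# 1. Account the worker process (w3wp.exe) runs as.
$poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$pm       = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
[pscustomobject]@{
    Check        = 'App pool identity'
    Pool         = $poolName
    IdentityType = $pm.identityType   # SpecificUser means a named account
    UserName     = $pm.userName
} | Format-List

# 2. Account used for anonymous requests. An empty userName means
#    "application pool identity"; the IIS default is the local IUSR account.
$anon = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
[pscustomobject]@{
    Check    = 'Anonymous authentication'
    Enabled  = $anon.enabled
    UserName = if ($anon.userName) { $anon.userName } else { '(application pool identity)' }
} | Format-List

# 3. Virtual directories that point at a UNC path, with any explicit
#    "connect as" account and logon method stored on the directory itself.
Get-WebVirtualDirectory -Site $SiteName |
    Where-Object { $_.physicalPath -like '\\*' } |
    Select-Object path, physicalPath, userName, logonMethod |
    Format-List
```

Run it from an elevated PowerShell session on the web server; it only reads configuration.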

zc2 (ASKER)

Jason Zondag,
Why do you assume that IIS_IUSRS is somehow involved, since the app pool works as the same domain account as the desktop user, not as "ApplicationPoolIdentity" or some service?
The Process Monitor event also states that the process was running using the domain account.

Since this is an intranet server we don't care much about running w3wp as a real user account.

Jason Zondag

Well, I introduced the idea because it sounds like the IUSR or IIS_IUSRS does not have read access to the folder, which often resolves issues like this.

However, I did a little bit of digging and found a reference where someone else expressed a similar issue.  IIS AppPool is a local entity, not a domain entity, even if the authorized user providing credentials is a domain user.  The suggestion therefore is to add the IIS AppPool\AppPoolName to the shared folder with permissions.

zc2 (ASKER)

Sorry, I don't understand your suggestion. Did you mean to go to the file sharing server and add a shared folder permission for AppPool\AppPoolName? But like you stated yourself, an app pool is a local entity and the file sharing server has nothing to do with it. It just won't let me add a permission to an entity it cannot see. It would allow adding permissions only to domain entities or the file sharing server's local entities.
I tried to simulate a similar setup in our own domain and can easily access a shared folder from an app pool running as a domain user. The failed setup is in our client's domain and unfortunately, we don't have much ability to play with its security settings.

Jason Zondag

I'm sorry, but I didn't find it self-evident that the folder path was not on the same server as the web server. Share could mean shared from the web server.

https://stackoverflow.com/questions/14934006/iis-iusrs-and-iusr-permissions-in-iis8

This is one resource that suggests you can in fact add IIS AppPool\mydomain.com in the security of the site.  I tested in my own lab and could not make it work.

https://support.microsoft.com/en-ca/help/308150/how-to-create-a-virtual-directory-on-an-existing-web-site-to-a-folder

This site from Microsoft demonstrates setting up a Virtual Directory on a Remote Network Share by using the UNC path. Your original post suggests you tried this, but did you try to create a new virtual directory in a new share for testing purposes?

Clearly it is a permissions issue, but it's hard to know where the permission issue is originating from.  My instincts tell me it's the process running the web server.  You've as much as stated that the user account has no issues accessing the files from UNC, which suggests that it's the webserver that's unable to pass through the credential barrier to pass the user credentials that do work, through.  

Whenever I run into these types of situations where it looks like it should work but just doesn't, I use whatever resources I can find, usually on the same server if I don't think it's going to impact production use, to replicate the issue by going through all the steps to recreate the problem.

I apologize, I am not an IIS expert by any means, and perhaps I shouldn't have responded to your query.

I will try mocking this up in my lab environment to see if I can replicate it.

zc2 (ASKER)

According to this article the domain account set to use in the anonymous authentication should access network resources...

ASKER CERTIFIED SOLUTION
zc2