IIS 7 and Above
Impersonated user cannot create a file (Access denied)
Last post Jun 12, 2008 06:05 AM by GerhardTemper
Jun 10, 2008 03:18 PM|GerhardTemper|LINK
I have a simple ASP.Net application which has windows impersonation activated (in the web.config i have setted <identity impersonate="true"/> and <authentication mode="Windows"/>; in iis manager i have windows authentication enabled and anomyous disabled;
asp.net impersonation is also enabled)
In my web application i create a file in an existing folder (c:\test). The file creation works when i start my web app in IE as Administrator but fails when i start the application as "normal" user (get an access denied error). The normal user has the privileges
to create the file in this folder. when i log in interactive with the normal user i can create the file but it fails when i want to create the file via the web application. (access denied)
In the process monitor i see the following information:
Class: File System
Result: ACCESS DENIED
Desired Access: Generic Read/Write
Options: Synchronous IO Non-Alert, Non-Directory File, Open No Recall
any ideas what is wrong in my configuration? i use windows server 2008 with iis7. i am using the DefaultAppPool without any changes. is this an iis7 issue or windows server 2008?
many thanks in advance!!!
Jun 10, 2008 04:12 PM|HostingASPNet|LINK
Have you used some COM component in your app?
Jun 10, 2008 04:38 PM|GerhardTemper|LINK
no, i don't use COM.
I created a new Visual Studio ASP.Net Web Application (C#), added three lines of code for creating a file, added one line in the web.config (identity impersonate = true) and then i published my app via the visual studio menu.
Jun 10, 2008 06:36 PM|anilr|LINK
What is the ACL on c:\test and/or c:\test\test.txt?
Jun 11, 2008 06:03 AM|GerhardTemper|LINK
i created the folder test with owner "testuser" and the testuser is able to create files when i do it manually in windows. but in the context of my app it doesn't work. the effective permissions of the "test"-folder show that the testuser has all permissions
Jun 11, 2008 07:30 AM|GerhardTemper|LINK
disabling user account control (UAC) seems to fix the problem. any ideas how to fix the problem without disabling uac?
Jun 11, 2008 04:19 PM|anilr|LINK
Can you provide exact ACL on the folder/file (using cacls or icacls) - my guess is that testuser is member of admins group and admins group has access to the folder/file but not testuser itself - you can add explicit ACL for testuser or run your browser
Jun 11, 2008 04:50 PM|GerhardTemper|LINK
"testuser" isn't a member of the admin group. there is an explizit ACL for testuser on the "test"-folder. (i created that folder as testuser) for testing purpose i added "testuser" to the admin group and then it worked when i started IE as administrator,
but it failed also when i started IE normally.
Jun 11, 2008 07:12 PM|anilr|LINK
You have still not provided the exact ACL on the folder/file.
Jun 12, 2008 06:05 AM|GerhardTemper|LINK
here is the ACL result from the test folder