Answered Thread: IIS setup for ASP.NET write access

Last post 11-13-2009 7:45 PM by roguecoolman. 12 replies.

  • 11-06-2009, 2:08 PM

    IIS setup for ASP.NET write access

    I've set up IIS 7 on Server 2008 R2. So far so good: I can run aspx files, but the problem comes with an aspx application that needs to write. So I figure OK, must be a permission issue.

    So my folder setup is:

    c:\web\  <-- root of web folders

    c:\web\testuser01 <-- simulated user account folders

    c:\web\testuser02 <-- simulated user account folders

    Permissions on c:\web are:

    domain users  - read/execute

    Administrators - full control

    Permissions on c:\web\testuser01 are:

    testuser01 - full control

    administrator - full control

    webx - read/execute (webx is just a sample account name, but I use a similar account name to map anonymous connections to a domain account)

    testuser02 is the same as above except "testuser02" replaces "testuser01".

    Now the reason why I have a "webx" domain account in there is because in our production environment, we're going to move the web folders to a network storage drive. So I need a domain account to map anonymous connections to a domain account that can access the network share and have read/execute perm.

    OK, so now I have a sample guestbook application that, when I run it, says permission denied on a specific file. OK, I go and check and sure enough, I realize because webx is mapped for anonymous connections and only has read/execute it can't write. I tested and made sure that was the case: I gave webx write access just to that file and no more problems. My question then is how can I map anonymous connections to each of the user's folders domain user account?

    I'm thinking it must be something to do with a web.config file that I can dump in each of the user's folders, but I am unsure if this is the way to do it?

    The idea is we want to set up an environment for students to learn asp .NET programming. It won't be for a business website so the structure will not be the same. We want to be able to allow students to just dump their files in their own folders and not have to worry about permissions.

    Can anyone shed some light as to which direction I should be heading?

    Other settings I have are:

    impersonation is OFF

    anonymous authentication is enabled

    Application pool is set to integrated v2.0

    application pool process model is set to a domain identity webx (needed because when we move the folders to a unc path we need an account to access the share that will map to anonymous)

    Thanks in advance!

  • 11-06-2009, 10:19 PM In reply to

    Re: IIS setup for ASP.NET write access

    Have you tried setting the 'connect as' option on the vdir to your static user?

    http://technet.microsoft.com/en-us/library/cc771804(WS.10).aspx

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 11-10-2009, 1:16 PM In reply to

    Re: IIS setup for ASP.NET write access

    Hello Steve,

    Thanks for the reply, and I did look into the "connect as" setting in vdir, but the problem is I would have to know each user's password to specifically set them up.

    Because our students will be managing their websites via their domain account. They use their domain account for everything from logging into workstations to accessing e-mail.  Sometimes students forget their passwords and have to reset them. This will cause a problem as students will have to contact me to update their password in the IIS "connect as" dialog box.

    Is there any way I can just map anonymous users (public) to a user's domain account without needing their password? Just purely relying on NTFS permissions? If, for example, my asp .net app writes to folder \\web\guest01\box, as long as domain user "guest01" owns its own folder and has modify permissions for folder "guest01" and all subfolders, can an anonymous user being mapped to guest01 (who is the owner and has modify permissions) be granted write access when they access an asp.net app that is writing to folder "box"?

    Is this possible in IIS?


  • 11-10-2009, 1:37 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: IIS setup for ASP.NET write access

    Seems like you would need to set up authentication/authorization so that student1 does not muck with student2's file location - so the best way would be to enable authentication (Windows integrated auth for example) and set ACL on each folder to give the respective student permission to write to the folder (and turn on impersonation in asp.net) - you would not need to store any of the student's domain password - they will just login with their domain credentials when connecting to the machine.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 11-10-2009, 2:36 PM In reply to

    Re: IIS setup for ASP.NET write access

    Hello Anil,

    I've installed the Windows Authentication role service. I've enabled Windows authentication and ASP.NET impersonation. Anonymous Authentication is enabled and forms disabled (we aren't using forms yet).

    When turning on ASP.NET impersonation I had initially set the website's application pool to integrated, but changing it to classic fixed the error when browsing the page.

    So now I can view the website, but when I run the specific aspx page that writes to a file I get an access denied message, even though the permissions are that the owner of the folder and files has write access.

    Now you did write in your previous e-mail that "they will just login with their domain credentials when connecting to the machine."?

    So turning Windows authentication on gives them a login prompt when they go to their own webspace "http://www.domain.con/guest01"

    This is not what I was hoping for. Their projects will need to be exposed to the public (anonymous connections) and they can't be giving out their credentials to people just to view their pages.

    So far the only way I can achieve what I want is to create a domain account (in my example above "webx"). Grant that read/execute access to web document root and have that inherited to all sub folders. Now my test aspx application is a guestbook program that writes to a guestbook.xml where it stores guestbook entries. The only way so far to get what I want is to grant "webx" write perm to that file.

    So I would have to instruct students that while they can dump their web projects to their web folder \\docroot\guest01 , if their code needs write access to a folder or file they would have to grant "webx" write access.

    Is this the only way or is there a better way? My concern is security since one account pretty much oversees all the write access. I was hoping the write access can be isolated to just the individual owners. If say "webx" gets compromised, while domain wise it's a low level account, on the web server it may have write access to various student folders and files. If I could map write access to each individual owner then the damage is just to the owner's account, which is very isolated.

    Also the application pool connects as "webx" as I believe it needs those credentials to spawn the worker process since I am using that to connect to the docroot (which is on the network and not local to the server). Am I correct to assume, if a student miswrites their code and crashes the apppool assigned to the website and run by webx, all websites using that apppool are compromised?

  • 11-10-2009, 3:35 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: IIS setup for ASP.NET write access

    With Windows authentication, there is no login page, the user's browser will be prompted for credentials and will either send the credentials automatically or prompt the user for them based on the browser settings - can you also disable anonymous authentication to be sure that is not getting used?  Also, can you collect a failed request tracing log, which should make it clear whether authentication is happening and where exactly access is failing.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 11-10-2009, 4:53 PM In reply to

    Re: IIS setup for ASP.NET write access

    Hello Anil,

    When I enabled Windows authentication and disabled anonymous access, when I browse to the user's website http://www.domain.com/guest01/index.aspx I get a domain login box. This is not what I wanted as I don't want the public to be prompted with login boxes just to visit the user's web page. Of course when I present credentials that match ACLs in the folder, I am allowed access. This of course is not what I was intending.

    I was hoping that the public can view my users' pages without any login or credential exchange from the end user end.

  • 11-11-2009, 1:13 AM In reply to

    Re: IIS setup for ASP.NET write access

    Hi,

    Integrated Windows authentication does not work over HTTP proxy connections. Hence, Windows authentication is best suited for an intranet environment, where both user and Web server computers are in the same domain.

    In this case, since the requested URL contains periods, Internet Explorer assumes that the requested address exists on the Internet and does not pass any credentials. You can include it in the Intranet zone, then try again.

    For more detailed information, please refer to:

    Internet Explorer May Prompt You for a Password
    http://support.microsoft.com/default.aspx/kb/258063

    Leo Tang
    Microsoft Online Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
  • 11-11-2009, 1:26 AM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Answered Re: IIS setup for ASP.NET write access

    Do you really want anonymous users to have unrestricted write access to the unc share?  Why do you even want to set up a separate account for each share though - you could just configure one account with write access to all the shares.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 11-11-2009, 2:34 PM In reply to

    Re: IIS setup for ASP.NET write access

    Thanks Leo and Anil for your replies.

    Anil,

    I definitely don't want to give anon write access to students' folders. I don't mean they would use it as a storage drive. But is there a best scenario way that I can allow my students to write their aspx projects and allow them to run properly for public visitors? For example, say a student writes an aspx project that, when a public visitor visits their page, fills out a form and clicks on submit, the program would generate a text file and store it in the student's web folder. So write access for the program is definitely needed.

    So are you saying that I should create a low access domain account, give that the necessary access to the shares and when students' programs require it to write to its own folder or a file, students should grant that account modify access?

    Example:

    student: jbob owns folder "jbob" on the docroot share "web"

    so \\web\jbob  has the following perms:

    domain administrators: full control

    user "jbob" has: full control

    low level domain account "webaxs" has read/execute

    IIS connect as is mapped with "webaxs" to the share.

    So under normal circumstances where web files and programs only need read/execute permissions there is no issue. If a student writes a program that requires the program to write to its own folder or edit a file, the student must grant "webaxs" proper permissions, which he/she can do since they own their own web folder?

    In the above scenario, should I also map "anonymous  authentication" to "webaxs" then? Right now it's set to ISUR which is the default I believe. But since the docroot share is a network storage, ISUR is not available on the network storage, so I believe I would have to use webaxs in anonymous authentication then?

  • 11-12-2009, 11:57 AM In reply to

    Re: IIS setup for ASP.NET write access

    I think what I am looking for is a function like suEXEC in apache. Does IIS have something like this?

  • 11-13-2009, 4:35 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: IIS setup for ASP.NET write access

    That should work - and then the student can give jbob write access to only the portion of their share reserved for writing.

    Running a site as some other user requires you to configure username/password on IIS and the password maintenance issue is the one you are trying to avoid.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 11-13-2009, 7:45 PM In reply to

    Re: IIS setup for ASP.NET write access

    Thanks Anil,

    I've pretty much set up the way you suggested and my tests so far have been good.

    Thanks for all the help everyone.
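
The arrangement the thread settles on (one low-privilege account with read/execute on each student folder, write access granted only where an application needs it), as an added example that is not part of any post above. The share path, the CONTOSO domain and the App_Data subfolder name are assumptions; "webaxs" is the account name used in the thread, and the audit function lists explicit write grants to that account that fall outside the agreed subfolder.

```powershell
# Added example. Assumed (hypothetical) values: share path, CONTOSO domain, App_Data folder name.
$DocRoot    = '\\fileserver\web'      # hypothetical UNC docroot
$WebAccount = 'CONTOSO\webaxs'        # low-privilege account IIS connects as
$WriteDir   = 'App_Data'              # the only subfolder the web account may modify

# Rights that let the web account change content or permissions.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Set-StudentSiteAcl {
    param([string]$StudentFolder)
    # Read/execute on the whole site, inherited by files (OI) and subfolders (CI).
    icacls $StudentFolder /grant "${WebAccount}:(OI)(CI)RX" | Out-Null
    # Modify only on the one subfolder the application writes to.
    $target = Join-Path $StudentFolder $WriteDir
    if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
    icacls $target /grant "${WebAccount}:(OI)(CI)M" | Out-Null
}

function Find-UnexpectedWriteAccess {
    param([string]$Root)
    # Matches any path that is, or lies beneath, a folder named $WriteDir.
    $allowed = '\\' + [regex]::Escape($WriteDir) + '(\\|$)'
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { $_.FullName -notmatch $allowed } |
        ForEach-Object {
            $item = $_
            (Get-Acl -Path $item.FullName).Access |
                Where-Object {
                    $_.IdentityReference.Value -eq $WebAccount -and
                    $_.AccessControlType -eq 'Allow' -and
                    -not $_.IsInherited -and      # report where the grant was made, not every child
                    ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0
                } |
                ForEach-Object {
                    New-Object PSObject -Property @{ Path = $item.FullName; Rights = $_.FileSystemRights }
                }
        }
}

# Provision one student folder, then list any explicit write grant outside App_Data.
Set-StudentSiteAcl -StudentFolder (Join-Path $DocRoot 'jbob')
Find-UnexpectedWriteAccess -Root $DocRoot | Format-Table -AutoSize
```

Run on a schedule, the audit shows where a student has granted the shared account write access on a whole site folder or on an individual file, which is the exposure the original poster was worried about if that account is compromised.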
