ASP.NET application cannot access network share even with "Everyone" granted access

Solution 1

It has been a long time, but maybe this could be useful for someone.

Try using the class NetworkConnection to access the shared folder. You'll need to specify the path and credentials.

More reference about the class here:

https://gist.github.com/AlanBarber/92db36339a129b94b7dd#file-networkconnection-cs-L15
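
A minimal version of the approach this answer describes, as an added example that is not part of the original answer and not the linked gist's code: it opens an authenticated SMB session with the Win32 `WNetAddConnection2` call, surfaces the Win32 error code so that an unreachable path (53) is not mistaken for a permission failure (5), and closes the session on dispose. `ShareSession` and the `SHARE_USER`, `SHARE_PASSWORD` and `SHARE_DOMAIN` environment variables are hypothetical names; the share path is the one from the question.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;

// Added example: authenticated SMB session, opened in the constructor, closed on Dispose.
public sealed class ShareSession : IDisposable
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct NETRESOURCE
    {
        public int dwScope, dwType, dwDisplayType, dwUsage;
        public string lpLocalName, lpRemoteName, lpComment, lpProvider;
    }

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetAddConnection2(ref NETRESOURCE res, string password, string user, int flags);
    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetCancelConnection2(string name, int flags, bool force);

    private const int RESOURCETYPE_DISK = 1;
    private readonly string _share;

    public ShareSession(string share, NetworkCredential cred)
    {
        if (string.IsNullOrEmpty(cred.UserName)) throw new ArgumentException("share credentials are not configured");
        _share = share;
        var res = new NETRESOURCE { dwType = RESOURCETYPE_DISK, lpRemoteName = share };
        string user = string.IsNullOrEmpty(cred.Domain) ? cred.UserName : cred.Domain + "\\" + cred.UserName;
        int rc = WNetAddConnection2(ref res, cred.Password, user, 0);
        // 5 = access denied, 53 = network path not found, 1326 = logon failure,
        // 1219 = a session to this server already exists under different credentials
        if (rc != 0) throw new Win32Exception(rc, "WNetAddConnection2 failed for " + share + " (Win32 " + rc + ")");
    }

    public void Dispose() => WNetCancelConnection2(_share, 0, true);
}

public static class Program
{
    public static void Main()
    {
        // Assumption: a dedicated low-privilege account; credentials come from the environment, not from source.
        string Env(string name) => Environment.GetEnvironmentVariable(name);
        var cred = new NetworkCredential(Env("SHARE_USER"), Env("SHARE_PASSWORD"), Env("SHARE_DOMAIN"));
        using (new ShareSession(@"\\ServerB\files", cred))
        using (File.Open(@"\\ServerB\files\config.xml", FileMode.Open, FileAccess.ReadWrite)) { } // proves write access
    }
}
```

The session is tied to the logon session of the worker process, so other code running under the same application pool identity can reach the share while it is open; give the account rights on this one share only.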

Solution 2

You seem to be using all Local Identities and I think that will not work on a network share despite what permissions you give. You need to make a domain user and run the app pool with that user and you should be good to go.

Also, please verify whether the path is reachable or whether access is actually denied. Sometimes we get the access denied message even though the path was not reachable.

Solution 3

You may need to edit settings in the Group Policy Editor on the machine where the share is hosted.

Open the Group Policy Editor via Start → Run → gpedit.msc. Set the following under Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options:

  • Network access: Shares that can be accessed anonymously - Enter the name of the network share folder (files in your question above) in the text field. (Don't include the hostname.)
  • Network access: Let Everyone permissions apply to anonymous users - Set to Enabled. (For me, this was necessary for write access to be granted.)

When done making changes in gpedit.msc, from an admin-elevated command prompt, run gpupdate /force to apply the Group Policy changes.

Obviously, you should consider the security implications in your specific situation before making these changes.

Author: Shock

Updated on June 15, 2022

Comments

  • Shock
    Shock almost 2 years

    I have two servers: server A which is a web server running an ASP.NET application on IIS, and server B which is an SSIS server with a network share that contains a configuration file.

    I need server A to be able to write to the configuration file on server B. This seems fairly straight-forward, however I keep getting the error: "Access to the path \\ServerB\files\config.xml is denied." What I have done for testing, to make this perfectly clear:

    • I have set "Everyone" to have full control of the folder.
    • I have set "Everyone" to have read/write access on the share.
    • I have set "Everyone" to have full control of the file.
    • I have verified that the file is not read-only.

    I realize this isn't a good solution, I am just doing this for debugging so please don't comment to tell me not to do this.

    Anyhow, even with these things set, I still get "Access is denied." I have also explicitly given access to a number of users, including Network Service, IUSR, Anonymous Logon, and IUSRS group, and it has not fixed the problem.

    The application pool on Server A is using ApplicationPoolIdentity. I have Googled and Overflowed and found suggestions to give permissions to things like IIS AppPool\{Application Pool} or {MACHINE}\ASPNET, but I cannot access these resources from Server B so I do not understand how this would be possible.

    Finally, the perplexing thing is that developers running solutions on their local machines are able to access the file. So it is something to do with how something is configured with Server A, however I cannot figure out what.

    Edit: Truly wacky stuff going on here. I have figured out how to enable auditing and get the requests logged in the event viewer on Server B. When the developer runs the process from his local, I can see all the requests logged on Server B. Eg: "A network share object was checked to see whether client can be granted desired access."

    However! When attempting to connect from server A, nothing gets logged. Nothing is there at all. Server A throws an "access to the path is denied" error, but I don't even see the request from Server B. :(

    • Sico
      Sico about 10 years
      Have you tried NetworkService as the app pool identity?
    • Shock
      Shock about 10 years
      I really can't mess too much with the IIS set up as it is running a lot of production code and the part I am working on is a very minor piece, so I'd rather not make any major changes to the configuration just to suit my little thing. Know mean?
    • Sico
      Sico about 10 years
      Can you try it in UAT?
    • Shock
      Shock about 10 years
      OK. I was able to verify that if I change the Application Pool to run under "NetworkService," that it then works. This is not going to happen in production though, so I need to figure out what account "ApplicationPoolIdentity" is using that I can grant access to. What a pain!
    • Shock
      Shock about 10 years
      It seems like I need to grant the access to "IIS APPPOOL\{ApplicationPool}", but how can I possibly do that when that's not a domain account? And why doesn't granting access to "Everyone" fix things?
    • Shock
      Shock about 10 years
      Sadly no. It confirms the above, that I "need to ACL your content based on this ephemeral ApplicationPoolIdentity account (IIS APPPOOL\ApplicationPool ) instead of the NTAuthority\Network Service." But of course "IIS APPPOOL\ApplicationPool" is just some local account so doesn't do me any good for remote files. At least Network Service could be set for any server. I even tried giving permissions to SERVERA$, but still no luck.
    • John Saunders
      John Saunders about 10 years
      Unlike forum sites, we don't use "Thanks", or "Any help appreciated", or signatures on Stack Overflow. See "Should 'Hi', 'thanks,' taglines, and salutations be removed from posts?".
  • matt_lethargic
    matt_lethargic about 10 years
    You should be able to use Local User accounts, create a user on Server B, give it access to the shares, then use that username and password, set the domain to the Server B's name. A look at the code you are using would be good or a bit more explanation on the mechanism you are using to connect, then we can supply code etc if needed
  • Shock
    Shock about 10 years
    The path is definitely reachable. I can RDP to Server A and browse to the file using the same path. The exact same code also works from developers' machines, just not from Server A.
  • matt_lethargic
    matt_lethargic about 10 years
    Have you checked the security logs in the event viewer on Server B?
  • Shock
    Shock about 10 years
    Yeah, there's nothing there.
  • Shock
    Shock about 10 years
    Following up, when accessed from a developer's machine, I can see the requests logged in event viewer on Server B. However, nothing is logged at all when the request comes from Server A. It is like the request never makes it from A to B. Could it be something on Server A not allowing it as an outgoing? I have already checked Windows Firewall.
  • Jay Elston
    Jay Elston about 7 years
    The OP was struggling with permission issues, not the code for creating connections.
  • Jamo
    Jamo about 7 years
    I was having the same issues as Shock did. I was trying to add the proper permissions, but then I figured out this way and it worked. Maybe it helps, maybe not.
  • mxmissile
    mxmissile almost 6 years
    Not sure why MS makes this so confusing, but this is the only answer that helped me.