Classic ASP Impersonation | Windows authentication | File Access Denied IIS 7

I have a classic ASP/VBScript website (landing page - default.asp) that writes the website user access (LOGON_USER) activity to a simple txt file via the Scripting.FileSystemObject.

VBScript creates an FSO to open/create a new file under the folder 'logs'

Windows 2008 R2 64 bit environment

IIS 7.5 -

• Authentication - Windows Authetication enabled. All other authentication disabled.
• AppPool running in Classic PipeLine mode;
• Enable 32 bit applications set to true;
• Identity is NetworkService.
• Load User Profile set to false
• ASP: executeInMta set to false

ACL for logs folder

• Users group - Read and Execute;
• SYSTEM - Full Control (Inherited);
• Administrators - Full Control (Inherited);
• IIS_IUSRS - Full Control;
• Network Service - Full Control.

This setting yields me a '800A0046 - Permission Denied'. Please note that windows authentication is enabled. And I map the LOGON_USER value to a value in DB to permit a user access my website. AppPool is set to NT Authority\NetworkService. Though the apppool identity is set to NetworkService, after a user autheticates, the files are accesses via the authenticated user (impersonated). Sample Process monitor activity below.

Process Monitor File System Activity

• default.asp - Desired Access - SUCCESS - Impersonation: domainname\username
• logs\log3011.txt - Desired Access - DENIED - Impersonation: domainname\username

Now, this puts me in a situation where I have to go to the security properties of 'logs' folder and grant every permissible user Read/Write permission. What I am looking for is, since my apppool runs as NetworkService(logs folder is given full control for NetworkService), I want the logs folder to be accessed via Network Service and not the user authenticated via windows authentication. I understand that this is the expected result when using Windows authentication. However, I use windows autnetication just to verify if the user is allowed to access the website. I need all other website actitivities to use NT Authority\NetworkService. (I am asking for a solution to stop Classic ASP impersonating the windows authenticated user, and rather use the appool identity - networkservice in my case - to access the resources)

Is that too much to ask for? Please guide me with appropriate explanations. Thx.

executeinMTA set to false. I believe false is the default for executeinMTA. I have updated my question too. Thanks.

Yes false is the default, setting it to true is a common issue that could cause this

ok. anything else that strikes you Jim?

the only other thing I can think of that might be (but shouldn't) affect this is ensuring the apppool framework as no manged code. You might try changing to digest authentication

I didnt quite understand what you meant by "ensuring the apppool framework as no manged code". The apppool does not contain any managed (.Net) code. but my classic asp calls a COM+ for some other operation. I am yet to try digest autnentication. I am eploring options to get rid of the log file by all means :)

I agree with that COM+ option with it's own identity. matter of fact I already have a couple of COM+ and they work seamlessly. your suggesstions are good, I gonna consider using a ASP.net page wth impersonation set to false or a DB table instead.