|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Problems with authenticated users accessing asp'ssite uses Integrated Security with the server on a 2003 server domain. Clients are on a different domain and enter login information in the browser pop-up. The behaviour I get is as follows …. - All domain users can access html files. - A user I’ve added to the Administrators group on the web server can use the site without trouble – all other users are given a 500 response to attempts to access asp’s and in the log file I get a permission denied error. 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 500 0 0 409 - If I drop the site back to anonymous login all works fine. There is obviously a simple setting I’m missing, and am hopping someone will be able to point me at it. I’ve tried adding ‘telem\Domain Users’ (where telem is the webserver’s domain)to a number of the local security settings (including ‘Access this computer from the network’). Is there a definitive list of which are required – I’ve added ‘telem\Domain Users’ to all entries that have ‘IUSR_servername’ and even ‘IIS_WPG’ out of desperation. Any other thoughts? Regards Gavin Gavin,
The next thing I might check would be the NTFS permissions to the directory that houses the asp pages. Make sure that the domain users group (or whichever group your users are apart of) has access to that directory. Anonymous access uses very special credentials that may have rights on that directory (as do administrators) by default so that may be why admins work and anonymous works. But when you use the users context then you run into issues. Hope this helps. If not just post and we'll see what we can do :) -- Show quoteHide quoteDuane Laflotte MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I dlaflo***@criticalsites.com http://www.criticalsites.com/dlaflotte "Gavin" <gavin@dont.spam.me.com> wrote in message news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com... > > I have IIS serving static content and asp's from IIS6 on Win2003 Server. The > site uses Integrated Security with the server on a 2003 server domain. > Clients are on a different domain and enter login information in the browser > pop-up. > The behaviour I get is as follows .. > > - All domain users can access html files. > - A user I've added to the Administrators group on the web server can use > the site without trouble - all other users are given a 500 response to > attempts to access asp's and in the log file I get a permission denied error. > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 > 500 0 0 409 > > - If I drop the site back to anonymous login all works fine. > > There is obviously a simple setting I'm missing, and am hopping someone will > be able to point me at it. > I've tried adding 'telem\Domain Users' (where telem is the webserver's > domain)to a number of the local security settings (including 'Access this > computer from the network'). Is there a definitive list of which are required > - I've added 'telem\Domain Users' to all entries that have 'IUSR_servername' > and even 'IIS_WPG' out of desperation. Any other thoughts? > > Regards > Gavin > Gavin,
The other thing I would do is to make sure you turn off "Show Friendly HTTP Errors" in your browser so you get the full error and not just the 500 code. That may help point us in the right direction too. P.S. this is a great link for troubleshooting too http://www.aspfaq.com/show.asp?id=2109 -- Show quoteHide quoteDuane Laflotte MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I dlaflo***@criticalsites.com http://www.criticalsites.com/dlaflotte "Gavin" <gavin@dont.spam.me.com> wrote in message news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com... > > I have IIS serving static content and asp's from IIS6 on Win2003 Server. The > site uses Integrated Security with the server on a 2003 server domain. > Clients are on a different domain and enter login information in the browser > pop-up. > The behaviour I get is as follows .. > > - All domain users can access html files. > - A user I've added to the Administrators group on the web server can use > the site without trouble - all other users are given a 500 response to > attempts to access asp's and in the log file I get a permission denied error. > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 > 500 0 0 409 > > - If I drop the site back to anonymous login all works fine. > > There is obviously a simple setting I'm missing, and am hopping someone will > be able to point me at it. > I've tried adding 'telem\Domain Users' (where telem is the webserver's > domain)to a number of the local security settings (including 'Access this > computer from the network'). Is there a definitive list of which are required > - I've added 'telem\Domain Users' to all entries that have 'IUSR_servername' > and even 'IIS_WPG' out of desperation. Any other thoughts? > > Regards > Gavin > Oh how I wish I’d tried that option sooner – I never expected the client to
have more information than the server on the problem – well I don’t suppose it did, I was just looking in the wrong place for it. Thanks for the help. My client received this Permission denied /LM/W3SVC/25858248/Root/global.asa, line 34 And when I look in the global.asa at line 34 I have Set ferrs = fs.CreateTextFile(ERR_FILE, True) So it is write permissions that I haven’t granted to my web directory. This begs an important question... I’m porting this app from NT to Server 2003. Currently the ERR_FILE is written to the applications root directory. On 2003, is global.asa executed as the authenticated user? If so does this mean I would need to grant write access to the application root to maintain current functionality? This doesn’t sound very safe to me. Regards Gavin Show quoteHide quote "Gavin" wrote: > > I have IIS serving static content and asp’s from IIS6 on Win2003 Server. The > site uses Integrated Security with the server on a 2003 server domain. > Clients are on a different domain and enter login information in the browser > pop-up. > The behaviour I get is as follows …. > > - All domain users can access html files. > - A user I’ve added to the Administrators group on the web server can use > the site without trouble – all other users are given a 500 response to > attempts to access asp’s and in the log file I get a permission denied error. > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 > 500 0 0 409 > > - If I drop the site back to anonymous login all works fine. > > There is obviously a simple setting I’m missing, and am hopping someone will > be able to point me at it. > I’ve tried adding ‘telem\Domain Users’ (where telem is the webserver’s > domain)to a number of the local security settings (including ‘Access this > computer from the network’). Is there a definitive list of which are required > – I’ve added ‘telem\Domain Users’ to all entries that have ‘IUSR_servername’ > and even ‘IIS_WPG’ out of desperation. Any other thoughts? > > Regards > Gavin > Good question. So unless impersonation is turned on in the web.config
then if you are doing any external IO from .Net (read/write files etc) as the ASPNET user (or more accurately as the user that is running the ASPNET worker process). So even if the site is NT auth and the user logs in, the actual file access for read and write is as the aspnet account. (Its always a neat demo to deny a user access to a file that is being read with the System.IO classes and then see that user log into the web application and still get access to that file proving this point.) However, there is a difference in the account that runs the processes between Windows 2003 and the rest of the .Net running OS's. 2003 actually uses a lower privilege no net access account where as windows 2000 would use the normal ASPNET account. So this may be where you are seeing the difference. Hope this Helps, -- Show quoteHide quoteDuane Laflotte MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I dlaflo***@criticalsites.com http://www.criticalsites.com/dlaflotte "Gavin" <gavin@dont.spam.me.com> wrote in message news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com... > > I have IIS serving static content and asp's from IIS6 on Win2003 Server. The > site uses Integrated Security with the server on a 2003 server domain. > Clients are on a different domain and enter login information in the browser > pop-up. > The behaviour I get is as follows .. > > - All domain users can access html files. > - A user I've added to the Administrators group on the web server can use > the site without trouble - all other users are given a 500 response to > attempts to access asp's and in the log file I get a permission denied error. > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 > 500 0 0 409 > > - If I drop the site back to anonymous login all works fine. > > There is obviously a simple setting I'm missing, and am hopping someone will > be able to point me at it. > I've tried adding 'telem\Domain Users' (where telem is the webserver's > domain)to a number of the local security settings (including 'Access this > computer from the network'). Is there a definitive list of which are required > - I've added 'telem\Domain Users' to all entries that have 'IUSR_servername' > and even 'IIS_WPG' out of desperation. Any other thoughts? > > Regards > Gavin > As far as I can tell, I don’t have a web.config, so I would guess I don’t
have impersonation turned on. As a test, I’ve granted write access on the file and directory to ‘telem\domain users’ and it all springs to life, so it would seem as if the write is being executed as the authenticated user. The simplest solution seems to be to move the log file to a directory where I don’t mind granting write access. Is this the best solution? Any risks? Regards Gavin Show quoteHide quote "Duane Laflotte" wrote: > Good question. So unless impersonation is turned on in the web.config > then if you are doing any external IO from .Net (read/write files etc) as > the ASPNET user (or more accurately as the user that is running the ASPNET > worker process). So even if the site is NT auth and the user logs in, the > actual file access for read and write is as the aspnet account. > (Its always a neat demo to deny a user access to a file that is being read > with the System.IO classes and then see that user log into the web > application and still get access to that file proving this point.) > > However, there is a difference in the account that runs the processes > between Windows 2003 and the rest of the .Net running OS's. 2003 actually > uses a lower privilege no net access account where as windows 2000 would use > the normal ASPNET account. So this may be where you are seeing the > difference. > > Hope this Helps, > > -- > Duane Laflotte > MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I > dlaflo***@criticalsites.com > http://www.criticalsites.com/dlaflotte > > "Gavin" <gavin@dont.spam.me.com> wrote in message > news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com... > > > > I have IIS serving static content and asp's from IIS6 on Win2003 Server. > The > > site uses Integrated Security with the server on a 2003 server domain. > > Clients are on a different domain and enter login information in the > browser > > pop-up. > > The behaviour I get is as follows .. > > > > - All domain users can access html files. > > - A user I've added to the Administrators group on the web server can use > > the site without trouble - all other users are given a 500 response to > > attempts to access asp's and in the log file I get a permission denied > error. > > > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 > > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 > > 500 0 0 409 > > > > - If I drop the site back to anonymous login all works fine. > > > > There is obviously a simple setting I'm missing, and am hopping someone > will > > be able to point me at it. > > I've tried adding 'telem\Domain Users' (where telem is the webserver's > > domain)to a number of the local security settings (including 'Access this > > computer from the network'). Is there a definitive list of which are > required > > - I've added 'telem\Domain Users' to all entries that have > 'IUSR_servername' > > and even 'IIS_WPG' out of desperation. Any other thoughts? > > > > Regards > > Gavin > > > > > We have a separate directory for log files. The asp user account has ntfs
modify permissions. But in IIS we have disabled anonymous access to this directory, so the asp user cannot browse there. Only administrative users can log in and view log files. We also have directory browsing enabled in IIS for this directory. Show quoteHide quote "Gavin" <gavin@dont.spam.me.com> wrote in message HTTP/1.1news:00A48739-6B05-4D77-9068-1E83ED19CDA5@microsoft.com... > As far as I can tell, I don't have a web.config, so I would guess I don't > have impersonation turned on. > > As a test, I've granted write access on the file and directory to > 'telem\domain users' and it all springs to life, so it would seem as if the > write is being executed as the authenticated user. The simplest solution > seems to be to move the log file to a directory where I don't mind granting > write access. Is this the best solution? Any risks? > > Regards > Gavin > > > "Duane Laflotte" wrote: > > > Good question. So unless impersonation is turned on in the web.config > > then if you are doing any external IO from .Net (read/write files etc) as > > the ASPNET user (or more accurately as the user that is running the ASPNET > > worker process). So even if the site is NT auth and the user logs in, the > > actual file access for read and write is as the aspnet account. > > (Its always a neat demo to deny a user access to a file that is being read > > with the System.IO classes and then see that user log into the web > > application and still get access to that file proving this point.) > > > > However, there is a difference in the account that runs the processes > > between Windows 2003 and the rest of the .Net running OS's. 2003 actually > > uses a lower privilege no net access account where as windows 2000 would use > > the normal ASPNET account. So this may be where you are seeing the > > difference. > > > > Hope this Helps, > > > > -- > > Duane Laflotte > > MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I > > dlaflo***@criticalsites.com > > http://www.criticalsites.com/dlaflotte > > > > "Gavin" <gavin@dont.spam.me.com> wrote in message > > news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com... > > > > > > I have IIS serving static content and asp's from IIS6 on Win2003 Server. > > The > > > site uses Integrated Security with the server on a 2003 server domain. > > > Clients are on a different domain and enter login information in the > > browser > > > pop-up. > > > The behaviour I get is as follows .. > > > > > > - All domain users can access html files. > > > - A user I've added to the Administrators group on the web server can use > > > the site without trouble - all other users are given a 500 response to > > > attempts to access asp's and in the log file I get a permission denied > > error. > > > > > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > > > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 > > > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002Show quoteHide quote > > > 500 0 0 409 > > > > > > - If I drop the site back to anonymous login all works fine. > > > > > > There is obviously a simple setting I'm missing, and am hopping someone > > will > > > be able to point me at it. > > > I've tried adding 'telem\Domain Users' (where telem is the webserver's > > > domain)to a number of the local security settings (including 'Access this > > > computer from the network'). Is there a definitive list of which are > > required > > > - I've added 'telem\Domain Users' to all entries that have > > 'IUSR_servername' > > > and even 'IIS_WPG' out of desperation. Any other thoughts? > > > > > > Regards > > > Gavin > > > > > > > > > That is a good sloutions. The only thing I would warn you against is DO NOT
give script access to that virtual directory in IIS. There are TONS of really good hacks that could give anyone over the internet full administrative rights to your web server if you turn that on. But just putting it in a subdirectory with changed ntfs rights should work. P.S. My head is stuck in ASP.Net that is where the Web.config stuff came from :) Forgot you were doing ASP. -- Show quoteHide quoteDuane Laflotte MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I dlaflo***@criticalsites.com http://www.criticalsites.com/dlaflotte "Gavin" <gavin@dont.spam.me.com> wrote in message HTTP/1.1news:00A48739-6B05-4D77-9068-1E83ED19CDA5@microsoft.com... > As far as I can tell, I don't have a web.config, so I would guess I don't > have impersonation turned on. > > As a test, I've granted write access on the file and directory to > 'telem\domain users' and it all springs to life, so it would seem as if the > write is being executed as the authenticated user. The simplest solution > seems to be to move the log file to a directory where I don't mind granting > write access. Is this the best solution? Any risks? > > Regards > Gavin > > > "Duane Laflotte" wrote: > > > Good question. So unless impersonation is turned on in the web.config > > then if you are doing any external IO from .Net (read/write files etc) as > > the ASPNET user (or more accurately as the user that is running the ASPNET > > worker process). So even if the site is NT auth and the user logs in, the > > actual file access for read and write is as the aspnet account. > > (Its always a neat demo to deny a user access to a file that is being read > > with the System.IO classes and then see that user log into the web > > application and still get access to that file proving this point.) > > > > However, there is a difference in the account that runs the processes > > between Windows 2003 and the rest of the .Net running OS's. 2003 actually > > uses a lower privilege no net access account where as windows 2000 would use > > the normal ASPNET account. So this may be where you are seeing the > > difference. > > > > Hope this Helps, > > > > -- > > Duane Laflotte > > MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I > > dlaflo***@criticalsites.com > > http://www.criticalsites.com/dlaflotte > > > > "Gavin" <gavin@dont.spam.me.com> wrote in message > > news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com... > > > > > > I have IIS serving static content and asp's from IIS6 on Win2003 Server. > > The > > > site uses Integrated Security with the server on a 2003 server domain. > > > Clients are on a different domain and enter login information in the > > browser > > > pop-up. > > > The behaviour I get is as follows .. > > > > > > - All domain users can access html files. > > > - A user I've added to the Administrators group on the web server can use > > > the site without trouble - all other users are given a 500 response to > > > attempts to access asp's and in the log file I get a permission denied > > error. > > > > > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > > > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 > > > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002Show quoteHide quote > > > 500 0 0 409 > > > > > > - If I drop the site back to anonymous login all works fine. > > > > > > There is obviously a simple setting I'm missing, and am hopping someone > > will > > > be able to point me at it. > > > I've tried adding 'telem\Domain Users' (where telem is the webserver's > > > domain)to a number of the local security settings (including 'Access this > > > computer from the network'). Is there a definitive list of which are > > required > > > - I've added 'telem\Domain Users' to all entries that have > > 'IUSR_servername' > > > and even 'IIS_WPG' out of desperation. Any other thoughts? > > > > > > Regards > > > Gavin > > > > > > > > > make sure your seeing the real error
http://www.powerasp.com/content/hintstips/common_sense.asp Show quoteHide quote "Gavin" <gavin@dont.spam.me.com> wrote in message news:79605EC8-5B01-42BC-83FC-ECEB63CBCF48@microsoft.com... > > I have IIS serving static content and asp's from IIS6 on Win2003 Server. > The > site uses Integrated Security with the server on a 2003 server domain. > Clients are on a different domain and enter login information in the > browser > pop-up. > The behaviour I get is as follows .. > > - All domain users can access html files. > - A user I've added to the Administrators group on the web server can use > the site without trouble - all other users are given a 500 response to > attempts to access asp's and in the log file I get a permission denied > error. > > 2005-05-25 09:56:56 W3SVC25858248 xxx.xxx.19.25 GET /Default.asp > |34|800a0046|Permission_denied 2002 telem\holland xxx.xxx.244.109 HTTP/1.1 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) xxx.xxx.19.25:2002 > 500 0 0 409 > > - If I drop the site back to anonymous login all works fine. > > There is obviously a simple setting I'm missing, and am hopping someone > will > be able to point me at it. > I've tried adding 'telem\Domain Users' (where telem is the webserver's > domain)to a number of the local security settings (including 'Access this > computer from the network'). Is there a definitive list of which are > required > - I've added 'telem\Domain Users' to all entries that have > 'IUSR_servername' > and even 'IIS_WPG' out of desperation. Any other thoughts? > > Regards > Gavin >  
Other interesting topics
SetSPN.Exe
Exchange relay for Exchange total newb can't access susadmin page SMTP Relaying Help Cannot Create new VS Web Project Custom Errors Wilcard Cert and Site Identifier number IIS 401 - Unauthorized to access the document anonymous user does not work IIS6 and Authentication across Servers and Domains |
|||||||||||||||||||||||
