Permission Denied when writing text file from ASP Site

We currently have a custom ASP front end application for our SQL 2000 database. The ASP is running on a Windows 2000 Advanced Server with SP-4 and IIS 5. The ASP files are physically located on the IIS server. The export files must be written to a file server in the domain.

Configuration:
Domain
|- IIS Server
|  |- ASP Web Site (C:\wwwroot)
|
|- File Server
   |- Export Share

The application requires Anonymous Authentication be disabled, and ONLY Windows Integrated Authentication be enabled. The application requires the NT UserID for internal security and feature sets. Different departments have different permissions and modules available.

Permissions on the export share allow Full Control to Authenticated Users. Everyone does not have permission to the share. (That's an issue to take up with the network admin. :) )

When the user selects the export function the following error is displayed.

Error Type:
Microsoft VBScript runtime (0x800A0046)
Permission denied
/{ModuleDir}/{ExportModule}.asp, line 436

Additional Information:
The export file is a text file created and written using fso.

"GregRoberts" wrote:
> We currently have a custom ASP front end application for our SQL 2000
> database. The ASP is running on a Windows 2000 Advanced Server with SP-4 and
> IIS 5. The ASP files are physically located on the IIS server. The export
> files must be written to a file server in the domain.
>
> Configuration:
> Domain
> |- IIS Server
> |  |- ASP Web Site (C:\wwwroot)
> |
> |- File Server
>    |- Export Share
>
> The application requires Anonymous Authentication be disabled, and ONLY
> Windows Integrated Authentication be enabled. The application requires the NT
> UserID for internal security and feature sets. Different departments have
> different permissions and modules available.
>
> Permissions on the export share allow Full Control to Authenticated Users.
> Everyone does not have permission to the share. (That's an issue to take up
> with the network admin. :) )
>
> When the user selects the export function the following error is displayed.
>
> Error Type:
> Microsoft VBScript runtime (0x800A0046)
> Permission denied
> /{ModuleDir}/{ExportModule}.asp, line 436

This is a classic "double hop" scenario.

With IIS5, you must set up and configure Kerberos to be used everywhere as well as configure delegation in order to do this. Otherwise, it is not possible with Integrated Authentication.

On IIS6, you do not need to use Kerberos to authenticate with the client, but the servers must have Kerberos configured and have delegation enabled.

This is for security reasons. Just because someone can use Integrated Authentication to log in to the web server, it does NOT mean the web server can re-use that identity to write a file to another server. Why? Let me use another example. Suppose you authenticate to a web server. Do you allow the web server to use your credentials to withdraw money from your bank account?

For example, your scenario will work the way you want if you change Integrated authentication to Basic authentication. This is because Basic authentication is insecure and implicitly delegates authority. Integrated authentication does not do this without explicit configuration.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
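The reply above makes the second hop depend on which mechanism the browser actually used, so a first check is whether a request carried Kerberos or fell back to NTLM. The sketch below is an added example, not code from the thread or from IIS: it classifies an `Authorization` header value by inspecting the token. The function names and sample headers are constructed for illustration, and the per-scheme outcomes restate the reply for the IIS 5 case.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
# DER-encoded Kerberos 5 mechanism OIDs: 1.2.840.113554.1.2.2 and the legacy Microsoft 1.2.840.48018.1.2.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),
             bytes.fromhex("06092a864882f712010202"))

def classify_authorization(header):
    """Heuristically label an Authorization header: basic, ntlm, kerberos or unknown."""
    scheme, _, blob = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # malformed base64
        return "unknown"
    # Look for NTLM first so an NTLM message wrapped in SPNEGO is not reported as Kerberos.
    if NTLM_SIG in token:
        return "ntlm"
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"

def second_hop(kind):
    """Second-hop outcome for each scheme, as stated in the reply above for IIS 5."""
    return {
        "basic": "works (Basic implicitly delegates)",
        "kerberos": "works only with delegation configured",
        "ntlm": "fails (permission denied on the remote share)",
    }.get(kind, "undetermined")

def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")

# Constructed sample headers, not captured traffic.
SAMPLES = {
    "ntlm": _hdr("NTLM", NTLM_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "ntlm_via_negotiate": _hdr("Negotiate", NTLM_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2"),
    # Minimal SPNEGO NegTokenInit naming only Kerberos (no ticket attached).
    "kerberos": _hdr("Negotiate", bytes.fromhex(
        "601b06062b0601050502a011300fa00d300b06092a864886f712010202")),
    "basic": _hdr("Basic", b"user:constructed"),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        kind = classify_authorization(header)
        print(f"{name:20} {kind:9} second hop: {second_hop(kind)}")
```

A `Negotiate` header that classifies as `ntlm` means the client never obtained a Kerberos ticket for the site, so delegation settings alone will not fix the export.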