Senario, Google Shared drive full of documents, shared with the IIS server, server has a virtual directory pointed to a folder that is available locally on the IIS server.
Using Dropbox, I can set Security options on the folder and the IIS server has access to the folder, works great. Company wants to move to Google Drive, when I attempt this, the Google drive folder has not Security Tab option.
I have scoured around for answers but everything is about the API, this has nothing to do with the API.
I also created an account on the IIS server, gave the account Administration privilege's and I get this error: "Specified user cannot access path (d:\Shared\GoogleDrive).
Also, I setup d:\Shared because I can apply Security settings to the folder and was hoping it would propagate down but it does not.
I finally figured out how to do this:
On the server itself backup/sync the folder desired. This allows you to manage the security on the folder, which is lost with other approaches.
From the google drive web interface, select computers, select the desired folder and using the more options from the menu, "Add shortcut to Drive".
You can then share it across the companies established share structure as a shortcut and sync files easily to the webserver.
In my case these are forms and pdf files but the webserver needs security access to the folder and using the base line Google shares did not work for me. This way did.
Related
I'm trying to simply run a local website which has sime basic HTML files using IIS.
Through the IIS Manager I have created a new website and have set the physical path to the directory with the HTML files.
However when I input the physical path I get the following warning:
The server is configured to use pass-through authentication with a
built-in account to access the specified physical path. However, IIS
Manager cannot verify whether the built-in account has access. Make
sure that the application pool identity has Read access to the
physical path. If this server is joined to a domain, and the
application pool identity is NetworkService or LocalSystem, verify
that \$ has Read access to the physical path.
Then test these settings again.
Now, when I navigate to the site through localhost I get the following Unauthorized error:
You do not have permission to view this directory or page because of
the access control list (ACL) configuration or encryption settings for
this resource on the Web server.
What's going on here? When I right click my folder I seem to have given access to everyone. I haven't made any specific IIS changes so what could be the issue here?
EDIT:
MAN I cannot believe this. My case is so simple (I just wanna display some HTML files on localhost) which should require ZERO configuration at all. Yet IIS fails to meet the demand.
EDIT: I think everyone should have permission to my folder. Here's a picture of the permissions screen for the folder:
Working with a set of server protocols is different than adding files to a share. In this case, you're going to want to open IIS and navigate to the website you added it as.
There, you'll see a variety of icons, some under the heading of ASP.NET, some under IIS. The first heading you'll see under IIS is Authentication. That's the one you want. If this is strictly internal/for learning, go ahead and enable Anonymous Authentication. It's not safe, but it'll get you in the right place to start googling around.
I am using C#/ASP.NET, IIS6 on Windows Server 2003.
Map the data server shared folder to the WebServer with driver letter V:\
On the WebServer, IIS created a virtual directory and pointed to 'local location' with V:\ . Since there is no 'Connect As', not sure which USER will be used
In my WebMethod, I want to create file on the shared folder with FileStream.Write().
I got IO Exception on the action, any hint?
P.S. I have added ASPNET/NETWORK SERVICE on the data server shared folder.
thanks!
Gavin
Mapped network drives are specific to the user account that created them:
Using Mapped Drives with IIS - MS KB257174
The preferred method of accessing content for the Web server that exists on a remote computer is to use shares that follow the universal naming convention (UNC).
It's very likely that NETWORK SERVICE (or if you're running ASP.NET under impersonation, the site anonymous account) hasn't got this mapping.
To change the location where the virtual directory points to, browse to your site in IIS manager, right click on the virtual directory and select properties. You can then select "A share located on another computer":
The website in IIS has a corresponding app pool and this should tell you the user under which your code wil be running.
You'll the have to grant the appropriate permissions for that share for that user.
I have a file share on a machine. On another machine I have IIS and a webapp running. Through the webapp, I want to be able to offer files from the share for download. On the IIS machine, how can I persistently map the fileshare drive to say drive Z:?
If I map the drive with a regular user, the mapping disappears when the user session ends, right? Is it possible to map the drive persistently so that IIS can access the files on it regardless of whether someone is logged in or not?
You can't use mapped drives like Z:. Use UNC paths (\\someserver\someshare\) to access content on the network, instead. You have to create a Virtual Directory in your web which points to the UNC path. You will also be asked some questions whether you want to use a static username or not and what access permissions you want to allow.
We have an instance of IIS6 running an intranet website with Windows Authentication and Impersonate = true so that it uses the NT credentials passed in by the clients browser.
The AppPool is set to run as a network service user: serviceAcctX so that we can undo impersonation in rare cases (to read or write a resource that the client user does not have access to)
It works perfectly when the source of the virtual directory is on a local drive. The logged in user is authenticated and page content is customized based on authorization settings.
Our infrastructure team is trying to move the virtual directory source to a file share on a remote server. We have already gotten past the issue with changing the .Net security policy by adding a full trust for that specific file share path. We have set the Connect As property to the same serviceAcctX, the same one that the AppPool is running as.
The site starts fine. However, the client user is not impersonated. The request is processed using the default serviceAcctX credentials instead of with the client's NT credentials as before.
Is there a way to have the client impersonation still work as before and still have the virtual directory on a file share? Any pointers are greatly appreciated.
I'd put this in the category of Not A Good Idea.
There are a number of potential problems that crop up and you are introducing a lot of dependent complexity.
Instead, I'd go for something a little more "offline" than this. Use File Replication to keep the files in sync between your web server(s) and remote server.
Although slightly complex, it increases the survivability of your application. Meaning, if the remote server reboots, goes down, or there is a network problem between the two, your app is still functional. Further, you are still able to have the files on the remote server.
You may have to check the "trust this computer for delegation" check box in Active Directory for the web server in order for the user's token to be passed on.
IIS5 is running on SERVER1.
One of the virtual directories in IIS, myfiles, is pointing to "A shared location on another computer", //SERVER2/myfilesshare
When I try to access the page:
http://SERVER1/myfiles
... I get the error:
You are not authorized to view this page
HTTP 401.1 - Unauthorized: Logon Failed
Internet Information Services
I have triple-checked the "Connect As..." settings in IIS. The credentials I'm using to access the share are correct-- they work when connect to the share in Windows Explorer, but not through the IIS virtual directory.
I've tried granting full permission to Everyone on the folder in SERVER2, but no luck.
Any thoughts?
This was how I solved my problem, might help you.
By default, IIS uses local user called IUSR for virtual directories when using anonymous authentication. It does not use application identity, which should be obvious, if you use procmon.
How can you force it to use application identity?
Easy, under IIS manager:
1) go to Authentication
2) Edit "Anonymous authentication"
3) Select "Application pool identity"
4) Restart IIS & it should work.
The same accomplished with PS: Set-WebConfigurationProperty -filter /system.WebServer/security/authentication/AnonymousAuthentication -name username -value ""
This link contains the pros/cons: http://blogs.technet.com/b/tristank/archive/2011/12/22/iusr-vs-application-pool-identity-why-use-either.aspx
Permission issues can be tricky. Try running filemon on the 'other computer' It can be downloaded over here: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
(it's not a big application just a tiny lightweight tool)
After you've started filemon, stop the monitor process (I believe it's turned on by default when you start the application), clear the logged data, create a filter for the folder you have trouble getting access to. Start the monitor process. Request your webpage. Stop the monitor process and look for "access denied" messages in filemon. When found, filemon will also mention the name of the actual user which is trying to get access. This might help you to get to a solution.
Btw when using Windows Server 2008 you will need processmon instead: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Imagine a scenario where for whatever reason you want to have your IIS Server access a Share on a File server and they are not on the same domain.
If you can follow and get this to work for you (I have done it Win2008-R1 32-bit File Server and Win2008-R2 64-bit with IIS 7), then you should be in good shape for any scenario.
Same name local account on both servers with same password
On IIS, use aspnet_regiis -ga MyAccount to give local account access to IIS guts
Now use that as the Application Pool Identity of the Website
Using Local Security Policy (Admin Tools) enable trust for delegation for local account
Restart IIS server
On File Server, use Local Security Policy to enable access from network for local account
Create Share granting desired permissions to local account (also Security tab permissions as needed)
Open up File & Print Sharing ports on both (as restrictive as possible) to point where it works for you when you are using Windows Explorer between the two
Back to IIS, create Virtual Directory using UNC path to Shared folder from File Server
Just use Pass-through authentication (which would use your local account)
You can tell Anonymous Authentication setting of the Virtual Directory to use Application Pool Identity as well
Use something that will test/verify. The key really is trust for delegation using a Service Account (domain or otherwise), and having IIS use the account you want it to use instead of Local Server or Network Service.
This took me all day to figure out. Various threads in StackOverflow and other Internet sources helped point me to various resources me but didn't find my exact answer anywhere. Hopefully next person stuck with this problem will get a speed boost on the path to resolving with my description of what worked for me.
try enabling windows authentication on the virtual directory security tab (in IIS).