Best way to access the shared folder for a web application - iis

I have two machines, Machine A and Machine B in LAN connection. I have shared a folder on Machine A called "SharedFiles" by giving access to "IUSR" and "IIS USER "  and local user.
I have hosted a web application with IIS on machine B. From this hosted application , I want to access the "SharedFiles" folder.
What is the best way to access the shared folder for the web application ? I found below two options.
 1. By changing the Web application's pool identity. Set a custom account for this pool identity where credentials should be the same as the shared folder or vice versa.
 2. By setting up a virtual directory for this. I don't know how to use it. I have read the theory but never use it before.
If option 2 is correct then , do we need to access that folder using http/https?  How does this virtual directory work(Not looking for steps but logical flow)?

To add the virtual directory with the shred path under your site you could follow the below steps:
1)Open iis manager.
2)Right-click on your site ->slect add a virtual directory.
3)in add virtual directory box enter any name and your share folder path
Note: Make sure you have assigned the iis_iusrs and iusr permission to the shared folder.
After doing this go back again select site.
Double click authentication.
Select "Anonymous authentication"
Click edit from the action pane.
application pool identity. click ok.
now you can access your shared folder in browser with your site bindings/virtual directory name like shown below:
you could use the iis application pool identity to the administrator or local system account.

Related

File Table (SQL Server 2016) FILESTREAM permissions lost in IIS

I am trying to store images in a FileTable that is accessible from a website.
According to my understanding, the FileTable needs "SELECT" granted to the account running ApplicationPool that the website runs in.
Example of what I have:
IIS (6.2)
Application pool user : Domain\Bob.
SQL Server login Domain\Bob
Database has Domain\Bob in db_owner group. I explicitly granted Domain\Bob select on the file table also.
DB.dbo.FileStream_FileTable is \\DEV\FileStream_FileTable\
IIS has SiteA
SiteA has virtual directory Image targeting \\127.0.0.1\DEV\FileStream_FileTable\
If I look at the IIS authentication, IIS errors saying insufficient permission to access web.config - but there is no web.config.
On the server, running Internet Explorer, referencing an image as \\127.0.0.1\DEV\FileStream_FileTable\<...>\Image1.jpg it resolves to the jpg.
On the server, running Internet Explorer, referencing an image as HTTP://127.0.0.1/SiteA/Image/Image1.jpg, IE errors (same error as the authentication error)...
Config Error
Cannot read configuration file due to insufficient permissions
Config File
\?\UNC\127.0.0.1\dev\ItemImage\web.config
There IS no config file.
I have tried specifying the Windows user (Domain\Bob) context when accessing the virtual folder "Images" targetting \127.0.0.1\DEV\Filestream_FileTable
and also not specifying the windows credential...
I do not understand why the Image is visible using the UNC path in Internet Explorer (it must authenticate my context as having select on the filestream_filetable table) but not when using the context specifying a Windows context of a user who also has select on the table, in IIS.
NOTE: As an experiment, I modified the user, in IIS, used to access the share to Administrator. Then the IIS site resolved the image.
(Virtual directory targetting the \\servername\sql_instance_filestream_handle\directory\tablename)
The Windows User Domain\Bob has full rights on database - database owner.
There is another user's question, Access to SQL Server FileTable from IIS, that has servername in file share being a potential issue if the IIS and SQL server is on the same host, which I have taken into consideration.
I have added Domain\Bob to IIS_ISURS group...
What is Domain\Bob not a member of that grants access?
I can't very well make all my IIS shares accessing with Administrator accounts!
In some case, IIS will try to create web.config if the UNC path just return access denied error. If IIS failed to create web.config, It will also fail to access web.config with 500.19.
So please ensure your Application pool identity is set to a domain account who have read/write permission to access the folder.
Then please try to set Anonymous authentication->edit..->Application pool identity.
The Windows user Domain\Bob was not a login in the DEV sql instance.
Creating a sql login solved it. blush
Database level had the user, yes, but the SQL server didn't have a login.
facepalm

Create Virtual Directory to access shared network drive

I would like to create a virtual directory in my IIS application to be able to access from my web application to a shared directory.
My web server is on the A workstation and the directory share on B workstation.
From the file explorer of the A workstation I can access the shared directory of the B workstation but I can't when creating the virtual directory.
Let me explain:
I create a virtual directory like this :
but when i try to access to my directory :
I think this is because direct authentication is not configured on my server. So I followed this microsoft tutorial but I block at this step:
On the User Name and Password page, type the user name and password that has sufficient privileges to gain access to the remote folder.
Because I can't figure out which user to choose.. If it is a user of workstation A or workstation B.
I've tried both but nothing works.
Do you have any idea why?
Thank you very much for reading and for your potential future response :D

Local site within Dropbox using IIS

I am trying to have my local website within dropbox using IIS. When I add the dropbox directory I get the error: The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path.
I am admin and have allowed all access to the dropbox folder. What is wrong?
You should add IIS user account to the list of users who are allowed to view/read the files. IIS usually runs via separate user account for security reasons.
This is done the following way:
Right-click on your site folder in Dropbox
Select "Security"
Click "Add"
Find IUSR user and/or IIS_IUSRS group
Add them both (or one, if only one is present) and assign them read permissions
Try adding your site folder again.
This should fix the issue.

IIS Virtual Directory map to network drive (with drive letter) but fail to create file

I am using C#/ASP.NET, IIS6 on Windows Server 2003.
Map the data server shared folder to the WebServer with driver letter V:\
On the WebServer, IIS created a virtual directory and pointed to 'local location' with V:\ . Since there is no 'Connect As', not sure which USER will be used
In my WebMethod, I want to create file on the shared folder with FileStream.Write().
I got IO Exception on the action, any hint?
P.S. I have added ASPNET/NETWORK SERVICE on the data server shared folder.
thanks!
Gavin
Mapped network drives are specific to the user account that created them:
Using Mapped Drives with IIS - MS KB257174
The preferred method of accessing content for the Web server that exists on a remote computer is to use shares that follow the universal naming convention (UNC).
It's very likely that NETWORK SERVICE (or if you're running ASP.NET under impersonation, the site anonymous account) hasn't got this mapping.
To change the location where the virtual directory points to, browse to your site in IIS manager, right click on the virtual directory and select properties. You can then select "A share located on another computer":
The website in IIS has a corresponding app pool and this should tell you the user under which your code wil be running.
You'll the have to grant the appropriate permissions for that share for that user.

401.1 Error when accessing virtual directory pointing to network share

IIS5 is running on SERVER1.
One of the virtual directories in IIS, myfiles, is pointing to "A shared location on another computer", //SERVER2/myfilesshare
When I try to access the page:
http://SERVER1/myfiles
... I get the error:
You are not authorized to view this page
HTTP 401.1 - Unauthorized: Logon Failed
Internet Information Services
I have triple-checked the "Connect As..." settings in IIS. The credentials I'm using to access the share are correct-- they work when connect to the share in Windows Explorer, but not through the IIS virtual directory.
I've tried granting full permission to Everyone on the folder in SERVER2, but no luck.
Any thoughts?
This was how I solved my problem, might help you.
By default, IIS uses local user called IUSR for virtual directories when using anonymous authentication. It does not use application identity, which should be obvious, if you use procmon.
How can you force it to use application identity?
Easy, under IIS manager:
1) go to Authentication
2) Edit "Anonymous authentication"
3) Select "Application pool identity"
4) Restart IIS & it should work.
The same accomplished with PS: Set-WebConfigurationProperty -filter /system.WebServer/security/authentication/AnonymousAuthentication -name username -value ""
This link contains the pros/cons: http://blogs.technet.com/b/tristank/archive/2011/12/22/iusr-vs-application-pool-identity-why-use-either.aspx
Permission issues can be tricky. Try running filemon on the 'other computer' It can be downloaded over here: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
(it's not a big application just a tiny lightweight tool)
After you've started filemon, stop the monitor process (I believe it's turned on by default when you start the application), clear the logged data, create a filter for the folder you have trouble getting access to. Start the monitor process. Request your webpage. Stop the monitor process and look for "access denied" messages in filemon. When found, filemon will also mention the name of the actual user which is trying to get access. This might help you to get to a solution.
Btw when using Windows Server 2008 you will need processmon instead: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Imagine a scenario where for whatever reason you want to have your IIS Server access a Share on a File server and they are not on the same domain.
If you can follow and get this to work for you (I have done it Win2008-R1 32-bit File Server and Win2008-R2 64-bit with IIS 7), then you should be in good shape for any scenario.
Same name local account on both servers with same password
On IIS, use aspnet_regiis -ga MyAccount to give local account access to IIS guts
Now use that as the Application Pool Identity of the Website
Using Local Security Policy (Admin Tools) enable trust for delegation for local account
Restart IIS server
On File Server, use Local Security Policy to enable access from network for local account
Create Share granting desired permissions to local account (also Security tab permissions as needed)
Open up File & Print Sharing ports on both (as restrictive as possible) to point where it works for you when you are using Windows Explorer between the two
Back to IIS, create Virtual Directory using UNC path to Shared folder from File Server
Just use Pass-through authentication (which would use your local account)
You can tell Anonymous Authentication setting of the Virtual Directory to use Application Pool Identity as well
Use something that will test/verify. The key really is trust for delegation using a Service Account (domain or otherwise), and having IIS use the account you want it to use instead of Local Server or Network Service.
This took me all day to figure out. Various threads in StackOverflow and other Internet sources helped point me to various resources me but didn't find my exact answer anywhere. Hopefully next person stuck with this problem will get a speed boost on the path to resolving with my description of what worked for me.
try enabling windows authentication on the virtual directory security tab (in IIS).

Resources