Save files to DMZ server from LAN based web app

I've got a website in a DMZ that is available on the internet. There is an admin site in our LAN that is used to maintain the DMZ site. One of the functions is to add files that need to be accessible on the DMZ site. There is a section of the site on the LAN site where a user can upload a file; that file needs to get saved to the site on the DMZ. I have a share created on the DMZ server and have it mapped to a drive on the LAN computer, and I can copy, move, and update files directly on the share from the LAN in Windows Explorer. However, every time I try to save a file there from within the website on the LAN server, I get a permissions error.
I assume I need to use a different identity for the application pool but I can't figure out what to use. There is a local user on the DMZ computer that has read/write access to the share, I used that user to map the drive from the LAN machine. I tried to set that user as the identity in the app pool but that didn't work. I also tried to create a local user on the LAN machine with the same name and password and use that as the identity, but that also didn't work.
They're both Windows 2012 machines.

I figured this out: it wasn't the application pool identity that had to be changed. I had to change the anonymous user identity associated with the anonymous authentication on the site.
1. Create a local user on both servers with the same name and password.
2. On the target (DMZ) server make sure that user has permission to do what it needs to do in the directories.
3. On the source (LAN) server go into IIS and select the site. Double-click the "Authentication" feature, then right-click "Anonymous Authentication" and select Edit.
4. Choose the "Specific user" option and set it to be the user you created that matches the one on the DMZ server.
There is no need to actually map the drive on the LAN server; you can just access it with the UNC path (\\server\share).
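
The steps above, scripted with the WebAdministration module, as an added example that is not part of the original answer. The site, account, share and folder names are hypothetical; the account is granted Modify on the upload folder only, because every anonymous request to the LAN site will run as it.

```powershell
# Added example: every site, account, share and path name here is a hypothetical placeholder.
Import-Module WebAdministration

# LAN server: run the site's anonymous requests as the matching local account.
function Set-SiteAnonymousUser {
    param([string]$SiteName, [pscredential]$Credential)
    $common = @{
        PSPath   = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config
        Location = $SiteName                   # ...inside a <location> tag for this site
        Filter   = 'system.webServer/security/authentication/anonymousAuthentication'
    }
    $net = $Credential.GetNetworkCredential()
    Set-WebConfigurationProperty @common -Name userName -Value $net.UserName
    Set-WebConfigurationProperty @common -Name password -Value $net.Password

    # Read back both identities, since they are easy to confuse.
    # An empty AnonymousUser means anonymous requests use the app pool identity.
    $pool = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    [pscustomobject]@{
        Site          = $SiteName
        AnonymousUser = (Get-WebConfigurationProperty @common -Name userName).Value
        AppPool       = $pool
        PoolIdentity  = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).identityType
    }
}

# DMZ server: give the matching local account Modify on the upload folder only,
# and Change on the share, rather than rights on the whole site or server.
function Grant-UploadFolderAccess {
    param([string]$Folder, [string]$ShareName, [string]$Account)
    icacls $Folder /grant "${Account}:(OI)(CI)M"
    Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Change -Force
}

# On the LAN server (hypothetical names):
#   Set-SiteAnonymousUser -SiteName 'LanAdminSite' -Credential (Get-Credential svc-dmzupload)
# On the DMZ server (hypothetical names):
#   Grant-UploadFolderAccess -Folder 'D:\Sites\Public\uploads' -ShareName 'uploads' -Account 'svc-dmzupload'
```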

Related

Best way to access the shared folder for a web application

I have two machines, Machine A and Machine B, in a LAN connection. I have shared a folder on Machine A called "SharedFiles" by giving access to "IUSR" and "IIS USER" and local user.
I have hosted a web application with IIS on Machine B. From this hosted application, I want to access the "SharedFiles" folder.
What is the best way to access the shared folder for the web application? I found the two options below.
 1. By changing the web application's pool identity. Set a custom account for this pool identity where credentials should be the same as the shared folder or vice versa.
 2. By setting up a virtual directory for this. I don't know how to use it. I have read the theory but never used it before.
If option 2 is correct, then do we need to access that folder using http/https? How does this virtual directory work (not looking for steps but logical flow)?

To add the virtual directory with the shared path under your site you could follow the steps below:
1) Open IIS Manager.
2) Right-click on your site -> select add a virtual directory.
3) In the add virtual directory box enter any name and your shared folder path.
Note: Make sure you have assigned the IIS_IUSRS and IUSR permission to the shared folder.
After doing this, go back and select the site again.
Double-click Authentication.
Select "Anonymous authentication".
Click Edit from the action pane.
Application pool identity. Click OK.
Now you can access your shared folder in the browser with your site bindings/virtual directory name like shown below:
You could set the IIS application pool identity to the administrator or local system account.

Windows Server 2012 R2 - File Server/FTP over SSL

I am a student and for my dissertation I need to configure a Windows Server to be a file server which uses FTP over SSL for file sharing so a user can download a file from the server.
What do I need to do in terms of setting up the service and calling it from another machine later on?
Thanks in advance.

Step 1. Install an SSL certificate on the server.
You can buy the SSL certificate from your webhost
Your webhost should also have instructions for installing the certificate
If you can't find instructions, try this: GoDaddy SSL Instructions
Step 2. Set up an FTP server on your Windows server
You can set up an FTP server using IIS (Internet Information Services) which is installed by default on every Windows Server.
Once you open IIS, right click on the server name and select Add FTP Site.
Give it a name and a location where you want to save the files that you'll be uploading
You can leave the IP on All Unassigned and port on 21
Select Require SSL and use the Select button to navigate to your certificate
Enable basic authentication, leave anonymous disabled
Step 3. Grant user permissions
Open Computer Management and navigate to "Users" under System Tools / Local Users and Groups.
If there is no user called ftpuser, create one.
In File Explorer, right click on the folder where you'll be storing your files, select Properties and go to the Security tab.
Click the Edit button, then Add
Enter the name of your FTP user, click Check Names, then OK.
Your FTP user should now be listed in the Security tab. Select this user and then grant Modify, Read & execute, List folder contents, Read, Write. Click OK.
In IIS, select your FTP site and then double click "FTP Authorization Rules". Add a new rule for a specific user (ftpuser) and select Read and Write.
Step 4. Connect to your FTP server from your local machine
There are many ways to connect to your FTP server including a browser or file explorer, but arguably the best way to do this is to use an FTP client.
A good free FTP client is Cute FTP. I recommend it, but there are many others.
After you've installed an FTP client, enter your host name (domain or server IP), user (the FTP user you created), password and port number (should be 21).
Now you can drag and drop from and to your server.
Bob's your uncle.
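
Steps 2 and 3 of the answer above, scripted with the WebAdministration module, as an added example that is not part of the original answer. The site name, root folder and certificate subject are hypothetical; it requires TLS on both the control and data channels so that neither the Basic-authentication password nor the file contents travel in clear text.

```powershell
# Added example: site name, folder and certificate subject are hypothetical placeholders.
Import-Module WebAdministration

$Site = 'DissertationFtp'              # hypothetical FTP site name
$Root = 'D:\FtpRoot'                   # hypothetical folder that holds the files
$User = 'ftpuser'                      # local account named in the steps above

# Pick the newest matching certificate from the machine store (installed in step 1).
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*CN=ftp.example.test*' } |   # hypothetical subject
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw 'No matching certificate found in LocalMachine\My' }

New-WebFtpSite -Name $Site -Port 21 -PhysicalPath $Root | Out-Null
$path = "IIS:\Sites\$Site"

# "Require SSL": bind the certificate and require TLS on both channels (1 = SslRequire).
Set-ItemProperty $path -Name ftpServer.security.ssl.serverCertHash       -Value $Cert.Thumbprint
Set-ItemProperty $path -Name ftpServer.security.ssl.controlChannelPolicy -Value 1
Set-ItemProperty $path -Name ftpServer.security.ssl.dataChannelPolicy    -Value 1

# Basic authentication on, anonymous off.
Set-ItemProperty $path -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $path -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# FTP authorization rule for the one named user (3 = Read + Write).
Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $Site `
    -Value @{ accessType = 'Allow'; users = $User; permissions = 3 }

# NTFS: Modify on the FTP root only, inherited by files and subfolders.
icacls $Root /grant "${User}:(OI)(CI)M"

# Read the channel policies back to confirm both require TLS.
Get-ItemProperty $path -Name ftpServer.security.ssl.controlChannelPolicy
Get-ItemProperty $path -Name ftpServer.security.ssl.dataChannelPolicy
```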

TF30063: You are not authorized to access

We're currently having an issue where when someone tries to access our TFS server via Visual Studio, they're hit with an Error TF30063: You are not authorized to access.
The TFS server is on a different domain to what the client machines trying to connect are on. There is a domain trust between the two and other shared resources work fine.
I have found that it does temporarily work if you open up an RDP (remote) connection to the server in the background and login using your local domain credentials. After leaving your remote session connected and trying to connect again via Visual Studio, it works fine.
Another thing to point out, which indeed would be related, is that looking at the Administrator group permissions on the TFS server, it does not resolve the usernames of the users in the list until they initiate an RDP connection at least once after a reboot has occurred. Instead it shows their SID.
Things I've tried so far are:
Adding Windows and Generic Credentials to the Credential Manager on the TFS server for their domain accounts. I thought it might be an issue with the server not caching their credentials which meant an RDP connection needed to exist each time.
Enabling Windows Authentication in IIS
Adding the path to Trusted Sites in Internet Options
Enabling Network access: Allow anonymous SID/Name translation in Group Policy for the machine.
Creating a registry key under HKLM\System\CurrentControlSet\Control\Lsa called TurnOffAnonymouseBlock and setting it to 1, which essentially is what the GP above does.
None of these however have seemed to fix the issue.
Any suggestions would be greatly appreciated!

If there is a domain trust in place, you should just add the user's AD account that they log into their machine with as a valid user in TFS.
For example, if TFS is in Domain A, and the user's laptop is in domain B (and they login to their laptop with a domain B account), then you need to ensure that Domain A trusts Domain B (either a two-way trust, or one way with A trusting B). Then you just need to make sure to add the user's domain B account as a TFS Contributor for example, and they should be able to access TFS without doing anything special.

Local site within Dropbox using IIS

I am trying to have my local website within Dropbox using IIS. When I add the Dropbox directory I get the error: The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path.
I am admin and have allowed all access to the Dropbox folder. What is wrong?

You should add the IIS user account to the list of users who are allowed to view/read the files. IIS usually runs via a separate user account for security reasons.
This is done the following way:
Right-click on your site folder in Dropbox
Select "Security"
Click "Add"
Find IUSR user and/or IIS_IUSRS group
Add them both (or one, if only one is present) and assign them read permissions
Try adding your site folder again.
This should fix the issue.

IIS Virtual Directory map to network drive (with drive letter) but fail to create file

I am using C#/ASP.NET, IIS6 on Windows Server 2003.
Map the data server shared folder to the WebServer with drive letter V:\
On the WebServer, IIS created a virtual directory and pointed to 'local location' with V:\ . Since there is no 'Connect As', not sure which USER will be used
In my WebMethod, I want to create file on the shared folder with FileStream.Write().
I got IO Exception on the action, any hint?
P.S. I have added ASPNET/NETWORK SERVICE on the data server shared folder.
Thanks!
Gavin

Mapped network drives are specific to the user account that created them:
Using Mapped Drives with IIS - MS KB257174
The preferred method of accessing content for the Web server that exists on a remote computer is to use shares that follow the universal naming convention (UNC).
It's very likely that NETWORK SERVICE (or if you're running ASP.NET under impersonation, the site anonymous account) hasn't got this mapping.
To change the location where the virtual directory points to, browse to your site in IIS manager, right click on the virtual directory and select properties. You can then select "A share located on another computer":
The website in IIS has a corresponding app pool and this should tell you the user under which your code will be running.
You'll then have to grant the appropriate permissions for that share for that user.
