Re: Writing to a network share

From: Prodip Saha (psaha_at_bear.com)
Date: 04/27/04


Date: Tue, 27 Apr 2004 09:16:47 -0500

Using a domain account to run aspnet_wp is risky. Compromising one domain
account amounts to compromising the whole domain.

A Local Machine\ASPNET mirrored account on the remote server, with the same
password as that of the webserver machine, is sufficient to access the remote
resource.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%230sduLbKEHA.2712@TK2MSFTNGP10.phx.gbl...
> Hi
>
> Machine\ASPNET is a local account - it can't be assigned permissions to
> remote resources
> LocalSystem is also a local account.
>
> Try using a *domain* account that has permissions to the remote resource.
>
> Cheers
> Ken
>
> "Tyler Davey" <anonymous@discussions.microsoft.com> wrote in message
> news:715EB9C1-2DD9-4E52-B902-284DA7833F6D@microsoft.com...
> : I posted this message in dotnet.framework.security, and was told to repost it here
> :
> : Alright, I've been trying to figure out the solution to this problem for a few days and I'm officially stumped.
> :
> : My web app server, Machine A, needs the ability to create a file (xml) on my db server, Machine B. The application performs this task after a user invokes a business object through an ASP.net page. Now, if I do this on the app server (ie, log on locally), it works fine. However, if I do this from another client machine, Machine C, I get the beautiful error message:
> :
> : Access to path \\machineb\log\log.xml is denied.
> :
> : <code>
> : Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
> :
> : Exception Details: System.UnauthorizedAccessException: Access to the path "\\orchard\Log\test.xml" is denied.
> :
> : ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
> :
> : To grant ASP.NET write access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
> :
> : </code>
> :
> : Now, here is what I've done:
> :
> : I've given full control to the directory on the network share to everyone
> : I've changed machine.config process model to the SYSTEM account. When that didn't work, I changed it to my network account, which has local admin rights on the network.
> : I've tried mucking around with the Internet zone permissions and Intranet zone permissions through the .net tools, giving both full trust privileges, no luck
> : We've set the asp.net service to log on as a local system account, network system account, my domain account, and finally, the domain's admin account, still no luck
> :
> : My code is very simple:
> :
> : <code>
> : // Requires: using System.Text; using System.Xml;
> : private void Button1_Click(object sender, System.EventArgs e)
> : {
> :     XmlTextWriter writer = new XmlTextWriter(@"\\machinea\Log\log.xml", Encoding.UTF8);
> :     writer.WriteStartDocument();
> :     writer.WriteStartElement("DATA");
> :     writer.WriteElementString("TEST", "Is this going to work");
> :     writer.WriteEndElement();
> :     writer.WriteEndDocument();
> :     writer.Close();
> : }
> : </code>
> :
> : So, what am I missing?
> :
> :
>
>
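
The error text quoted above says the identity used for the write depends on whether the application is impersonating. The following is an added example, not code from this thread: a hypothetical helper, `ShareAccessProbe.Describe`, that reports which Windows identity the current thread presents and whether it can create a file in a target directory. The class and method names are assumptions; call it from the ASP.NET page with the share directory (for example `\\machineb\log`) and compare the output for a local and a remote browser session.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;

// Hypothetical diagnostic helper (added example, not from the thread).
public static class ShareAccessProbe
{
    public static string Describe(string directory)
    {
        var report = new StringBuilder();

        // Identity of the calling thread: the worker process account, or the
        // impersonated user when <identity impersonate="true"/> is in effect.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Identity:      " + id.Name);
            report.AppendLine("Auth type:     " + id.AuthenticationType);
            report.AppendLine("Impersonation: " + id.ImpersonationLevel);
            report.AppendLine("Anonymous:     " + id.IsAnonymous);
        }

        // Create and delete a uniquely named probe file so that no existing
        // file on the share is overwritten.
        string probe = Path.Combine(directory,
            "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            using (File.Create(probe)) { }
            File.Delete(probe);
            report.AppendLine("Write test:    OK");
        }
        catch (UnauthorizedAccessException ex)
        {
            report.AppendLine("Write test:    DENIED (" + ex.Message + ")");
        }
        catch (IOException ex)
        {
            report.AppendLine("Write test:    I/O ERROR (" + ex.Message + ")");
        }
        return report.ToString();
    }

    // Console entry point, for comparing against an interactive logon.
    public static void Main(string[] args)
    {
        Console.Write(Describe(args.Length > 0 ? args[0] : Path.GetTempPath()));
    }
}
```

Once the identity is known, the share and NTFS permissions on the remote directory can be granted to that one account instead of to Everyone.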