Re: Permission Denied when writing text file from ASP Site

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 04/26/05


Date: Mon, 25 Apr 2005 23:49:00 -0700

This is the classic "double hop" scenario.

With IIS5, you must set up and configure Kerberos to be used everywhere as
well as configure delegation in order to do this. Otherwise, it is not
possible with Integrated Authentication. On IIS6, you do not need to use
Kerberos to authenticate with the client, but the servers must have Kerberos
configured and have delegation enabled.

This is for security reasons. Just because someone can use Integrated
Authentication to log in to the web server, it does NOT mean the web server
can re-use that identity to write a file to another server. Why? Let me use
another example. Suppose you authenticate to a web server. Do you allow the
web server to use your credentials to withdraw money from your bank account?

For example, your scenario will work the way you want if you change
Integrated authentication to Basic authentication. This is because Basic
authentication is insecure and implicitly delegates authority. Integrated
authentication does not do this without explicit configuration.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"GregRoberts" <GregRoberts@discussions.microsoft.com> wrote in message
news:6E676429-99D0-427C-8D6F-DE06DAEF4275@microsoft.com...
Additional Information:
The export file is a text file created and written using fso.
"GregRoberts" wrote:
> We currently have a custom ASP front end application for our SQL 2000
> database.  The ASP is running on a Windows 2000 Advanced Server with SP-4
> and IIS 5.  The ASP files are physically located on the IIS server. The
> export files must be written to a file server in the domain.
>
> Configuration:
> Domain
> |-    IIS Server
> |        |-   ASP Web Site        (C:\wwwroot)
> |
> |-    File Server
>          |-   Export Share
>
> The application requires Anonymous Authentication be disabled, and ONLY
> Windows Integrated Authentication be enabled. The application requires the
> NT UserID for internal security and feature sets.  Different departments
> have different permissions and modules available.
>
> Permissions on the export share allow Full Control to Authenticated Users.
> Everyone does not have permission to the share. (That's an issue to take
> up with the network admin. :) )
>
> When the user selects the export function the following error is
> displayed.
>
> Error Type:
> Microsoft VBScript runtime (0x800A0046)
> Permission denied
> /{ModuleDir}/{ExportModule}.asp, line 436
>
>
>
>
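
The difference between Integrated and Basic authentication described in the reply, as an added example that is not part of the original thread: a toy Python model of the two hops. HMAC-SHA256 stands in for the real NTLM response computation, Kerberos delegation is not modelled, and the class names, account and password are constructed for illustration.

```python
import hashlib
import hmac
import os

def derive_key(password: bytes) -> bytes:
    """Long-term key derived from the password (stand-in for the NT hash)."""
    return hashlib.sha256(password).digest()

# Constructed account database, as the domain would hold it.
ACCOUNTS = {"greg": derive_key(b"constructed-password")}

def respond(key: bytes, challenge: bytes) -> bytes:
    """Proof of key possession, valid only for this one challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify(user: str, challenge: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(proof, respond(ACCOUNTS[user], challenge))

class FileServer:
    """Second hop: issues its own fresh challenge for every logon."""
    def write_export(self, user, answer) -> str:
        challenge = os.urandom(16)
        ok = verify(user, challenge, answer(challenge))
        return "written" if ok else "Permission denied"

class WebServer:
    """First hop: authenticates the browser, then attempts the second hop."""
    def __init__(self):
        self.file_server = FileServer()

    def integrated(self, user: str, client_key: bytes) -> str:
        challenge = os.urandom(16)
        proof = respond(client_key, challenge)  # computed on the client
        if not verify(user, challenge, proof):
            raise PermissionError("logon failed")
        # The web server holds only `proof`, which is bound to its own
        # challenge. Replaying it against the file server's challenge fails.
        return self.file_server.write_export(user, lambda c: proof)

    def basic(self, user: str, password: bytes) -> str:
        key = derive_key(password)  # the web server now holds the secret
        if not hmac.compare_digest(key, ACCOUNTS[user]):
            raise PermissionError("logon failed")
        # Holding the secret, it can answer any server's challenge as the user.
        return self.file_server.write_export(user, lambda c: respond(key, c))
```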

