| Author |
ACCESS DENIED NT AUTHORITY\NETWORK SERVICE
|
|
| Malcolm 2004-04-21, 4:34 am |
| Sorry for the double posting but just realised there's a specific news group for IIS
Security issues..
----------
I've recently upgraded from 2000 Server to 2003 Server and
I'm trying to track down why one particular application is
not working fully. It is not displaying one particular
web page properly and I suspect that the problem is
security related. I ran the app with FileMon in the
background and at the point that it fails I get the
following message in its log.
TIME: 22:44:01
PROCESS: w3wp.exe:308
REQUEST: IRP_MJ_CREATE
PATH: C:\Program Files\WorkgroupMail\Data\tmp\tmpF7F.tmp
REASON: ACCESS DENIED NT AUTHORITY\NETWORK SERVICE
To try to eliminate the problem I opened secrity right up
for the app user but I still have the problem. Can anyone
suggest what I should try next?
TIA
Malcolm
----------
| |
| Ken Schaefer 2004-04-21, 6:34 am |
| NT AUTHORITY\Network Service is the default process identity for the
w3wp.exe worker processes under IIS 6.0
To see if this is a permissions problem give the IIS_WPG group full control
over that folder (maybe from Data\ downwards)
Cheers
Ken
"Malcolm" <malcolm@*nospam*surgenor.net> wrote in message
news:27bc80l4eg09n6le6scd610e3s38b8rco9@
4ax.com...
: Sorry for the double posting but just realised there's a specific news
group for IIS
: Security issues..
:
: ----------
: I've recently upgraded from 2000 Server to 2003 Server and
: I'm trying to track down why one particular application is
: not working fully. It is not displaying one particular
: web page properly and I suspect that the problem is
: security related. I ran the app with FileMon in the
: background and at the point that it fails I get the
: following message in its log.
:
: TIME: 22:44:01
: PROCESS: w3wp.exe:308
: REQUEST: IRP_MJ_CREATE
: PATH: C:\Program Files\WorkgroupMail\Data\tmp\tmpF7F.tmp
: REASON: ACCESS DENIED NT AUTHORITY\NETWORK SERVICE
:
: To try to eliminate the problem I opened secrity right up
: for the app user but I still have the problem. Can anyone
: suggest what I should try next?
:
: TIA
:
: Malcolm
: ----------
| |
| Paul Lynch 2004-04-21, 6:34 am |
| On Wed, 21 Apr 2004 09:15:58 +0100, Malcolm
<malcolm@*nospam*surgenor.net> wrote:
>Sorry for the double posting but just realised there's a specific news group for IIS
>Security issues..
>
>----------
>I've recently upgraded from 2000 Server to 2003 Server and
>I'm trying to track down why one particular application is
>not working fully. It is not displaying one particular
>web page properly and I suspect that the problem is
>security related. I ran the app with FileMon in the
>background and at the point that it fails I get the
>following message in its log.
>
>TIME: 22:44:01
>PROCESS: w3wp.exe:308
>REQUEST: IRP_MJ_CREATE
>PATH: C:\Program Files\WorkgroupMail\Data\tmp\tmpF7F.tmp
>REASON: ACCESS DENIED NT AUTHORITY\NETWORK SERVICE
>
>To try to eliminate the problem I opened secrity right up
>for the app user but I still have the problem. Can anyone
>suggest what I should try next?
>
>TIA
>
>Malcolm
>----------
Malcolm,
I would suggest using Filemon to check that you really have resolved
your permissions issues :
http://www.sysinternals.com/ntw2k/source/filemon.shtml
Regards,
Paul Lynch
MCSE
| |
| Malcolm 2004-04-21, 9:36 am |
|
Thanks Ken. That seems to have worked - but what have I done and is that the final
solution? :-) Is it okay to leave it like that or should I narrow the permissions down?
Malcolm
On Wed, 21 Apr 2004 20:18:59 +1000, "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote:
>NT AUTHORITY\Network Service is the default process identity for the
>w3wp.exe worker processes under IIS 6.0
>
>To see if this is a permissions problem give the IIS_WPG group full control
>over that folder (maybe from Data\ downwards)
>
>Cheers
>Ken
| |
| Ken Schaefer 2004-04-21, 10:36 am |
| I'm not sure what your application does - so I don't know exactly what
folders you need to give permissions to. I just based it on the fact that
the "data" folder contained a "tmp" folder, which implies that's where
temporary working files should go.
You may not need Full Control - maybe only "Change" or similar. However, I
would give this right to the IIS_WPG group. All user accounts that can be
used as process identities for Web App Pools are/should be placed into this
group (that's why it's called the IIS_WPG for Worker Process Group). So
LocalSystem, Network Service, Local Service etc are in there.
Cheers
Ken
"Malcolm" <malcolm@*nospam*surgenor.net> wrote in message
news:91tc801o14mufttedpic180rfi4oibuss3@
4ax.com...
:
: Thanks Ken. That seems to have worked - but what have I done and is that
the final
: solution? :-) Is it okay to leave it like that or should I narrow the
permissions down?
:
: Malcolm
:
: On Wed, 21 Apr 2004 20:18:59 +1000, "Ken Schaefer"
<kenREMOVE@THISadOpenStatic.com> wrote:
:
: >NT AUTHORITY\Network Service is the default process identity for the
: >w3wp.exe worker processes under IIS 6.0
: >
: >To see if this is a permissions problem give the IIS_WPG group full
control
: >over that folder (maybe from Data\ downwards)
: >
: >Cheers
: >Ken
:
|
|
|
|