Permission Denied when writing text file from ASP Site
| GregRoberts 2005-04-25, 5:53 pm |
| We currently have a custom ASP front end application for our SQL 2000
database. The ASP is running on a Windows 2000 Advanced Server with SP-4 and
IIS 5. The ASP files are physically located on the IIS server. The export
files must be written to a file server in the domain.
Configuration:
Domain
|- IIS Server
|  |- ASP Web Site (C:\wwwroot)
|
|- File Server
   |- Export Share
The application requires Anonymous Authentication be disabled, and ONLY
Windows Integrated Authentication be enabled. The application requires the NT
UserID for internal security and feature sets. Different departments have
different permissions and modules available.
Permissions on the export share allow Full Control to Authenticated Users.
Everyone does not have permission to the share. (That's an issue to take up
with the network admin.)
When the user selects the export function the following error is displayed.
Error Type:
Microsoft VBScript runtime (0x800A0046)
Permission denied
/{ModuleDir}/{ExportModule}.asp, line 436
| |
| GregRoberts 2005-04-25, 5:53 pm |
| Additional Information:
The export file is a text file created and written using fso.
| |
| David Wang [Msft] 2005-04-26, 2:49 am |
| This is a classic "double hop" scenario.

With IIS5, you must set up and configure Kerberos to be used everywhere as
well as configure delegation in order to do this. Otherwise, it is not
possible with Integrated Authentication. On IIS6, you do not need to use
Kerberos to authenticate with the client, but the servers must have Kerberos
configured and have delegation enabled.

This is for security reasons. Just because someone can use Integrated
Authentication to log in to the web server, it does NOT mean the web server
can re-use that identity to write a file to another server. Why? Let me use
another example. Suppose you authenticate to a web server. Do you allow the
web server to use your credentials to withdraw money from your bank account?

For example, your scenario will work the way you want if you change
Integrated authentication to Basic authentication. This is because Basic
authentication is insecure and implicitly delegates authority. Integrated
authentication does not do this without explicit configuration.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
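The Kerberos and delegation prerequisites named in the reply above can be audited from PowerShell on a current domain. This is an added example, not part of the thread: it assumes the ActiveDirectory module is installed and that the site runs under a built-in identity, so the web server's computer account holds the SPNs and delegation settings; the host and user names in the usage comment are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module; all names passed in are placeholders.
Import-Module ActiveDirectory

function Test-DoubleHopReadiness {
    param(
        [Parameter(Mandatory)] [string] $WebServer,   # IIS host (computer account name)
        [Parameter(Mandatory)] [string] $FileServer,  # host of the export share
        [Parameter(Mandatory)] [string] $UserName     # a user who sees "Permission denied"
    )

    $web  = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation,
                TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalName
    $user = Get-ADUser -Identity $UserName -Properties AccountNotDelegated

    # Constrained delegation lists the exact services the web server may reach as the user.
    $pattern = '^cifs/{0}(\.|$)' -f [regex]::Escape($FileServer)
    $cifs    = @($web.'msDS-AllowedToDelegateTo') | Where-Object { $_ -match $pattern }

    $verdict = if ($user.AccountNotDelegated) {
        'Blocked: the user account is marked sensitive and cannot be delegated.'
    } elseif ($cifs) {
        'Ready: delegation is constrained to the file server CIFS service.'
    } elseif ($web.TrustedForDelegation) {
        'Works, but unconstrained: the web server can act as the user to any service.'
    } else {
        'Not configured: the second hop arrives without the user identity and is denied.'
    }

    [pscustomobject]@{
        WebServer          = $web.Name
        # Browsers request a ticket for HTTP/<name>; HOST/<name> also satisfies it.
        HttpOrHostSpns     = @($web.ServicePrincipalName | Where-Object { $_ -match '^(HTTP|HOST)/' })
        Unconstrained      = [bool]$web.TrustedForDelegation
        ConstrainedToCifs  = [bool]$cifs
        # Needed when the browser did not authenticate to the site with Kerberos.
        ProtocolTransition = [bool]$web.TrustedToAuthForDelegation
        UserSensitive      = [bool]$user.AccountNotDelegated
        Verdict            = $verdict
    }
}

# Usage (placeholder names):
# Test-DoubleHopReadiness -WebServer WEB01 -FileServer FILE01 -UserName jdoe
```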