 |
BOOK: Beginning ASP.NET 1.1
 | This is the forum to discuss the Wrox book Beginning ASP.NET 1.1 with Visual C#.NET 2003 by Chris Ullman, John Kauffman, Chris Hart, Dave Sussman, Daniel Maharry; ISBN: 9780764557088 |
|
Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: Beginning ASP.NET 1.1 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
|
|
|
|
|
August 15th, 2005, 11:20 PM
|
|
Authorized User
|
|
Join Date: Jun 2004
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Queston For Imar re: IIS Permissions
Hi Imar,
Your article on IIS permissions relating to the Chapter 9 scripts was very informative. However, Iâd like to throw another wrinkle into it.
In addition to testing my scripts on my local machine via WebMatrix, Iâm also testing them on my Win2k3 server, running IIS 6.0. Iâm experiencing errors when I try to execute UpdateDatabase.aspx and CommandExecute.aspx. They both work fine when I run them on the local ASP.NET server.
The default web site on the Win2k3/IIS 6 server is set to enable anonymous access, the account is IUSR_myservername, and the password was set by default when I installed IIS. I believe the errors are probably due to a similar IIS permissions issue, but I am not entirely sure what settings to change. So far, Iâve gone to the folder where the database resides, and added the IUSR_account to the security settings, and added the Write permission to that account, but it still doesnât seem to be working.
Do I need to provide the User ID and Password arguments in the connection string, or am I missing something else?
|
|
August 17th, 2005, 10:49 PM
|
|
Authorized User
|
|
Join Date: Jun 2004
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Hi Imar,
Thanks for the extra boost. I got it working. I'd already added the IUSR_account to the folder where the database was located and given it the write permission, but adding the <identity impersonate="true" /> tag to my web.config file is what finally fixed it.
A few observations, which you're probably already aware of, but others may find of interest:
1. In Server2K3 with .NET Framework 1.1, the .config files are located in:
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4xxx\CONFI G
Your "4xxx" may vary. On my system, it's "4322".
2. Among other files in this directory, there is a machine.config, a security.config, and four web.configs, called web_hightrust, web_lowtrust, web_mediumtrust, and web_minimaltrust, each of which has an accompanying .config.default file.
3. In machine.config there is a <system.web> tag, within a <location> tag, where security policy is set, which looks like this:
<location allowOveride="true">
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal" />
<trustLevel name="High" policyFile="web_hightrust.config" />
<trustLevel name="Medium" policyFile="web_mediumtrust.config" />
<trustLevel name="Low" policyFile="web_lowtrust.config" />
<trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
</securityPolicy>
<trust level="Full" originUrl="" />
</system.web>
</location>
There is not a setting in Windows Explorer | Tools | Folder Options | View which allows Simple File Sharing to be turned on or off. I suspect this is because the server is set up to run file services, which means that I must turn sharing on or off for specific directories. Therefore the machine.config file appears to be the only place where I can set the trust level for Application Protection. For the time being I've left it at the default setting "Full" just because I'd rather not monkey with it if I don't have to.
4. The machine.config file has another <system.web> tag with an <identity> tag, where impersonate="False" is set by default. I originally edited this to change it to "True" and that's what got my apps to finally update the database. Ultimately, however, I changed this back to "False" and simply created the following web.config file:
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
</configuration>
For the purposes of working through this book, I created a subdirectory inside my Default Web Site called WROXASP, and inside that directory are separate directories called, CH01, CH02, etc., which is where I load the .aspx files. Placing my custom web.config file in the WROXASP directory appears to make the setting apply to all folders and files within this directory. Note that allowOveride is set to "true" back in the machine.config file.
PS Too bad you have to get all the way up to Chapter 15 to read about how .config files really work on the server! And there doesn't appear to be anything I've seen in the book so far that addresses the issue in this posted topic.
In any event, thanks again for the help and I hope this additional information is of some use to someone.
|
|
August 18th, 2005, 12:38 AM
|
 |
Wrox Author
|
|
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
|
|
On a Server 2003 machine, ASP.NET runs under the Network Service account. You should have given that account the required permissions.
By using the impersonate="true" option, your application runs under an impersonated user. This is not always what you want. For example, if you access the site in IIS on your local machine, chances are you have "Auto logon to Intranet Zone" on by default. This means the browser runs as you, which in turn means the entire application runs as you.
When your website is configured for anonymous access you don't log in, but IIS will use the IUSR account to run the application.
The ASPNET (Win 2K and XP) and Network Service (Win 2003) are designed specifically for running ASP.NET applications.
IMO, it's often easier / better to set the security permissions for the Network Service account and not use impersonation.
I think it makes sense that simple sharing is not available on Win 2003. This feature allows Windows XP users to quickly share stuff with relaxed security settings. This options doesn't make sense on Win 2003 as it's supposed to be a secure server OS. Therefore, if you have NTFS disks, the Security tab is always there. Not sure where you were referring to (e.g. the book or my article), but the article mentions XP specifically.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
|
|
August 18th, 2005, 09:27 AM
|
|
Authorized User
|
|
Join Date: Jun 2004
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Quote:
quote:Originally posted by Imar
On a Server 2003 machine, ASP.NET runs under the Network Service account. You should have given that account the required permissions.
[snip]
IMO, it's often easier / better to set the security permissions for the Network Service account and not use impersonation.
|
Hmmm...I'm pretty sure I tried this solution first and it didn't work, but I'll try it again just to be sure and report back.
|
|
August 18th, 2005, 07:19 PM
|
|
Authorized User
|
|
Join Date: Jun 2004
Posts: 18
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Quote:
quote:Originally posted by bonehead
Quote:
|
quote:Originally posted by Imar
|
Quote:
On a Server 2003 machine, ASP.NET runs under the Network Service account. You should have given that account the required permissions.
[snip]
IMO, it's often easier / better to set the security permissions for the Network Service account and not use impersonation.
|
Hmmm...I'm pretty sure I tried this solution first and it didn't work, but I'll try it again just to be sure and report back.
|
Thanks again! Got it working!
|
|
August 19th, 2005, 12:51 AM
|
|
Wrox Author
|
|
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
|
|
Great. Glad it all worked out...
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
|
|
|
