Wrox Programmer Forums

You are currently viewing the .NET Framework 2.0 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old April 11th, 2008, 03:28 AM
401.3 Access denied due to Access Control List

Hi All,

I can't figure this out.

Here's the setup:

Windows 2003 Server IIS 6
IIS is set up for integrated windows authentication only
Separate Application Pool running under "Network Service" account
The following settings are set up in the web.config for the app:

Code:
    <authentication mode="Windows"  />
    <identity impersonate="false" userName="" password="" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
    <customErrors mode="Off"/>

    <authorization>
      <allow users="*"/>
      <deny users="?"/>
    </authorization>


I browse to the site in IE7. IE7 prompts 3 times for me to authenticate. I do, each time with a network user account and its correct password.

Then IE7 gives me this error after the third time:
Quote:
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.

Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\Inetpub\CFTest\default.aspx'.
However, the "Network Service" account has Read & Execute on the folder where the .aspx is installed.

I thought that the app would be requesting files as "Network Service" account not as the logged in user. (due to the identity impersonate="false" and all)

Am I wrong?

How do I set it up so I only need to set ACLs for Network Service account (or whatever account the process is running under) instead of the actual authenticated user?

Or perhaps I don't have adequate permissions for the "Network Service" account? What permissions do I need and where do I need them (if it's other than the web application's main folder and its contents)?

Thanks for any help/clarification...

-Charles


 
Old April 11th, 2008, 04:03 AM

The best solution for this problem would be to create a Windows Security Group, and assign all the users who should have access to the web site to this group. Then you simply assign access to the files to this group. If you somehow got ASP.Net to impersonate the Network Service user this would be a terrible security risk, as any user who could authenticate to your server (even guest users) would then have the elevated privilege of the Network Service user.

/- Sam Judson : Wrox Technical Editor -/
 
Old April 11th, 2008, 06:54 AM

If you have this:

<allow users="*"/>

Doesn't that allow all users? Isn't any authentication setting irrelevant then?

Is your goal to allow anonymous access to the site? If not, please tell us what it is. I can't get a clear understanding of the overall objective from what has been provided.

Regarding the failed login: is the server part of the domain that owns the login you were trying?

-Peter
peterlanoie.blog
 
Old April 11th, 2008, 04:23 PM

Thanks for your posts guys.

Maybe I’m misreading something?
Quote:
Windows authentication without impersonation. This is the default setting. ASP.NET performs operations and accesses resources by using your application's process identity, which by default is the Network Service account on Windows Server 2003.
Source: http://msdn2.microsoft.com/en-us/library/ms998358.aspx

The Network Service account has read & execute permissions on the folder and aspx page.

Yet, non-administrative users still receive the following error:

401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists)


I am using Windows Server 2003

The site is configured for “Integrated Windows Authentication” only (in IIS).


The web.config file contains this line…

<authentication mode="Windows" />

See: http://msdn2.microsoft.com/en-us/library/aa291347.aspx


The web.config file contains this line…

<identity impersonate="false" />

Which, I am assuming, explicitly disables impersonation (even though that is the default behavior).

See: http://msdn2.microsoft.com/en-us/lib...c5(VS.71).aspx


In the authorization section of the web.config I have this:

<authorization>
   <allow users="*"/>
   <deny users="?"/>
</authorization>

See: http://msdn2.microsoft.com/en-us/lib...cd(VS.80).aspx
Quote:
“A question mark (?) denies anonymous users and an asterisk (*) indicates that all user accounts are denied access.”
So, I am assuming by adding that I am allowing all AUTHENTICATED users but no anonymous, or “guest” users.

Furthermore, I wrote code to output the current windows identity being used by the application…

Code:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
When I run that code as an administrator, it returns the following value: “NT AUTHORITY\NETWORK SERVICE”

So, why am I seeing behavior that contradicts what has been stated by Microsoft?



 
Old April 12th, 2008, 03:30 PM

IIS verifies that the user has permission to run the file (e.g. WebPage.aspx) before the actual processing of that web page is run over to the ASP.Net worker process.

So you will need to do like I said. Either give everyone access to those files (read only should do) or create a security group and manually restrict access to the files that way.

/- Sam Judson : Wrox Technical Editor -/
 
Old April 13th, 2008, 01:32 AM

Thank you very much for the straight answer.

They really need to make that very important fact known in all those Microsoft Articles I read on the subject of authentication and authorization.

Sequence of events: (as I understand it now)
  • First, since IIS is set up for windows integrated authentication it requests authentication from the web browser
  • The web browser (IE7) responds with a security token (hash)
  • IIS uses that token to check permissions on the file the user is attempting to access (in our case an aspx page)
  • If the account has access to execute that file, the file is executed and the code runs
  • Once the code is running, then the "Network Service" account is used for subsequent resource access in code. Such as getting data from a SQL server.
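
The sequence above as a small Python model, added here as an illustration and not code from the thread or from Microsoft: a file ACL check against the authenticated caller, then ASP.NET's ordered authorization rules (first match wins), then page code running under the process identity. The account names, the EXAMPLE\WebUsers group and the ACL contents are constructed for the example.

```python
# Added example: simplified model of the checks discussed in this thread.
# Account names, the EXAMPLE\WebUsers group and ACL contents are constructed.
ANONYMOUS = ""  # an unauthenticated caller, matched by "?" in web.config

def url_authorization(rules, user):
    """ASP.NET <authorization>: rules are read top to bottom, first match wins."""
    for verb, pattern in rules:
        if (pattern == "*"
                or (pattern == "?" and user == ANONYMOUS)
                or pattern.lower() == user.lower()):
            return verb == "allow"
    return True  # the machine-level default ends with <allow users="*"/>

def file_acl_allows(acl, user, groups):
    """Simplified NTFS check (allow entries only): the caller or one of the
    caller's groups must hold Read & Execute on the requested file."""
    principals = {user.lower()} | {g.lower() for g in groups}
    return any(entry.lower() in principals for entry in acl)

def handle_request(user, groups, acl, rules, process_identity, impersonate=False):
    """Return (status, identity the page code runs as)."""
    if not file_acl_allows(acl, user, groups):
        return ("401.3", None)  # refused before any page code runs
    if not url_authorization(rules, user):
        return ("401", None)
    return ("200", user if impersonate else process_identity)

NETWORK_SERVICE = "NT AUTHORITY\\NETWORK SERVICE"
THREAD_RULES = [("allow", "*"), ("deny", "?")]     # order posted in the thread
REORDERED_RULES = [("deny", "?"), ("allow", "*")]  # anonymous rejected first
ACL_ORIGINAL = [NETWORK_SERVICE, "BUILTIN\\Administrators"]
ACL_WITH_GROUP = ACL_ORIGINAL + ["EXAMPLE\\WebUsers"]

if __name__ == "__main__":
    alice = "EXAMPLE\\alice"
    # Only the process account is on the ACL: the caller is refused.
    print(handle_request(alice, [], ACL_ORIGINAL, THREAD_RULES, NETWORK_SERVICE))
    # Caller's group granted Read & Execute: code runs as the process account.
    print(handle_request(alice, ["EXAMPLE\\WebUsers"], ACL_WITH_GROUP,
                         THREAD_RULES, NETWORK_SERVICE))
    # Rule order decides whether "?" (anonymous) is ever reached.
    print(url_authorization(THREAD_RULES, ANONYMOUS),
          url_authorization(REORDERED_RULES, ANONYMOUS))
```

With the rule order posted in the thread, `<allow users="*"/>` matches every caller first, so the `<deny users="?"/>` line is never evaluated; anonymous callers are kept out only because IIS is set to Integrated Windows Authentication.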

 
Old May 7th, 2008, 09:45 AM

I am struggling with this same issue. Is there any additional information that may be helpful to my situation?

Getting the 401.3 error. When I put the user in the Admin group it works, but when I take the user out of the Admin group no luck. I have set permissions on the Reports folders through IIS and verified the NTFS permissions as well.

 
Old May 7th, 2008, 08:50 PM

tfishb,

From what I've learned, before any code is executed, IIS must first authorize the user to access the file based on ACLs set on that file (usually inherited from parent folder).

In other words, it doesn't matter how you configure your asp.net application because your application code hasn't executed yet at this point.

If you enabled only Windows Integrated security in IIS, then you need to make sure that user has access to Read & Execute the files you wish him to use in your web site. (in the root folder)

If you allow anonymous access then you need to grant the IUSR_<machine> account those same Read & Execute permissions.

But realize that this is just for IIS.

ASP.Net has its own methods for authentication and authorization.

Based on those settings, you'll also need to apply ACL permissions for the account running the ASP.Net worker process.

By default, this is the "Network Service" account on Win2003. On Win2000 this is the "ASPNet" account.

Note, however, that you can enable impersonation. In which case, your worker process would execute using the security token of the user authenticated through the web browser. However, this configuration too comes with caveats, because of delegation issues and that dreaded "double hop" issue.

Unfortunately, my efforts of trying to find a clear official document describing any of this behavior went unrewarded.

I'm about ready to write my own whitepaper on it. If only I had the time.

Hope I've helped.

Regards,
Charles

 
Old May 28th, 2009, 01:56 PM
I found the answer

I am on Vista Ultimate using IIS 7 and I added the IUSR to the ACL for the directory I am pointing to and this fixed the issue.




