Wrox Programmer Forums

.NET Framework 2.0 For discussion of the Microsoft .NET Framework 2.0.

#1
April 11th, 2008, 03:28 AM
Authorized User
Join Date: Oct 2007
Location: Everett, WA, USA.
Posts: 13
Thanks: 0
Thanked 0 Times in 0 Posts

401.3 Access denied due to Access Control List

Hi All,

I can't figure this out.

Here's the setup:

Windows 2003 Server IIS 6
IIS is set up for integrated windows authentication only
Separate Application Pool running under "Network Service" account
The following settings are set up in the web.config for the app:

Code:
    <authentication mode="Windows"  />
    <identity impersonate="false" userName="" password="" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
    <customErrors mode="Off"/>

    <authorization>
      <allow users="*"/>
      <deny users="?"/>
    </authorization>


I browse to the site in IE7. IE7 prompts 3 times for me to authenticate. I do, each time with a network user account and its correct password.

Then IE7 gives me this error after the third time:
Quote:
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.

Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\Inetpub\CFTest\default.aspx'.

However, the "Network Service" account has Read & Execute on the folder where the .aspx is installed.

I thought that the app would be requesting files as the "Network Service" account, not as the logged-in user (due to the identity impersonate="false" and all).

Am I wrong?

How do I set it up so I only need to set ACLs for the Network Service account (or whatever account the process is running under) instead of the actual authenticated user?

Or perhaps I don't have adequate permissions for the "Network Service" account? What permissions do I need and where do I need them (if it's other than the web application's main folder and its contents)?

Thanks for any help/clarification...

-Charles


#2
April 11th, 2008, 04:03 AM
samjudson
Friend of Wrox
Points: 8,687, Level: 40
Activity: 0%
Join Date: Aug 2007
Location: Newcastle, United Kingdom.
Posts: 2,128
Thanks: 1
Thanked 189 Times in 188 Posts

The best solution for this problem would be to create a Windows Security Group, and assign all the users who should have access to the web site to this group. Then you simply assign access to the files to this group. If you somehow got ASP.Net to impersonate the Network Service user this would be a terrible security risk, as any user who could authenticate to your server (even guest users) would then have the elevated privilege of the Network Service user.

/- Sam Judson : Wrox Technical Editor -/

#3
April 11th, 2008, 06:54 AM
planoie
Friend of Wrox
Points: 16,481, Level: 55
Activity: 0%
Join Date: Aug 2003
Location: Clifton Park, New York, USA.
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

If you have this:

<allow users="*"/>

Doesn't that allow all users? Isn't any authentication setting irrelevant then?

Is your goal to allow anonymous access to the site? If not, please tell us what it is. I can't get a clear understanding of the overall objective from what has been provided.

Regarding the failed login: is the server part of the domain that owns the login you were trying?

-Peter
peterlanoie.blog

#4
April 11th, 2008, 04:23 PM
Authorized User
Join Date: Oct 2007
Location: Everett, WA, USA.
Posts: 13
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks for your posts guys.

Maybe I’m misreading something?
Quote:
Windows authentication without impersonation. This is the default setting. ASP.NET performs operations and accesses resources by using your application's process identity, which by default is the Network Service account on Windows Server 2003.
Source: http://msdn2.microsoft.com/en-us/library/ms998358.aspx

The Network Service account has read & execute permissions on the folder and aspx page.

Yet, non-administrative users still receive the following error:

401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists)


I am using Windows Server 2003

The site is configured for “Integrated Windows Authentication” only (in IIS).


The web.config file contains this line…

<authentication mode="Windows" />

See: http://msdn2.microsoft.com/en-us/library/aa291347.aspx


The web.config file contains this line…

<identity impersonate="false" />

Which, I am assuming, explicitly disables impersonation (even though that is the default behavior).

See: http://msdn2.microsoft.com/en-us/lib...c5(VS.71).aspx


In the authorization section of the web.config I have this:

<authorization>
   <allow users="*"/>
   <deny users="?"/>
</authorization>

See: http://msdn2.microsoft.com/en-us/lib...cd(VS.80).aspx
Quote:
“A question mark (?) denies anonymous users and an asterisk (*) indicates that all user accounts are denied access.”

So, I am assuming by adding that I am allowing all AUTHENTICATED users but no anonymous, or “guest” users.

Furthermore, I wrote code to output the current windows identity being used by the application…

Code:
    System.Security.Principal.WindowsIdentity.GetCurrent().Name

When I run that code as an administrator, it returns the following value: “NT AUTHORITY\NETWORK SERVICE”

So, why am I seeing behavior that contradicts what has been stated by Microsoft?



#5
April 12th, 2008, 03:30 PM
samjudson
Friend of Wrox
Points: 8,687, Level: 40
Activity: 0%
Join Date: Aug 2007
Location: Newcastle, United Kingdom.
Posts: 2,128
Thanks: 1
Thanked 189 Times in 188 Posts

IIS verifies that the user has permission to run the file (e.g. WebPage.aspx) before the actual processing of that web page is run over to the ASP.Net worker process.

So you will need to do like I said. Either give everyone access to those files (read only should do) or create a security group and manually restrict access to the files that way.

/- Sam Judson : Wrox Technical Editor -/

#6
April 13th, 2008, 01:32 AM
Authorized User
Join Date: Oct 2007
Location: Everett, WA, USA.
Posts: 13
Thanks: 0
Thanked 0 Times in 0 Posts

Thank you very much for the straight answer.

They really need to make that very important fact known in all those Microsoft Articles I read on the subject of authentication and authorization.

Sequence of events: (as I understand it now)
  • First, since IIS is set up for windows integrated authentication it requests authentication from the web browser
  • The web browser (IE7) responds with a security token (hash)
  • IIS uses that token to check permissions on the file the user is attempting to access (in our case an aspx page)
  • If the account has access to execute that file, the file is executed and the code runs
  • Once the code is running, then the "Network Service" account is used for subsequent resource access in code. Such as getting data from a SQL server.

#7
May 7th, 2008, 09:45 AM
Registered User
Join Date: May 2008
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts

I am struggling with this same issue. Is there any additional information that may be helpful to my situation?

Getting the 401.3 error. When I put the user in the Admin group it works, but when I take the user out of the Admin group no luck. I have set permissions on the Reports folders through IIS and verified the NTFS permissions as well.

#8
May 7th, 2008, 08:50 PM
Authorized User
Join Date: Oct 2007
Location: Everett, WA, USA.
Posts: 13
Thanks: 0
Thanked 0 Times in 0 Posts

tfishb,

From what I've learned, before any code is executed, IIS must first authorize the user to access the file based on ACLs set on that file (usually inherited from the parent folder).

In other words, it doesn't matter how you configure your asp.net application because your application code hasn't executed yet at this point.

If you enabled only Windows Integrated security in IIS, then you need to make sure that user has access to Read & Execute the files you wish him to use in your web site. (in the root folder)

If you allow anonymous access then you need to grant the IUSR_<machine> account those same Read & Execute permissions.

But realize that this is just for IIS.

ASP.Net has its own methods for authentication and authorization.

Based on those settings, you'll also need to apply ACL permissions for the account running the ASP.Net worker process.

By default, this is the "Network Service" account on Win2003. On Win2000 this is the "ASPNet" account.

Note, however, that you can enable impersonation. In which case, your worker process would execute using the security token of the user authenticated through the web browser. However, this configuration too comes with caveats, because of delegation issues and that dreaded "double hop" issue.

Unfortunately, my efforts of trying to find a clear official document describing any of this behavior went unrewarded.

I'm about ready to write my own whitepaper on it. If only I had the time.

Hope I've helped.

Regards,
Charles
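
The two checks this thread describes, as an added example that is not part of any post: a hypothetical handler named AclCheck evaluates the ACL of the file named in the 401.3 message against both the identity IIS authenticated and the worker process identity. It assumes the handler file itself is readable by the user being tested and that the process account can read the target's ACL; the evaluation is an approximation (a matching Deny wins, otherwise Allow rules must cover Read & Execute), not Windows' own access check.

```csharp
// AclCheck.ashx (hypothetical name): <%@ WebHandler Language="C#" Class="AclCheck" %>
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Web;

public class AclCheck : IHttpHandler
{
    // Path quoted in the 401.3 message in post #1.
    const string Target = @"C:\Inetpub\CFTest\default.aspx";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";
        // Token IIS obtained from Integrated Windows Authentication.
        Report(ctx, "Authenticated caller", ctx.Request.LogonUserIdentity);
        // Identity the code runs as when impersonate="false".
        Report(ctx, "Worker process", WindowsIdentity.GetCurrent());
    }

    static void Report(HttpContext ctx, string label, WindowsIdentity id)
    {
        string verdict = HasReadExecute(Target, id)
            ? "Read & Execute granted"
            : "Read & Execute NOT granted (IIS would answer 401.3)";
        ctx.Response.Write(label + ": " + id.Name + " -> " + verdict + "\r\n");
    }

    // Approximate NTFS evaluation over the user's SID and group SIDs.
    static bool HasReadExecute(string path, WindowsIdentity id)
    {
        const FileSystemRights Needed = FileSystemRights.ReadAndExecute;
        FileSystemRights allowed = 0;
        FileSecurity acl = File.GetAccessControl(path, AccessControlSections.Access);
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference;
            if (!sid.Equals(id.User) && !id.Groups.Contains(sid)) continue;
            if (rule.AccessControlType == AccessControlType.Deny)
            {
                if ((rule.FileSystemRights & Needed) != 0) return false;
            }
            else allowed |= rule.FileSystemRights;
        }
        return (allowed & Needed) == Needed;
    }
}
```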

#9
May 28th, 2009, 01:56 PM
Registered User
Join Date: May 2009
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts

I found the answer

I am on Vista Ultimate using IIS 7 and I added the IUSR to the ACL for the directory I am pointing to and this fixed the issue.