Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Web Services / February 2005

Tip: Looking for answers? Try searching our database.

webservice permissions

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Daniel Wilson - 04 Feb 2005 20:21 GMT
I have a client who is trying to deploy a webservice I wrote. The web
service reads a file on a file server and delivers information about it. The
file needs to be inaccessible to the user of the webservice because it is
intellectual property.

This sounds easy. Just give the IUsr account on the web server, a 2003
server running IIS6, read rights to the files on the file server. Since no
HTTP path will get to the file server, the user can't steal the file.

Unfortunately, the service returns the error
Access to the path "\\FS1\Share\Designs\" is denied.

The Everyone group has rights to the share as well as the Designs folder.
But this happens.

I suggested running the virtual directory under which the web service ran
under a domain account, not the local IUSR.  The client reported that the
webservice page would not load at all under that configuration.

What are we doing wrong?

Thanks.

Signature

Daniel Wilson
Senior Software Solutions Developer
Embtrak Development Team
http://www.Embtrak.com
DVBrown Company

Reply to this Message
Ken Schaefer - 05 Feb 2005 04:01 GMT
a) IUSR_<machinename> is a *local* account. You can't assign it permissions
to remote resources

b) If this is a .NET app, then your code probably isn't running under
IUSR_<machinename> anyway, but rather the process identity for the worker
process (w3wp.exe) that's services your web app

c) If you want to use a custom account for a web app pool identity, then
place that account into the IIS_WPG group on the IIS server (at the very
least), so that it has the necessary permissions to run. If that still
doesn't work, consult this KB article here, to see if anything else is
missing: http://support.microsoft.com/?kbid=812614

Hope that helps

Cheers
Ken

>I have a client who is trying to deploy a webservice I wrote. The web
> service reads a file on a file server and delivers information about it.
[quoted text clipped - 19 lines]
>
> Thanks.
Reply to this Message
Daniel Wilson - 07 Feb 2005 22:47 GMT
Thanks for the suggestions.  They've tried those ideas today ... to no
avail.

Any more ideas?

Thanks.

dwilson
> a) IUSR_<machinename> is a *local* account. You can't assign it permissions
> to remote resources
[quoted text clipped - 37 lines]
> >
> > Thanks.
Reply to this Message
SQLScott - 09 Feb 2005 15:47 GMT
Daniel,

You need pass credentials to the web service that have access to the share.  
For example:

ws = New csiaigws.csiaighooks

Dim cache As New CredentialCache

cache.Add(New Uri("http://localhost/CSIAIGWS/"), "negotiate", New
NetworkCredential("domainuser", "password", "domain"))

ws.Credentials = cache

The credentials that you use in the Cache.Add this way you don't have to
mess with IUSR or anything else.

Let me know if you have any questions about this.  HOpe this helps...

Scott

> Thanks for the suggestions.  They've tried those ideas today ... to no
> avail.
[quoted text clipped - 51 lines]
> > >
> > > Thanks.
Reply to this Message
Daniel Wilson - 09 Feb 2005 16:54 GMT
Thanks, Scott. We just got it working another way as I'll detail in another
branch of this thread. This way might have been easier though.

dwilson

> Daniel,
>
[quoted text clipped - 72 lines]
> > > >
> > > > Thanks.
Reply to this Message
Daniel Wilson - 09 Feb 2005 16:50 GMT
Thanks for the help, Ken. Your point B contained the key, though I missed it
at first.  Here are the steps that got it working for us.

The network admin created a domain user named "Browser".

I added the user to the local IIS_WPG group.

I created a new application pool and set it to run under the Browser
identity.

I set the LogoBrowser application to run in that new application pool.

Finally, I gave Browser full control of Windows\Temp.  See
http://www.error-bank.com/microsoft.public.dotnet.framework.webservices/9ZANb.57
609$G04.12433880@news4.srv.hcvlny.cv.net_Thread.aspx

dwilson

> a) IUSR_<machinename> is a *local* account. You can't assign it permissions
> to remote resources
[quoted text clipped - 37 lines]
> >
> > Thanks.
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.