I have an MVC web application that generates Excel and PDF reports (using Crystal) from .xlt and .rpt templates. It generates the reports without a glitch when I place the templates on the web server itself, but once I place the templates in a remote location I get an Access Denied error, which I found through Process Monitor (screenshot below).

[Process Monitor screenshot]

When I manually browse the remote folder through Explorer from the server it's all OK and I can open the files I needed; it only fires the access denied error when it's the server reading the files. My web application is using the ApplicationPoolIdentity in Integrated Pipeline. Authentication is through impersonation and Windows Authentication. What makes it even more confusing is that the user who runs the Excel templates is myself but I get the access denied, while the user used in generating the PDF is IIS AppPool.

Does anyone know how to resolve the access denied issue? I already tried giving all users full access on that folder but it still does not work.

ADDITIONAL INFO

I am using IIS 7.5. I also checked the Event Logs on the file server where the share is; the user registered is not me but has the following details:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
    Logon ID:       0x90eb7c7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   MYWEBSERVER
    Source Network Address: 10.10.10.01
    Source Port:        00000

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V1
    Key Length:     128

UPDATE

I need to use ApplicationPoolIdentity in this instance, so I am looking for a solution that can still use ApplicationPoolIdentity.

ANOTHER UPDATE

I tried @David's suggestion below and now I get the same error message:

System.Runtime.InteropServices.COMException (0x800A03EC): Microsoft Excel cannot access the file '\MyServer\Templates\MyTemplate.xlt'. There are several possible reasons:

• The file name or path does not exist.
• The file is being used by another program.
• The workbook you are trying to save has the same name as a currently open workbook.

   at Microsoft.Office.Interop.Excel.Workbooks.Open(String Filename, Object UpdateLinks, Object ReadOnly, Object Format, Object Password, Object WriteResPassword, Object IgnoreReadOnlyRecommended, Object Origin, Object Delimiter, Object Editable, Object Notify, Object Converter, Object AddToMru, Object Local, Object CorruptLoad)
   at Ci.Infrastructure.Reporting.ReportProviderExcel.RunReport()

Raymund
  • Why don't you first try mapping the remote location as a drive and give the correct user permission first? If it's .net it normally uses 'Network Service' permission. – user1785999 Nov 01 '12 at 15:12
  • Isn't mapping under the context of a logged in user? If I am not logged in to the web server, how would it map? – Raymund Nov 01 '12 at 20:43
  • Do you have a domain so that you can use NETWORKSERVICE to access that folder: http://www.iis.net/learn/manage/configuring-security/application-pool-identities – Andrei Drynov Dec 18 '12 at 22:13
  • @Andrei I need it to run as ApplicationPoolIdentity as I use that in the application – Raymund Dec 18 '12 at 22:28

1 Answer

I believe your problem is because the application pool needs to be configured to run either as a domain account or network service account.

If you choose the latter you'll need to grant permissions to '<domainname>\<machinename>$'; if you choose to run as a specific account, then this is the user you will need to grant permissions to.

You've already granted everyone access, so it should just be a case of changing the app pool user, but once you have it working I recommend you restrict this to the specific account.

The following link will give you more information:

http://www.iis.net/learn/manage/configuring-security/application-pool-identities

David Martin
  • Yup I am using ApplicationPoolIdentity and still have that issue above – Raymund Dec 18 '12 at 22:19
  • @Raymund, sorry, maybe I didn't make it too clear: you need to move away from ApplicationPoolIdentity and use either network service or a domain account. – David Martin Dec 18 '12 at 22:21
  • that will be an issue because I use the ApplicationPoolIdentity to identify who is using the intranet app – Raymund Dec 18 '12 at 22:27
  • Is there any workaround so I can maintain the ApplicationPoolIdentity but don't have that access denied issue? – Raymund Dec 18 '12 at 22:28
  • Changing the app pool shouldn't stop you from identifying who is using your app. HttpContext.Current.User.Identity should give you that, the network access will then be carried out on that user's behalf by the identity account. – David Martin Dec 18 '12 at 22:30
  • Ok will give it a shot and let you know – Raymund Dec 18 '12 at 22:51
  • OK I tried it but no success, it's giving me a different error now – Raymund Dec 18 '12 at 23:17
  • @Raymund the new error doesn't look related to your original issue and indicates that you are now gaining access to the file. I base this on the COM error discussed in this question - http://stackoverflow.com/questions/7099770/hresult-0x800a03ec-on-worksheet-range – David Martin Dec 18 '12 at 23:22
  • Still giving me access denied on Process Monitor – Raymund Dec 19 '12 at 00:45
  • Can you see which user is getting access denied? – David Martin Dec 19 '12 at 08:16
  • The user is me and it's funny, I am a domain admin but I still get Access Denied. Anyways thanks for helping out, I am having a nose bleed for the past couple of days because of this issue – Raymund Dec 19 '12 at 19:21
  • Is the app pool running as you? If not then I'm guessing that you have impersonation switched on, which will try and access network resources as you. Unless you have enabled delegation and are using Kerberos throughout, you will be affected by the double hop issue. http://forums.asp.net/t/1475677.aspx/1 – David Martin Dec 19 '12 at 20:35
  • That's what I am suspecting. Any links on how to enable the delegation and Kerberos would be really helpful – Raymund Dec 19 '12 at 23:05
  • Personally I would avoid giving end users permissions to network resources, but this might be your design goal. I would favour authenticating the user then allowing the identity pool user access on your behalf, however the double hop issue is described here: http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx – David Martin Dec 20 '12 at 08:42
  • The processmon screenshot at the top of your post has almost everything in the User column blurred out, except the last line which is only partially blurred: what is readable says "IIS APPPOOL\blurred again". Are you __sure__ that the APPPOOL is running as you? I'm really keying off the Event Log snapshot and its mention of Security ID: ANONYMOUS LOGON and Account Name: ANONYMOUS LOGON. Look closely at that [post](http://www.iis.net/learn/manage/configuring-security/application-pool-identities) @DavidMartin recommended -- cont – David Tansey Dec 22 '12 at 22:26
  • -- cont particularly under the heading __Securing Resources__. This quote gets my attention: > __Whenever a new Application Pool is created, the IIS management process creates a security identifier (SID) that represents the name of the Application Pool itself...However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.__ Following that they provide a recipe for giving proper permission for the resource to the 'not-real' user account. :) – David Tansey Dec 22 '12 at 22:27
  • Thanks David this helped a lot in understanding the issue – Raymund Dec 26 '12 at 18:44
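
Added example (not part of the original question or answers): a small Python check that reads a logon event in the layout quoted in the question and flags the signs discussed in the comments above, namely an anonymous network logon and NTLM instead of Kerberos. The function names and finding labels are illustrative, and the sample event is constructed from the values in the post.

```python
# Constructed sample: fields copied from the logon event quoted in the question.
SAMPLE_EVENT = """\
Subject:
    Security ID:        NULL SID
    Account Name:       -
Logon Type:         3
New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
Network Information:
    Workstation Name:   MYWEBSERVER
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V1
"""

def parse_logon_event(text):
    """Parse Event Viewer text into {section: {field: value}}; "" holds top-level fields."""
    event, section = {"": {}}, ""
    for raw in text.splitlines():
        if ":" not in raw:
            continue  # blank lines and the free-text summary line
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if raw[0].isspace():
            event[section][key] = value      # indented field inside a section
        elif value:
            event[""][key] = value           # top-level field, e.g. "Logon Type: 3"
        else:
            section = key                    # header such as "New Logon:"
            event[section] = {}
    return event

def diagnose(event):
    """Return (source workstation, findings) for one parsed logon event."""
    new = event.get("New Logon", {})
    auth = event.get("Detailed Authentication Information", {})
    findings = []
    # "Subject" also has an Account Name, so only the "New Logon" section is checked.
    if event[""].get("Logon Type") == "3" and new.get("Account Name") == "ANONYMOUS LOGON":
        findings.append("anonymous-network-logon")  # file server saw no user identity
    if auth.get("Authentication Package") == "NTLM":
        findings.append("ntlm-not-kerberos")        # delegation needs Kerberos end to end
    if auth.get("Package Name (NTLM only)", "").replace(" ", "").upper() == "NTLMV1":
        findings.append("ntlmv1")                   # legacy protocol version negotiated
    return event.get("Network Information", {}).get("Workstation Name"), findings

if __name__ == "__main__":
    print(diagnose(parse_logon_event(SAMPLE_EVENT)))
```

Running it on logon events exported from the file server shows which web server produced the anonymous logons, and whether they stop once the share is reached with a real identity over Kerberos.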