0

I am trying to access files from the shared folder(ftp location) in Asp.net application. It is working fine from visual studio. When i deploy same in IIS 7 , i am getting the following error

"Logon failure: the user has not been granted the requested logon type at this computer."

Stack Trace:

[IOException: Logon failure: the user has not been granted the requested logon type at this computer. ]
System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) +9723522 System.IO.FileSystemEnumerableIterator1.CommonInit() +245 System.IO.FileSystemEnumerableIterator1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler) +556
System.IO.DirectoryInfo.InternalGetFiles(String searchPattern, SearchOption searchOption) +64 System.IO.DirectoryInfo.GetFiles() +14

......

My application pool is running in NETWORKSERVICE mode To which user in IIS i need to give the permission for accessing this folder? is it IUSER or NT AUTHORITY\NETWORK SERVICE ? How can i identify the current running user in IIS?

Soner Gönül
  • 97,193
  • 102
  • 206
  • 364
JIJIL
  • 81
  • 1
  • 7

3 Answers3

2

The reason the connection is refused it most likely a Group Policy which disallows access to that service by the user running the IIS service.

I would not want to give any of those system users permission to access a network resource. Other computers could potentially connect as well.

Instead - make your program authenticate with a guest account or another account which you create and give the appropriate permissions.

I would say that it would be a more secure approach.

fredrik
  • 6,483
  • 3
  • 35
  • 45
  • One way to use another account, if the API does not allow for it directly that is, is to use Impersonation – fredrik Mar 06 '13 at 21:22
  • Once we allow the permission to the user running the IIS 7 it will solve this issue right? – JIJIL Mar 06 '13 at 21:34
  • It should - unless there are some build-in countermeasures in either windows or IIS. But if doing that is an alternative, it won't hurt to try. – fredrik Mar 06 '13 at 21:39
  • If i am trying with giving access to IIS user then, how can i check the user who need this access from the IIS. ie from where i will get the username – JIJIL Mar 06 '13 at 21:48
0

You may be trying to log on interactively to a computer you can only access over a network, or vice versa.

Change your logon location. Try to log on either locally (interactively) or remotely (over the network), as appropriate. You may want to ask the person who administers computer security to change the security database so you can log on either locally or remotely.

0

To debug - look at Environment.UserName at the moment of exception. It will be either user that initiated request OR anonymous user.

To fix: if local files - granting permissions may be ok. If remote and using user's impersonated account - need to impersonate with another account that have permissions on remote machine as you can't use already impersonating account to access remote resource ("NTLM one hop").

Note: make sure you review security requirements when allowing access to files.

Alexei Levenkov
  • 98,904
  • 14
  • 127
  • 179
  • I am gettting IUSR as the Environment.UserName. So you are telling that for remote shared location i can't access by enabling the Read/Write permission , instead i need to go with impersonating the user who is having acces to this folder right?. Then how it is working from visual studio? – JIJIL Mar 06 '13 at 21:44
  • Local account (which IUSR is I believe) can't access remote resource (remote resource will see machine account), so yes - you need to impersonate some user valid for at least remote location. VS uses local web server that runs under your account. – Alexei Levenkov Mar 07 '13 at 00:48