0

I'm trying to get my MVC app to write a simple text file to another server using System.IO.File.WriteAllText. (A separate process is looking in that folder for text files to grab.) It works fine when debugging on my local machine, but when deployed to IIS on a test server, I always get this error when trying to write the file:

Access to the path '\\server\C$\folder\subfolder\file.txt' is denied.

The answer to at least half a dozen similar questions here on SO was to give the application pool identity account access to that folder. However, the app pool on IIS was already running under a service account that had full permissions to the desired folder but was still getting the error. I even tried changing the app pool to my own account (the one used successfully in debugging) and still get the error.

Anonymous access is turned off, and Windows Authentication is turned on (part of the file.txt is info from the user's AD account). I have tried accessing the app with several AD accounts, both with and without access to \\server\C$\folder\subfolder\ but they all give the same error.

I don't see how the app can be running under an authorized account, and the user can be logged in to the app with an authorized account, but still get the access denied error. Is there any way to get more info about specifically what access is denied or which account is actually being denied? Anything else I'm missing here??

techturtle
  • 2,519
  • 5
  • 28
  • 54
  • As @Polyfun notes below, please confirm that the path is actually correct (beginning with a double slash) and what you have shown above is just a copy/paste or transcription problem. – GalacticCowboy Dec 08 '17 at 16:17
  • 1
    @GalacticCowboy I did check and the code has it correctly (plus it works in debug). SO's markdown just counted the two slashes as a single "escaped" slash when displaying it. – techturtle Dec 08 '17 at 16:24

2 Answers2

2

You need to check whether other processes already have the file open, e.g, "A separate process is looking in that folder for text files to grab" - perhaps this separate process already has the file open and is therefore locking out your IIS process? Use Process Monitor (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) to monitor activity on the file.

Also you give the file location as '\server\C$\folder\subfolder\file.txt'. UNC paths normally begin with a '\\', e.g., '\\server\C$\folder\subfolder\file.txt'. That may just be an artefact of StackOverflow escaping the double slash to a single slash.

As a simple test, can you use notepad with your own account to open the file in the error message and write to the file? What if you use the application pool identity account?

Edit: You run Process Monitor on the server that has the file location. Add a Path filter like this:

Path   excludes    file.txt   then  Exclude

Where file.txt is the file name (without the directory) of the file you are monitoring. This filter will only capture events for that file and will exclude everything else. Once an event occurs, right click it, and go to Properties, Process to see the User initiating the event.

Polyfun
  • 9,479
  • 4
  • 31
  • 39
  • "Grab" might have been a poor word choice. The process looking for the files is only reading them, and it's triggered by other events, so not locking the file at this time. The single `\\` was SO escaping the character; the code and the error both have 2. I did try opening the file in Notepad from the test server using the path as given in my code and it does work. – techturtle Dec 08 '17 at 16:22
  • Process Monitor should tell you what identity/account IIS is using when it is trying to open the file - is this the account you are expecting? – Polyfun Dec 08 '17 at 16:32
  • I have not used Process Monitor before. Trying it out now. Do I need to look on the IIS server or the one that has the file location? – techturtle Dec 08 '17 at 16:38
  • You run Process Monitor on the server that has the file location. Add a filter for the file name. It will show all processes/identities accessing that file, with any errors. – Polyfun Dec 08 '17 at 16:50
  • This helped me find the problem. There were apparently lingering credentials on my computer and even on the IIS server that allowed direct access to the folder but which IIS could not use. ProcMon showed that IIS was not ever making it to the file from the test server, but in debug on my machine it was accessing it using the lingering credential. Still have to figure out what's wrong with the service account that **should** have access to that file, but at least now I know where the problem lies. Thanks! – techturtle Dec 08 '17 at 19:34
0

First of all, you can try to give write rights to IUSR user on your folder in which you want to write your text file.

There is a way to imitate an user in your asp.net application by using Impersonate tag in your web.config file but I think this can be dangerous.

  <identity impersonate="true" userName="nomducompte" password="motdepasse" />

I hope this helps.

Coskun Ozogul
  • 2,389
  • 1
  • 20
  • 32
  • 1
    Isn't the IUSR user a local account to the IIS server? How would that work with giving it access to a remote machine? I did play briefly with the `identity` tag. Not sure if I did it wrong or if something was just incompatible with other settings because it always resulted in a `500 - internal server error`. – techturtle Dec 08 '17 at 16:26