2

I'm attempting to read the size of a backup file on a network server from a web page to determine if there's still enough space to store several days of backups.

The following code works on a local directory:

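```csharp
using System.IO;
using System.Linq;

// Pick the most recently written file in the folder and read its size in bytes.
var directoryInfo = new DirectoryInfo( @"c:\AppFolder\" );
var file = directoryInfo.GetFiles()
    .OrderByDescending( f => f.LastWriteTime )
    .First();
var length = file.Length;
```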

But when I try to access a network folder (e.g. \\server1.domain1\share\), I receive a System.UnauthorizedAccessException: "Access to the path '\\server1.domain1\share\' is denied."

When logged in to the web server (Windows Server 2012 R2), my account can access the network share. I am fairly new to IIS 8.5. The web site was moved from IIS 6 on a Windows 2003 R2 server. I tried changing the identity of the Application Pool to each of the 4 options or even set it to my account, but I still get an access denied message. I used Process Monitor to see what account was accessing the network location. It seems to show that the correct identity is attempting to access the network location. But even on the entry which is set to my account, it gives an Access Denied message.

I tried giving permissions to the Application Pool identity as described here: IIS7 Permissions Overview - ApplicationPoolIdentity, but the Windows Server 2003 machine doesn't recognize IIS AppPool\website as a valid account.

Finally, I tried giving Everyone Full Control on the folder and the share. Even that doesn't work...

Updated diagnostic information:
Results of net share share

```
Share name              share
Path                    c:\share
Remark                  
Maximum users           No limit
Users                   USER1
Caching                 Manual caching of documents
Permission              DOMAIN1\User1, READ
```

Results of icacls c:\share:

```
c:\share NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         DOMAIN1\User2:(I)(F)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
         DOMAIN1\User3:(I)(OI)(CI)(M)
         DOMAIN1\User1:(I)(OI)(CI)(RX)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         BUILTIN\Users:(I)(CI)(S,AD)
         BUILTIN\Users:(I)(CI)(S,WD)

Successfully processed 1 files; Failed processing 0 files
```

Process Monitor:

```
Operation: CreateFile
Path: \\\\server1.domain1\\share1
Result: ACCESS DENIED
Detail: Desired Access:  Read Data/List Directory, Synchronize,  
    Disposition: Open, Options: Directory, Synchronous IO Non-alert,  
    Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete,  
    AllocationSize: n/a, Impersonating:  DOMAIN1\\User1
User: DOMAIN1\\User1
```

SqlSamurai

1 Answer

0

Did you try to set both application pool identity and site's anonymous authentication to your account?

zc2
  • I have Anonymous Authentication disabled. Windows Authentication and ASP.NET Impersonation are both enabled. – SqlSamurai Feb 13 '19 at 21:32
  • Can you open an administrator command prompt on the server which hosts the share and execute commands "net share " and "icacls " and post the output here? Also, you said you used Process Monitor, could you post here the failed transaction info? – zc2 Feb 13 '19 at 21:46
  • Results of `net share share` Share name share Path c:\share Remark Maximum users No limit Users USER1 Caching Manual caching of documents Permission Domain1\User1, READ – SqlSamurai Feb 13 '19 at 22:03
  • so, you login as "Domain1\User1" to your web application? – zc2 Feb 13 '19 at 22:15
  • added the results to the question. – SqlSamurai Feb 13 '19 at 22:16
  • Yes, that's the account I log in as. Others should be able to log in as their own accounts though. – SqlSamurai Feb 13 '19 at 22:17
  • Also, what is the Provider for the Windows Authentication? – zc2 Feb 13 '19 at 22:23
  • Provider is Negotiate and NTLM. – SqlSamurai Feb 13 '19 at 22:24
  • I believe only the Kerberos provider can let the authenticated user access a shared folder. Please read this article: https://msdn.microsoft.com/en-us/library/ff647404.aspx#paght000023_delegation There is a Delegation Table (closer to the bottom of the page) which explains the different IIS Authentication Types and their abilities to access (delegate) remote resources. NTLM does not support delegation. Kerberos supports delegation with the appropriate Active Directory configuration. – zc2 Feb 13 '19 at 22:28
  • https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/ – zc2 Feb 13 '19 at 22:32
  • I've looked at the article and in the Delegation tab, I'm not quite sure which service is responsible for accessing network files. Any ideas? – SqlSamurai Feb 15 '19 at 04:37
  • I might be wrong, but I don't think there is a special service besides the system itself. It looks to me like, to accomplish your goal, you need to either switch to Kerberos with correctly set up SPNs (and I won't help you with it due to my lack of knowledge in this field) or Basic authentication with the disadvantage of passing the credentials not encrypted. So, the simplest solution would be to enable the anonymous auth and create and use a service account that the IIS process will be impersonating. – zc2 Feb 15 '19 at 15:03
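
The delegation limit discussed in the comments can be checked from inside the application. The following is an added example, not code posted by anyone in the thread: it reports whether the impersonated token can be forwarded to a second server, and reads the share under the process (application pool) identity instead. It assumes .NET Framework and an application pool running as a domain service account that has been granted read access on both the share and the folder; `BackupShareProbe` and its method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper class (added example, not from the thread).
public static class BackupShareProbe
{
    // Describes the token the current thread would present to a remote server.
    // With ASP.NET Impersonation enabled this is the logged-in user's token.
    public static string DescribeCurrentIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // ImpersonationLevel == Impersonation: valid on this machine only,
            //   so a UNC open on another server is refused (the NTLM case).
            // ImpersonationLevel == Delegation: the token may be forwarded to a
            //   second server (Kerberos with delegation configured in AD).
            return string.Format("{0} auth={1} level={2} canDelegate={3}",
                id.Name,
                id.AuthenticationType,
                id.ImpersonationLevel,
                id.ImpersonationLevel == TokenImpersonationLevel.Delegation);
        }
    }

    // Returns the size in bytes of the newest file under uncPath, or -1 if the
    // folder is empty. The read is performed as the process identity, not as
    // the impersonated user, so no delegation is needed.
    public static long NewestFileLengthAsProcessIdentity(string uncPath)
    {
        // Impersonate(IntPtr.Zero) is equivalent to Win32 RevertToSelf.
        // Disposing the context restores the caller's impersonation.
        using (WindowsImpersonationContext ctx =
                   WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            FileInfo newest = new DirectoryInfo(uncPath)
                .GetFiles()
                .OrderByDescending(f => f.LastWriteTime)
                .FirstOrDefault();
            return newest == null ? -1 : newest.Length;
        }
    }
}
```

Because the read runs with the service account's rights regardless of who is logged in, that account should hold read-only access to the share, and the page itself has to decide which users may see the result.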