I manage several IIS servers and from time to time I struggle with permissions and web apps. Some situations are more unique than others, but usually I run into problems when a webserver is running a .NET application and trying to reach across the network to capture some data from a network share on another server.
This is the error you might be familiar with:
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true">, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user. </identity>
To get your webapp working correctly you have to decide how much security the webapp needs. If the application does not need to restrict who can use it, you'll need to:
- Create a domain user (remember the password…duh)
- Under IIS directory security click “Edit” for Authentication and access control.
- Check "Enable anonymous access", browse to the domain user you created, and enter the password you gave that user
- Sometimes optional: create a new application pool and set its identity to the domain user you created. Then browse to the webapp you're working with in IIS, select Properties, go to the Virtual Directory tab, and set the app to run in the new application pool. This ensures IIS uses the user you created when the app reaches out to the network.
- Browse to the network resource on the other server and add the created user to the share and NTFS permissions of the file/folder you need to access (give appropriate permissions; if you don't require write, don't give it!)
- Edit the web.config file for the app you're working with and set <identity impersonate="false"/>
If you need to restrict the webapp to a select group of individuals, the steps are slightly different.
- Give the group/users appropriate NTFS permissions on the web app's folder
- Under IIS browse to the application, select Properties and then Directory Security. Uncheck anonymous access (IIS will then authenticate the Windows user who is opening the web application and pass that identity to the app).
- Make sure the network share/folder/file has the required users/groups and appropriate permissions.
- Edit the web.config file for the app you're working with and set <identity impersonate="true"/>
- While you're in web.config you're going to need to familiarize yourself with the following two tags (they go inside the <authorization> section) to secure your applications:
- <allow roles="Active Directory group"/>
- <deny users="*"/>
- That checks the authenticated user for the correct group membership as assigned in Active Directory (and the file permissions on your network resource still apply) and denies all users who aren't members.
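Here are the two web.config variants from the steps above, side by side, as an added example (not from the original post). Both files are illustrative: the group name DOMAIN\PortalUsers and the app pool identity are placeholders you replace with your own.

```xml
<!-- ===== web.config #1: anonymous portal (first procedure) =====
     IIS: anonymous access ENABLED, anonymous account = your domain user,
     and (optionally) the app pool identity set to that same domain user.
     Result: the share on the other server is always accessed as that
     one domain user, never as the person browsing the site. -->
<configuration>
  <system.web>
    <!-- No impersonation: file and share access runs as the process
         identity (the application pool's domain user). -->
    <identity impersonate="false" />
    <!-- Nobody is challenged; every visitor is the anonymous account. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- ===== web.config #2: restricted portal (second procedure) =====
     IIS: anonymous access UNCHECKED, Integrated Windows authentication on.
     Result: the share is accessed as the browsing user's own account, so
     that user (or a group they are in) needs share + NTFS rights there. -->
<configuration>
  <system.web>
    <!-- Use the Windows account IIS authenticated. -->
    <authentication mode="Windows" />
    <!-- Impersonate that account for file/share access. -->
    <identity impersonate="true" />
    <authorization>
      <!-- Rules are evaluated top to bottom, first match wins, so the
           allow for the AD group must come before the catch-all deny. -->
      <allow roles="DOMAIN\PortalUsers" />   <!-- placeholder group -->
      <!-- "*" denies everyone not matched above; "?" would deny only
           anonymous users, which is NOT what we want here. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

If a user in the group gets "access denied" on the share with file #2 in place, check the share and NTFS ACLs on the remote server first, because with impersonation it is their account, not the app pool's, that is being checked.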
Side note….I'm not a programmer, just a SysAdmin. I'm sure there are all kinds of ways to get around this or perhaps even do it better. The above is just what I've encountered while working with internal portal applications. There are definitely not enough hours in the day to fully understand ASP.NET applications and IIS security, but I think that's a pretty good stab at it. Whenever I google for results I have a hard time remembering the differences between the Impersonate user settings, so hopefully now I won't forget!
Quick note… Use <identity impersonate="false"/> when you want IIS anonymous access with a single fixed identity for the app, and <identity impersonate="true"/> when you want the app to run as the authenticated Windows user so your application is most secure!