It’s always the simple things that take longer than expected. If you are trying to access a network share, say \\server1\netshare$, from some code on your webserver (say \\server2), you would think this would be simple? If you’re on IIS you would be wrong, kind of. I think if you are on Apache this wouldn’t be such a big deal; it’s more to do with the stupid setup of IIS6 (may also be fixed in IIS7 – haven’t tried) and how it deals with user-based access, networking and permissions. It was probably set up to give flexibility but it’s less than transparent. You cannot add permissions to a folder on another server for a local user (again we are talking Windows Server 2003, IIS6), so at first it would seem that you need to make a shared domain account and add the permissions for that, switching out the IUSR account on the webserver, but in fact this doesn’t even work. You could of course use impersonation if you are talking about aspx, but that was overkill in this situation.
After a ton of messing about and a load of messy permissions trials I happened across the solution:
In short, the easiest way to access \\server1\netshare$ from a piece of code on \\server2 (without giving administrator rights, creating specific domain users, etc.) is to find the IUSR account details on \\server2 (your webserver) and then create a user on \\server1 with these exact credentials. Having both boxes with these local permissions then allows you to assign this local user on the netshare server the permissions you want on its local folder structure, and curiously lets the webserver log in locally.
Now this doesn’t, or rather shouldn’t work if you ask me, but it does. To get the IUSR password from the webserver you need to do a bit of a fudge, but once you are all set up this works. Great if you want to access network shares from a web server without compromising your network security!
Get your webserver’s IUSR Account username and IUSR Account password:
- Right click My Computer -> Manage -> Local Users and Groups -> Users (this does not show up on domain controllers, so it won’t work if your web server is also your DC).
- You will have an account in here called IUSR_*SOMETHING* (if you are running IIS) – this is what I was referring to as the IUSR account, and it is the account you will need to create on the other server – you do this in the same place on that box.
- Next you need to get the IUSR account password. Go to C:\Inetpub\AdminScripts, open adsutil.vbs in Notepad, find the line “isSecureProperty = True” (this is within an If statement) and replace True with False (this is temporary – you will want to change this back as soon as you have got the IUSR password).
- Once you have altered your adsutil.vbs, open up a command prompt (cmd), type/copy the following and hit return:
  C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/anonymoususerpass
- You should be presented with something like:
  anonymoususerpass : (STRING) "**PASSWORDHERE**"
- And there you have it – this is your IUSR password. Use this and the IUSR account name you got from above to create a local user on the other server (\\server1) and you will be singing! Don’t forget to change isSecureProperty = False back though!
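
A check for the last step, as an added example that is not part of the original post: it reads a copy of adsutil.vbs and reports whether any live assignment still sets isSecureProperty to True, so a forgotten temporary edit is caught. The sample script text is constructed from the description above (the real file's layout is not shown on this page), and the function names and `SchemaObj` are this example's own.

```python
import re
import sys

# Assignment to the function's return value. VBScript is case-insensitive.
ASSIGN = re.compile(r"\bisSecureProperty\s*=\s*(True|False)\b", re.IGNORECASE)

def secure_property_assignments(vbs_text):
    """Return [(line_number, assigned_bool)] for every live assignment."""
    found = []
    for number, line in enumerate(vbs_text.splitlines(), start=1):
        code = line.split("'", 1)[0]  # drop ' comments (apostrophes in strings not handled)
        if code.strip().lower().startswith("rem "):
            continue  # Rem comment line
        match = ASSIGN.search(code)
        if match:
            found.append((number, match.group(1).lower() == "true"))
    return found

def masking_state(vbs_text):
    """'masked' if some assignment is still True, 'unmasked' if none is,
    'unknown' if the script has no such assignment at all."""
    found = secure_property_assignments(vbs_text)
    if not found:
        return "unknown"
    return "masked" if any(value for _, value in found) else "unmasked"

# Constructed sample: the layout is an assumption based on the post's
# description (an assignment inside an If statement), not the real file.
ORIGINAL = """\
Function isSecureProperty(ObjectParameter, MachineName)
    If (SchemaObj.Secure = True) Then
        isSecureProperty = True
    Else
        isSecureProperty = False
    End If
End Function
"""
# The temporary edit from the steps above, left in place by mistake.
EDITED = ORIGINAL.replace("isSecureProperty = True",
                          "isSecureProperty = False ' was True")

if __name__ == "__main__":
    text = EDITED  # default: the constructed sample
    if len(sys.argv) > 1:  # or a path to a copy of adsutil.vbs
        with open(sys.argv[1], encoding="latin-1") as handle:
            text = handle.read()
    state = masking_state(text)
    print(state, secure_property_assignments(text))
    sys.exit(0 if state == "masked" else 1)
```

An exit status of 1 means the script still needs to be changed back (or the assignment could not be found and the file should be inspected by hand).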

11 Comments
I tried this and it did not work for my asp.net page. I had to give user everyone access to share. Is this because user aspnet would need to be created as well on server2?
You *might* need IIS on it, although as long as you create the users exactly the same you should have no issues… Could you give more info on your architecture?
I have an Access database stored on server2 with an asp.net form that a user inputs data and that data is saved to the db and an e-mail is sent when the user clicks the submit button. If I don’t use the user everyone on the share I cannot open up the asp.net page without getting an error. I’ve been trying to overcome this and thought your solution would work.
I’ve also created the aspnet local user with the same password and I still have the same issue.
Is the Access database protected? It’s only one user accessing it at a time?
You are creating the same user on both servers, yeah? What’s the error you’re getting? It works with the everyone permission but not without it, yeah?
I have the same user on both servers, I’ve added that user to the security settings for the db file, share and security settings.
Here is the error if everyone is not used.
Server Error in ‘/TT’ Application.
——————————————————————————–
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a “web.config” configuration file located in the root directory of the current web application. This <customErrors> tag should then have its “mode” attribute set to “Off”.
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the “defaultRedirect” attribute of the application’s <customErrors> configuration tag to point to a custom error page URL.
What Windows / IIS version are you on? It’s the IUSR account you have added on both, right? From the calling server?
Are you using full network path e.g. \\servername\e$\data.mdb or IP or mapped drive or what?
I’m running this on Win 2003 server IIS Ver 6, the IUSR account is on both systems, the web server and the file server. The path is the UNC \\servername\share name\data.mdb.
Difficult situation isn’t it? Took me days to work it out but it’s worth sticking with. I would hazard a guess it’s to do with your IIS settings on the calling box, it needs to be calling using IUSR and no pass through account?
Can you elaborate on this? How do you have your IIS virtual directory set up?
To be honest Kevin I was lazily using \\servername\e$ (dollar shares) to test the theory, but this can still be secured as long as your overall permissions are set well across the second box? Do you want me to remote in see if I can help? lol