Its always the simple things that take longer than expected, if you are trying to access a network share, say \\server1\netshare$ from some code on your webserver (say \\server2) – you would think this would be simple? If your on IIS you would be wrong, kind of. I think if you are on Apache this wouldn’t be such a big deal, its more to do with the stupid setup of IIS6 (may also be fixed in IIS7 – havent tried) and how it deals with user based access, networking and permissions. It was probably set up to give flexibility but its less than transparent. You cannot add permissions to a folder on another server for a local user (again we are talking Windows Server 2003, IIS6), so at first it would seem that you need to either need to make a shared domain account and add the permissions for that, switching out the IUSR account on the webserver, but in fact this doesn’t even work. You could of course use impersonation if you are talking about aspx but that was overkill in this situation.
After a ton of messing about and a load of messy permissions trials I happened across the solution:
In short the easiest way to access \\server1\netshare$ from a piece of code on \\server2 (without giving administrator rights, creating specific domain users, etc.) is to find the IUSR account details on \\server2 (your webserver) and then create a user on \\server1 with these exact credentials. Having both boxes with these local permissions then allows you to assign this local user on the netshare server the permissions you want on its local folder structure, and curiously lets the webserver login locally.
Now this doesn’t, or rather shouldn’t work if you ask me, but it does. To get the IUSR password from the webserver you need to do a bit of a fudge, but once you are all set up this works. Great if you want to access network shares from a web server without compromising your network security!
Get your webserver’s IUSR Account username and IUSR Account password:
- Right click my computer -> manage -> local users and groups -> users (this does not show up on domain controllers so wont work if your web server is also your dc)
- You will have an account in here called IUSR_*SOMETHING* (if you are running iis) – this is what I was refering to as the IUSR account and what you will need to create an account as on the other server – you do this in the same place on that box.
- Next you need to get the IUSR account password, which you can do by first going to C:\Inetpub\AdminScripts and opening adsutil.vbs in notepad, finding the line “isSecureProperty = True” – (this is within an if statement) and replacing true with false (this is temporary – you will want to change this back as soon as you have got the IUSR Password.)
- Once you have altered your adsutil.vbs open up a command prompt (cmd) and type/copy the following and hit return:
- C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/anonymoususerpass
- You should be presented with something like
- anonymoususerpass : (STRING) “**PASSWORDHERE**”
- And there you have it – this is your IUSR Password, use this and the IUSR account name you got from above and create a local user on the server and you will be singing! Don’t forget to change isSecureProperty = False back though!
15 Comments
I tried this and it did not work for my asp.net page. I had to give user everyone access to share. Is this because user aspnet would need to be created as well on server2?
you *might* need IIS on it, although as long as you create the user’s exactly the same you should have no issues…could you give more info on your architecture?
I have a Access database stored on server2 with an asp.net form that a user inputs data and that data is saved to the db and an e-mail is sent when the user clicks the submit button. If I don’t use the user everyone on the share I cannot open up the asp.net page without getting an error. I’ve been trying to overcome this and thought your solution would work.
I’ve also created the aspnet local user with the same password and I still have the same issue.
Is the access database protected? its only one user accessing it at a time?
you are creating the same user on both servers yeah? whats the error your getting? it works with the everyone permission but not without it yeah?
I have the same user on both servers, I’ve added that user to the security settings for the db file, share and security settings.
Here is the error if everyone is not used.
Server Error in ‘/TT’ Application.
——————————————————————————–
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a “web.config” configuration file located in the root directory of the current web application. This tag should then have its “mode” attribute set to “Off”.
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the “defaultRedirect” attribute of the application’s configuration tag to point to a custom error page URL.
What windows / iis version are you on? its the iUSR account you have added on both right? from the calling server?
are you using full network path e.g. \\servername\e$\data.mdb or ip or mapped drive or what?
I’m running this on Win 2003 server IIs Ver 6, the iusr account is on both systems the web server and the file server. The path is the unc \\servername\share name\data.mdb.
Difficult situation isn’t it? Took me days to work it out but its worth sticking with. I would hazard a guess its to do with your IIS settings on the calling box, it needs to be calling using IUSR and no pass through account?
Can you elaborate on this? How do you have your IIs virtual directory setup?
To be honest Kevin I was lazily using \\servername\e$ (dollar shares) to test the theory, but this can still be secured as long as your overall permissions are set well across the second box? Do you want me to remote in see if I can help? lol
I work with IIS6 on Windows Server 2003. I use Integrated Windows Authentication because i’am working in a Domain and I want SSO. Then this is not possible because the IUSR-account is not used. For read and write you can let the share be read/writeble for everyone (not only the domain user, but also from outside the domain), but the problem is that everyone can map this share and get files from it. PHP should first check the database if the user is allowed to view the specified document. Now the upload-folder is outside the webroot on the same server, that works perfect, but I want load balancing and 1 storage-server for the files. I read a lot of documents, is there someone that can help?
Not sure on this I’m afraid Harrie – this was years ago now and I don’t touch windows servers anymore! 🙂 Best of luck
how to get images from unc path directory or another network computer directory in php ….
glob(), opendir(), alll methods are used but not work path is not valid… please reply me quick…
Not Sure!
Comments Archive
Hi there. This is my old blog and it's archived, so you can no longer post new comments on this post (ASP/PHP Network Share browsing between Servers on IIS).
Read my new blog about writing software and stories at WoodyHayday.com