Hi all,
I've to access to a network file from an asp pages.

I've red a lot of things on old posts and on Microsoft article but I can't
still solve my problem.

I've got two server inside the same NT domain, each one has its own web
server.

The web server is always IIS 5.0.

One of this web server have to access to a network file in writing mode
inside the other server.

I've tried using this code
-------------------
Set fso = Server.CreateObject("Scripting.fileSystemObject")
uri=\\web21bcklab\c$\Inetpub\wwwroot\WebModules\Logger\debugLog.txt
Response.Write fso.FileExists(uri)
---------------------

the existence check returns always false. why ?

How can I solve this problem ?

thx

Show quote Hide quote http://www.aspfaq.com/show.asp?id=2168

He is not trying to access an Access file but rather a text file. I think
the problem is using an administrative share. c$, rather than a public
share.

Set up a public share on the directory containing the file, e.g., pubdir,
and access it as \\pubdir\filename.

Tom Skinner [ C# MVP]

Show quoteHide quote

It's the same with a public share.

I've already tried it

Show quoteHide quote

Yes - but the procedure provided by Aaron is the same.

Good point about the share - C$ is only available to admins.

Show quoteHide quote

The problem is still the same.  IUSR cannot touch a text for the same
reasons it can't touch an MDB file... the other machine doesn't know who he
is!

Yes, this definitely part of the problem.  The only way you could have C$ be
used is if you add WebServer\IUSR_WebServer to the local admin group on the
server web21bcklab ... not exactly a recommended approach, but I guess it
depends on the environment.  I'd prefer to have public shares explicitly
granted access than suddenly give IUSR carte blanche over the whole server.

A

Your solution is formally correct but it's doesn't solve completly my
problem.

I've an asp file inside a virtual directory with necessary only Windows
Integrated Authentication enabled. That file have to access to text file
inside another host member of the same NT domain.

The authentication inside asp file is made only with domain user. By this
domain users I can manually access to tha text file, but my web server can
not.

Does my web server always access to text file on network share only by using
IUSR_webserver user ?

Show quoteHide quote

It's not the web server, but rather the ISAPI extension. In this case
ASP.dll. ASP.NET doesn't run under IUSR_server, but rather under the account
ASPNET on XP Pro and under NETWORK on WS3 if I recall correctly. With
ASP.NET there are ways of impersonating a user and therefore any actions by
that user would have that users security token. Unfortunately I don't think
there is any way to do this under ASP other than writing your own ISAPI
extension. You are probably stuck with IUSR_server credentials. I might be
wrong though. Personally I would switch to ASP.NET.

You can always put this file in its own directory and make it a public
writable share and then your server could access it regardless of
authentication credentials. Of course this offers no protection.

Tom Skinner [C# MVP]


Show quoteHide quote

This is the classic "double hop" scenario.  Integrated Authentication(NTLM)
does not support "double hop" because the web server is not authorized to do
so.

Authentication choices that allow double hop include:
1. Basic
2. Integrated Authentication(Kerberos)
3. Custom Authentication that mimics #1 or #2 in principle
4. Protocol Transition from (Whatever)->Kerberos

The following URL should have the necessary pointers to set this up. It
talks about things in terms of a UNC vdir, but it is really not much
different than an ASP page accessing a UNC share.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

I believe IIS5 supports choices #1, #2, and #3.

FYI: There is a difference between using the domain user to manually access
the text file and having the domain user login to the web server and use the
web server access the text file using the domain user's identity.  Namely,
when the domain user manually accesses the text file, they are directly
doing this action (no delegation through third party). Meanwhile, with a web
server, the user only authenticates to the web server and can touch objects
on that server as themselves; the web server does not have permissions to
access other network resources on behalf of the user. If this looks
illogical to you, consider when a user accesses your webserver, whether your
web server should be allowed to withdraw money from their bank's remote
server as the user (instead of copying a file to a remote server as the
user). The two actions are identical from a networking/trust perspective,
but one action is clearly ok while the other is not ok. The reason that it
is not ok is the reason your current ASP page is failing.

Your solution is formally correct but it's doesn't solve completly my
problem.

I've an asp file inside a virtual directory with necessary only Windows
Integrated Authentication enabled. That file have to access to text file
inside another host member of the same NT domain.

The authentication inside asp file is made only with domain user. By this
domain users I can manually access to tha text file, but my web server can
not.

Does my web server always access to text file on network share only by using
IUSR_webserver user ?

Show quoteHide quote

your suggestion is correct but now I've got this strange problem.

When I use my asp page (try.asp) to access the text file by this url
http://IIS_WebServerName/try.asp, it is all right, but when I use this url
http://IIS_WebServerName.DomainName.Ext/try.asp , I obtain the usual error:
my asp page can't access the text file.

Can you still help me?


Show quoteHide quotehttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
Show quoteHide quote

This is most likely a browser-side issue.  For example, IE authenticates
differently depending on whether the server name has dots in it or not (it
treats it as different zones).

IIS does not alter behavior based on server name (unless you configured host
header and DNS incorrectly or have server-side application that alters
behavior based on SERVER_NAME server variable). It is just another
identifier as far as IIS is concerned.

your suggestion is correct but now I've got this strange problem.

When I use my asp page (try.asp) to access the text file by this url
http://IIS_WebServerName/try.asp, it is all right, but when I use this url
http://IIS_WebServerName.DomainName.Ext/try.asp , I obtain the usual error:
my asp page can't access the text file.

Can you still help me?


Show quoteHide quotehttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
Show quoteHide quote

when I use url WITH domain specification IE loads it inside Internet
Security Zone, while when I use url WITHOUT domain specification it's loaded
inside Intranet Security Zone.

So I've tried adding the host with domain specification inside Trusted Sites
Security Zone and now my asp page works properly.

I've found the solution but I can't understand the reason, or better, I
couldn't found which option inside Security Option panel has solved my
problem.

Any idea ?

Show quoteHide quotehttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
Show quoteHide quote

I believe IE has some hardcoded behavior that treats names differently
depending on whether it has dots or not. The thing that changed is probably
its authentication/auto-logon behavior.

As to how it affects usage of Integrated Authentication -- maybe IE has code
in it that thinks "Integrated Authentication should not work over the
Internet" (because it usually does not).  Sorry, dunno much more about IE
other than superficial observations of IE behavior from the outside.

when I use url WITH domain specification IE loads it inside Internet
Security Zone, while when I use url WITHOUT domain specification it's loaded
inside Intranet Security Zone.

So I've tried adding the host with domain specification inside Trusted Sites
Security Zone and now my asp page works properly.

I've found the solution but I can't understand the reason, or better, I
couldn't found which option inside Security Option panel has solved my
problem.

Any idea ?

Show quoteHide quotehttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
Show quoteHide quote

Show quote Hide quote How often does it need to be accessed and how updated does the data need to
be?

I can't understand why you want to know this kind of information.

That file could be access a lot of time in some days and just a few in other
ones

Show quoteHide quote

Why can't you just answer the question, instead of being defensive about it?
Maybe the response after that would show you why he was asking...

He was probably wondering if the file could be copied locally on a schedule,
so that ASP had access to it locally.  Then you don't have to change
permissions and deal with an app having access to important shares.

You should look into DFS, perhaps.

I can't move to local that text file.

I have to access remotely to that file by using an asp file publish on a web
server.

Show quoteHide quote

Then you're going to have to set IIS to run that application/virtual
directory/site as a domain authenticated user instead of IUSR.  Again,
http://www.aspfaq.com/show.asp?id=2168 tells you how to change the user that
IIS impersonates.  You should read through it.

Show quoteHide quote

The solution described in your url is formally correct, but it is not
suitable to my problem.

My text file must be accessed only by an ASP file or application that use
only Integrated Windows Authentication.

Your solution is correct but it uses Anonymous Access.

Show quoteHide quote

"Aaron [SQL Server MVP]" wrote in message
You were right on the money.

To not be able to open up security, you could use WSH to make the file
available locally so the user could access it with the rights they have
right now.

I have a service I offer to customers that sign up for it for a product I
have written.  Shipping tables update sometimes weekly.  It is a annoying
process to update these manually.  I have automated the procedure and allow
people to get it from me in the format they need so they don't have to do it
themselves.  I pull data from the vendor's web sites with WSH and update
their config.asp file.  This file is scheduled with AT.  It works well.

If you are unable to do something similar then, as Aaron said, you're going
to have open up your security so the users have access.

David Wang, your suggestion is correct but now I've got this strange
problem.

When I use my asp page (try.asp) to access the text file by this url
http://IIS_WebServerName/try.asp, it is all right, but when I use this url
http://IIS_WebServerName.DomainName.Ext/try.asp , I obtain the usual error:
my asp page can't access the text file.

Can you still help me?

It's an automatic trust within the local network, but not the same when the
domain name is out in the wild.  This is what zones are for.

You may have to have your users add the .domainname.ext domain to their
local/trusted zone, or seek another workaround.

Show quoteHide quote

How you can see into my last reply to David Wang, I've verified what you
have wrtitten and I've found another workaround but I can't understand
because that workaround is correct.
Can you read that post and still help me ?

Another question about your solution: where have I to add domain information
? insiede domain users profile on Domain Server ?

Show quoteHide quote

Cookie Expire Date question
Saving a file
backing up an asp database
Which book to get?
ASP Thread Scheduling Anomalies