BLUF
Our application is attempting to write a file to a UNC folder using an ASP.NET web service running under .NET 4.5, IIS 7.5, and Windows Server 2008 R2. However, any attempt to write the file to the desired location results in an access denied exception.
The task seems simple however me and my team have been troubleshooting this for a while now and we are stumped as to what may be causing the error. Below are the details of our setup and what we have tried and found so far. Names have been changed to protect the innocent.
Environment Setup
The web server, mywebserver, has a website named My.Site.Com with a corresponding application pool named My.Site.Com. The application pool is configured as shown below.
.NET Framework Version : v4.0
Enable 32-bit Applications : False
Managed Pipeline Mode : Integrated
Name : My.Site.Com
Identity : ApplicationPoolIdentity
Load User Profile : False
The UNC path we are attempting to write to is \myotherserver\mydirectories\output where mydirectories is the actual share. On this share a domain group named mygroup-www has been granted full permissions to the share and all subfolders. The machine account (i.e., mywebserver) is a member of this mygroup-www group.
NOTE: For the moment, this UNC path actually lives on the same
machine, mywebserver. However, this will eventually be moved to a machine other
than mywebserver in our test environment and in the production environment
when that it is ready. Currently, I only have the one test environment to troubleshoot with.
The error can be replicated by executing the following code.
[WebMethod]
[ScriptMethod(UseHttpGet = false, ResponseFormat = ResponseFormat.Json)]
public string ExportReport(int reportId)
{
try
{
string output = ConfigHelper.OutputPath + "test.html"; // UNC path
string url = ConfigHelper.VirtualPath + "test.html";
string[] lines = { "Hello", "World!" };
File.WriteAllLines(output, lines); // Access Denied!
return url;
}
catch (System.Exception ex)
{
Logger.ErrorException("Error exporting report", ex);
throw;
}
}
Troubleshooting
Failed Attempts
We tried various combinations of group/user permissions on the folders (listed below). When running these tests we also ran Process Monitor. For each configuration we saw the same result. The w3wp.exe process attempted to create the file in the desired location but reported a result of ACCESS DENIED. The user of each configuration was IIS APPPOOL\My.Site.Com as expected.
Granting mydomain\mymachine$ full permissions to \myotherserver\mydirectories
Granting mydomain\mymachine$ full permissions to \myotherserver\mydirectories\output
NOTE: I have also tried modifying the code so that it would read a
simple file from \myotherserver\mydirectories\output. When
attempting to read the file, the process fails with an ACCESS DENIED
message as it did when writing the file.
Successful Attempts
We also tried several configurations that worked.
Grant the local IIS APPPOOL\My.Site.Com permissions
The first configuration to work was to grant the IIS APPPOOL\My.Site.Com full permissions to \myotherserver\mydirectories The file was successfully written however the process's user was quite unexpectedly a domain account that was set up for a web application on the same machine in another website. This remains very confusing but worked as the 'other' account also has write permissions to the share.
This won't work in production as we cannot use local accounts to grant access to networked resources but is an interesting data point nonetheless.
Change the App Pool Identity to Domain User
The second configuration that worked was to change the My.Site.Com application pool's identify to domain account that had full permissions to \myotherserver\mydirectories. This was a 'vanilla' domain account that was manually created by us. We did not capture what the user of the process was but that may be another useful data point.
This option may be possible, however it breaks away from best practices with IIS 7.5 and may not be allowed in our production environment due to fairly stringent IT policies.
Run the Site On My Development Machine
The third test was to run the site locally on my development machine, mydevmachine. My local IIS configuration is identical to mywebserver with the exception that I am running Windows 7 instead of Windows Server 2008. I granted full permissions for mydomain\mydevmachine to the \myotherserver\mydirectories and ran the application. The file was successfully written. According to Process Monitor the user for the process was correctly set to IIS APPPOOL\My.Site.Com.
Conclusion
We would like to enable write access as designed using the machine account of mywebserver. We have read ApplicationPoolIdentity user cannot modify files in shared folder in Windows Server 2008 and Permissions for Shared Folder for IIS 7 Application Pool Identity Across Domain and Application Pool Identities.
According to this information we should be able use the machine account to grant read and write access to networked resources such as the UNC path. In fact, I can do this in the desired manner when running the web site from my development machine.
There are a couple thoughts that come to mind. Perhaps there is something wrong with the machine account of the test web server. Or perhaps that 'other' software is interfering with the process somehow.
Any thoughts as to what may be causing this issue? What else should we do to troubleshoot?
Reboot your 'mywebserver'.
Marvel at the now mysteriously functional ApplicationPoolIdentity.
Install MS HotFix KB2545850 and learn the details about this bug in KB2672809 which also shows the steps to reproduce and demonstrate this apparently random problem. Direct download link here.
Speculate why Microsoft has not managed to release a normal windows update for this in the 3 years since that hotfix was published. While people still continue running into it and pulling their hair out because of this obscure problem.
Learn about the other folks who have shared and enjoyed this gift from MS that still continues to keep on giving:
IIS application using application pool identity loses primary token?
DirectoryServicesCOMException 80072020 From IIS 7.5 Site Running Under ApplicationPoolIdentity
ApplicationPoolIdentity cannot access network resources
ApplicationPoolIdentity IIS 7.5 to SQL Server 2008 R2 not working
Windows Authentication Failed when using application pool identity
IIS 7.5 stops using machine account to connect to network resource when using AppPoolIdentity
Your Windows 7 dev machine probably worked fine because it reboots more often than the server. Congrats on your very well written and thorough bug report. I rarely see that here.
I had similar problem accessing a network share using AppPoolIdentity in an ASP.NET application (access denied).
Using NetworkService account or other domain account worked but these were not the best solution.
I performed almost all the tests you did but finally found something that worked.
I figured out that the Network Service account was not used when accessing the shares, just like you did (i expected domain\machine$ account)
This worked for us:
On your IIS web site, go to Authentication and change the Anonymous Authentication item to "Application Pool Identity". It's by default set to "IUSR". This solved our problem.
Also maybe activating ASP.NET impersonation (still in Authentication menu) may help.
Thibault
I have faced same issue, I resolved by creating one domain account for each environemt (QA, STAGE, PRODUCTION). In Application pool identity I have set custom account and I used domain user for respective account. Now It gives me the ability to write and read the files from UNC Path.
SCVMM 2012
When to create VM template from a win7 VM, scvmm throws the following errors:
Error (10619) The user name provided is not a valid local
administrator user name for this operating system.
Recommended Action Provide a valid user name other than the built-in
Administrator account name and then try the operation again.
Error (10666) Hardware changes while creating a template from a
virtual machine are not supported and were ignored.
Recommended Action Make any hardware changes to the template after you
create the template.
Solution: Remove the interACT default user and only left the
administrator account
Seems everything is ok and I tried for several times and got the same error.
Following the post:
1.Clean administrator password as blank
2.Stop Windows Media Sharing service
This code was used once to get the Current user's windows logon name.
The application was published on a webserver and this code worked to get the end user's Windows Logon Name, so how could this happen when this code is actually running in the code behind on the server itself?
Dim CurrentUser As String = System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString
Please explain to me if you can.
IIS has a mode called Windows Authentication which (usually when combined with Internet Explorer) will authenticate the user with the server automatically and enable this functionality.
For this to work you usually have to disable anonymous access.
When you try to log into SSRS's root site at http:// (servername)/Reports it displays:
User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
This is on a 64 bit edition of Windows 8 Pro, running SQL Server 2008 enterprise. Everything should be using the local system as the account of execution.
I have tried changing the execution account as my user which is admin, I have added the site as the trusted site, I have UAC turned completely off, I have tried to hit the site with IE AS ADMIN, Chrome, and Firefox. Everything I try the site states back that I don't have the rights. I go into SQL Server and ensure my roles are everything for my user. It does not care. I am currently reinstalling the SSRS node of the SQL Server install but am curious if anyone else had this issue yet.
I am going to try to change my account to a 'local' account as I am thinking that may be an issue yet I don't understand why SQL Server can recognize my login integrated just fine. Honestly I never ran into this and am wondering if this is an issue just with Windows 8 accessing SQL Server 2008. I would upgrade but I have a full version of SQL Server 2008 and not of 2012 so I am hesitant to just upgrade unless Express 2012 will come with Business Intelligence Development Studio and SSRS site with tools.
EDIT: 3-8-2016:
No answer with: "Just turn on site settings" is valid as this is the first time installing as the admin of the server or machine locally and not able to access the landing page as that admin.
No answer with: "Just run IE as admin" will work last I tested that.
Answers with "Trusted SITE settings MAY WORK" on Windows 8 and higher as I had a similar problem to this with Windows 10 and on Windows 10 it did fix it. I am not going to rollback two OS versions to check at home though, sorry.
I don't get how this question can be existing for a while and people are now on a mission to claim it is duplicate when the very answer is different than the potential duplicate. That whole thread deals with someone able to get into the site with elevated permission and just not setting up roles and users after the fact. This is the main user of the machine not getting to the landing page as an admin to the site listed as the default landing. Not even the same ballpark. Getting into a page as an admin to let local users in versus the highest level God user not getting in is not the same.
Everything in this answer is true but don't reinstall all of SSRS thats nonsense...
Windows 8
Disable UAC
Enable Administrator Account (You can go to Control Panel > Computer Management > Users)
Restart PC
Run IE ad Administrator when prompted login with your local Administrator account you enabled.
You will need to adjust site settings security and folder settings security. Easy fast fix just add "Everyone" in both of those with full rights.
Problem solved!
I ran into the same issue myself but with Windows 7 and SQL Server 2008. I resolved the issue following the instructions from Suresh Kumar's blog post at http://skamie.wordpress.com/2010/06/24/ssrs-and-uac/
In a nutshell here are the steps you need to take to resolve this issue:
Start your browser using 'run as Administrator'.
Navigate to the report manager and under Site Settings -> Security assign your account or the local administrators group to the System Administration role.
Then navigate to the home folder and under the security settings assign your account or the local administrators group to the Browser, Conent Manager, My Reports, Publisher and Report Builder roles.
Now you should be able to run your browser as normal and access SSRS without any issues.
Okay this is really annoying what needed to be done but here goes.
From what I kept reading Windows 8 does not by default enable the default administrator account.
I usually don't use this account but in this case I was desperate as my account could not get in.
I understand ONCE YOU ARE IN you can set the site settings, that does not help if you cannot even see the site's main landing page to see that setting.
The steps I took to finally resolve were;
Uninstall SSRS Node COMPLETELY by going to control panel>SQL Server 2008>Remove>Check Reporting Services
Enable default admin account: command prompt>run as administrator>net user administrator p#ssw0rD, hit enter.
New line: net user administrator /active:yes
Reboot
Reinstall SSRS from disc with logging in as default administrator
Install SP3 as administrator
Go to IE.exe DIRECTLY in Windows 8: C:\Program Files\Internet Explorer\iexplore.exe>Run as administrator.
Go to http:// (servername)/Reports
You SHOULD now be able to finally see site settings. NOW YOU CAN FOLLOW everyone's directions of adding YOUR USER under site settings. Also go to folder permissions and add the user as a default here as well.
(optional) For safety I would hide the default admin account now by using step 2 but substitute /active:no in.
If your main admin can't open the door, no one is getting in. That was the main issue I was having. My default admin could not get in. Now everything is working fine and dandy like it should with deploying from BIDS as well.
I had the same problem on my Windows 8 system (32 bit) with SQL Server 2008R2. When I started IE using 'run as Administrator' it still asked for a user name and password and resulted in "user does not have permissions"-error when I entered my user name and password. This is what fixed it for me:
I disabled UAC in the registry (Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0). I first set notify-level under Control Panel | System and Security | Change User Account Control to the lowest level but that didn't make any difference.
After reboot I started IE using 'run as Administrator'. Went to Report Manager | Site Settings | Security: added my account as System administrator.
Still in Report Manager I went to Home | Folder Settings and added my account with role Content Manager.
I enabled UAC through Control Panel | System and Security | Change User Account Control settings by setting it to default level again. (Reboot required)
When I run IE as Administrator now and supply my user name and password it does show the homepage of the report manager.
Run Internet Explorer as administrator (right click on the Taskbar icon)
Step 1 :: Add your local username to the Site Settings security roles page. (Security - System Administrator)
Step 2 :: Add your local username to the Folder Settings on the home page. (Select Content Manager)
Close the Administrator IE session.
Open IE in normal mode under your user account.
Windows 8.1
I resolved this with help from the answer by Austin McLaughlin posted earlier. In my case I had been logged in with a local account that had administrator privileges, but attempting to http://127.0.0.1/Reports (hearinafter referred to as "the Reporting Services Manager") produced the error reported by the OP.
The key for me was that the Administrator account was disabled by default in my Windows 8.1 laptop. Note that I did not originally have Windows 8.1 Pro, so there was no "Local Users and Groups" under "Computer Management". Thus, I had to purchase the Windows 8.1 Pro Pack online from MS for $100.
In Windows Explorer, right click on the Computer node and select "Manage".
Navigate to Local Users and Groups > Users
Right click on Administrator and select Properties
De-select "Account is disabled"
Restart PC
Log in to the PC as Administrator (I did not have to enter a password for the Administrator account on first login.)
From the desktop, run IE. No need to run as Administrator, of course, since you logged in as Administrator.
Navigate to the Reporting Services Manager.
At this point you should be logged in to the Report Administrator and on the Home screen. I had not been able to get this far before.
On the Home screen, click "New Role Assignment"
In "Group or user name", enter the local administrator account you use for development; i.e.: [yourmachine]\[username]
Select all the checkboxes (shortcut is to click the checkbox to the left of "Role") and click OK.
In the upper right hand side of the page, click Site Settings.
On the left side of the page, click Security.
Click "New Role Assignment"
In "Group or user name" enter the same account as in step 10
Check "System Administrator" checkbox and click OK
As a precaution, disable the Administrator account that you enabled in step 4.
Log out, then back in with your local account from step 10.
In IE, browse to the Reporting Services Manager. Note: It was not necessary for me to start IE as Administrator.
At this point you should be able to access Reporting Services Manager page, and configure reporting services further.
Change service account type as "Network Service" in service account tab then stop and start service and run IE as Administrator.
From Reporting Services Configuration Manager you can get to the node Report Manager Url. The URL works from this screen. Now you can use the Folder Settings to add yourself as a Content Manager, etc... Now the url will work for your user.
In IE, just add Add the reporting services website to "Local intranet" sites.
That's it.
Just open IE as Run As Administrator and just type URL as http://localhost/reports
So here's a bit of context for the horror story:
Win 2003 SP2 64bit running on a VM exposed to outside world for web access.
SQL Server 2008 Std SP2 64bit with Reporting Services (RS) installed for native mode (i.e. not sharepoint mode).
IIS 6 .NET 3.5 web site app written to use the web services from RS. The site has been set to use Windows Authentication and nothing else.
To save writting custom authentication since I don't need it for this demo I have set-up a local account in Win 2003, i.e. servername\myDemoUser, effectively allow fake Windows Authentication.
Default.aspx lists folders on RS and the reports from each folder. It also has a link to the Report Builder 2 on the server.
The rsreportserver.config has been changed so that the only <AuthenticationType> is <RSWindowsNTLM> since <RSWindowsNegoiate> can't work since it's across the internet and users will not be on the same network (hence the local account myDemoUser).
The web site app has url of the form: http://mysite.mydomain.co.uk/ and the link on it to the Report Builder is of the form: http://mysite.mydomain.co.uk/services/reportbuilder/reportbuilder_2_0_0_0.application, in this case RS has been configured so the Web services virtual directory is "services".
The web.config for the website app has been set to <identity impersonate="true /> for <locations> for the ASPX pages that access the RS webservice. I even added a <location path="services/reportbuilder"> with the same thing and also to allow anonymous users.
So after all the above I go to the site from a machine that isn't on the network, I get prompted by IE8 for username/password and I enter servername\myDemoUser and the correct password. The homepage is displayed and correctly shows the list of folders and reports from RS. HOWEVER if I click the RS report builder link I get the pop window saying it's doing it's clickonce verfication stuff but after a couple of seconds it shows simple message box saying there was an authentication error. The details button then shows a text file with a bunch of stacktrace stuff in which eventually says that the server returned 401 while accessing the .application file mentioned above.
I turned on failure auditing for logins on the Win 2003 VM and I can see that when the clickonce fails it is trying to use the local machine account I logged into on the external (to my network) machine instead of the credentials I entered into the browser on that machine when testing it.
Much Googling and granting of permissions to Network service, everyone etc... on various folders involved later nothing the Report Builder bit just won't install via clickonce due to permissions or the incorrect use there of.
I'm looking into maybe changing something in the RS to try and grant permissions to the report builder to anonymous but at this point I'm pretty pessimistic that I'll actually find anything. The annoying thing about this is that this a test that doesn't represent the final thing (we'll be using custom authentication in RS) but unfortunately I have to do it, 8(.
Any ideas would be most appreciated.
It turns out that when using fake Windows authentication in this way when the machine you are accessing the site from a machine where you have not logged into the domain then clickOnce won't work because it won't pass the details you enter into the browser as found.
So the solution is to:
1) Log into a (any) domain on the machine that is going to access the clickonce link on your site.
2) In Control Panel go to User Accounts (XP)/Store Users and Passwords (Win 2003), and manage the network passwords for a user (XP) and add in the URL, username and password.
Whenever clickonce fires up for this URL it will pass the username/password specified as opposed to the local machine account.
Either of the above will solve this problem.