
Thread: 401.3: You do not have permission to view this directory or page

  1. #1
    Join Date
    Apr 2008
    Posts
    5

    401.3: You do not have permission to view this directory or page

    See: http://msdn2.microsoft.com/en-us/library/ms998358.aspx

    "Windows authentication without impersonation. This is the default setting. ASP.NET performs operations and accesses resources by using your application's process identity, which by default is the Network Service account on Windows Server 2003."
    Am I misreading something?

    I am using Windows Server 2003 and my site is configured for “Integrated Windows Authentication” only (in IIS).

    The “Network Service” account has read & execute permissions to the application folder.

    See: http://msdn2.microsoft.com/en-us/library/ms998320.aspx

    "By default on Windows Server 2003, ASP.NET applications run using this account's identity."
    However, if anyone other than an administrator attempts to access the site they get the following error message after three attempts to log on:

    "401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists)."

    The web.config file contains this line…

    <authentication mode="Windows" />

    See: http://msdn2.microsoft.com/en-us/library/aa291347.aspx

    "The Windows authentication provider relies upon IIS to perform the required authentication of a client. After IIS authenticates a client, it passes a security token to ASP.NET. ASP.NET constructs and attaches an object of the WindowsPrincipal Class to the application context based on the security token it receives from IIS."
    And: http://msdn2.microsoft.com/en-us/lib...0e(VS.80).aspx

    "Specifies Windows authentication as the default authentication mode. Use it with any form of Microsoft Internet Information Services (IIS) authentication: Basic, Digest, Integrated Windows authentication (NTLM/Kerberos), or certificates. In this case, your application delegates the authentication responsibility to the underlying IIS."
    And: http://msdn2.microsoft.com/en-us/lib...0e(VS.71).aspx

    "Specifies Windows authentication as the default authentication mode. Use this mode when using any form of Microsoft Internet Information Services (IIS) authentication: Basic, Digest, Integrated Windows authentication (NTLM/Kerberos), or certificates."

    The web.config file also contains this line…

    <identity impersonate="false" />

    Which, I am assuming, explicitly disables impersonation (even though that is the default behavior).

    See: http://msdn2.microsoft.com/en-us/lib...c5(VS.71).aspx

    "[If impersonate="true"] The ASP.NET application, now impersonating the client, then relies on the settings in the NTFS directories and files to allow it to gain access, or not. Be sure to format the server file space as NTFS, so that access permissions can be set."
    I am assuming the opposite of that is true. If I am explicitly NOT impersonating users, then NTFS permissions (ACLs) are not required for each user, but instead, you just need to grant “Network Service” NTFS permissions.


    The web.config file also contains this:

    <authorization>
    <!-- Rules are evaluated top-down and the first match wins, so the deny rule comes first. -->
    <deny users="?"/>
    <allow users="*"/>
    </authorization>

    See: http://msdn2.microsoft.com/en-us/lib...cd(VS.80).aspx

    "A question mark (?) denies anonymous users and an asterisk (*) indicates that all user accounts are denied access."
    So, I am assuming by adding that, that I am allowing only authenticated users. (no anonymous, or “guest” users)


    I also wrote code to output the current windows identity being used by the application…

    Code:
    System.Security.Principal.WindowsIdentity.GetCurrent().Name
    When I run that code, it returns the following value: “NT AUTHORITY\NETWORK SERVICE”

    If I grant NTFS file permissions for the specific user to allow read & execute access to the application folder, the 401.3 error goes away for that user.

    This behavior seems contradictory to the statements I read in the Microsoft documentation linked above.

    Am I incorrect in assuming that NTFS permissions for “Network Service” should be enough?

    Do I really have to grant every single user NTFS permissions to all the files in my ASP.Net application folder?

  2. #2
    Join Date
    Apr 2008
    Posts
    5

    Solved - Windows Authentication without Impersonation requires ACLs for user as well

    Though it is not explicitly stated anywhere in Microsoft ASP.Net security documentation (that I could find), IIS not only performs authentication (this fact is stated), it also performs its own authorization. This is independent of ASP.Net and occurs before ASP.Net (aspnet_wp.exe) is involved.

    If your ASP.Net / IIS6 web application is configured for the default "Windows Authentication without Impersonation" (as explained here) then you must remember these points...

    First, you need to configure NTFS file permissions (ACLs) for the Process Identity ("Network Service" by default).

    Second (not found in documentation), you ALSO need to configure NTFS file permissions for your Windows Users so IIS can authorize them to access the aspx pages.

    So far, from testing, it appears that Windows Users only require read & execute rights on the root application folder of your web app. I did not have to grant access for the areas mentioned in the "NTFS file permissions" link above (which only applies to the Process Identity).

    Note: If you are impersonating users, the Process Identity is the user identity, in which case the account would need those permissions too.

    Sorry, I could not find a link to a document that explicitly makes the statement above. So far, I'm the only one that I know of that has actually put this to print.

    If someone else out there can provide a link to prove you need (or don't need) to set NTFS file permissions for your Windows Users as well as for the Process Identity account, please let me know!
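
Added example, not part of the original posts and not Microsoft sample code: a C# helper for an ASP.NET page that puts the process identity next to the user IIS authenticated and estimates from the NTFS ACLs whether each has Read & Execute on the entries under the application root. `AclProbe`, `CanReadAndExecute` and `Report` are hypothetical names, and the ACL evaluation is an approximation that ignores owner rights and privileges.

```csharp
// Added example, not code from the thread. AclProbe and its members are hypothetical names.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Web;

public static class AclProbe
{
    const FileSystemRights Needed = FileSystemRights.ReadAndExecute;

    // Approximate check: do the ACEs matching this identity's user SID or group
    // SIDs grant Read & Execute, with no matching deny ACE?
    public static bool CanReadAndExecute(WindowsIdentity id, string path)
    {
        FileSystemSecurity acl = Directory.Exists(path)
            ? (FileSystemSecurity)Directory.GetAccessControl(path)
            : (FileSystemSecurity)File.GetAccessControl(path);
        FileSystemRights allowed = 0, denied = 0;
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            // Inherit-only ACEs apply to children, not to this object.
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            IdentityReference sid = rule.IdentityReference;
            if (!sid.Equals(id.User) && (id.Groups == null || !id.Groups.Contains(sid))) continue;
            if (rule.AccessControlType == AccessControlType.Deny) denied |= rule.FileSystemRights;
            else allowed |= rule.FileSystemRights;
        }
        return (allowed & Needed) == Needed && (denied & Needed) == 0;
    }

    // Call from a page the caller can already reach. One line per entry under the
    // application root, showing the result for both identities.
    public static string Report(HttpContext ctx)
    {
        WindowsIdentity process = WindowsIdentity.GetCurrent();   // e.g. NT AUTHORITY\NETWORK SERVICE
        WindowsIdentity caller = ctx.Request.LogonUserIdentity;   // the user IIS authenticated
        List<string> lines = new List<string>();
        foreach (string path in Directory.GetFileSystemEntries(ctx.Server.MapPath("~/")))
            lines.Add(string.Format("{0}: {1}={2}, {3}={4}", Path.GetFileName(path),
                process.Name, CanReadAndExecute(process, path),
                caller.Name, CanReadAndExecute(caller, path)));
        return string.Join(Environment.NewLine, lines.ToArray());
    }
}
```

With impersonation off the code runs as the process identity, so that account needs permission to read the ACLs it inspects; an entry reported as False for the caller is one whose ACL does not give that user Read & Execute.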
