
ASP sharing permissions problem? Or FileSystemObject problem? Please help!!

edmicman

Golden Member
Hello all, maybe someone could help me with this problem I'm having with ASP permissions? I'm running a win2k server setup, and am trying to access files through ASP code using the FileSystemObject code. Whenever I try and access the files, according to the internal paths, I get a permissions error. However, I am sure the permissions are set up correctly on the machine, as I am able to bring up files from a different mapped directory on the server, and both directories are set up the same. I have gone over the NTFS file permissions many times and they are identical. The only difference seems to be that the one that doesn't work is using the FileSystemObject to retrieve files. Additionally, if I enter in an http URL to the file in question, I am able to retrieve it. So it seems like an internal problem of sorts. So my question is, what else could it be if it isn't a permissions thing? I'm wondering if FileSystemObject uses some internal port (NETBIOS perhaps?) to communicate? I ask this, because the problem seemed to start when we tightened down our internet firewall box, which is in between the web server with the files and anything that's trying to access them. We locked out everything except what it needs to function (http, https, etc.), including the NETBIOS port. Could I be on to something here? Any help would be greatly appreciated, as this problem is becoming more critical the longer we wait. Any suggestions to another place to look would be great too! Thanks!

Peter
 
From what I can tell, you have a webserver and a separate fileserver. The FileSystemObject communicates just like any other application in Windows (i.e. Explorer). It uses NetBIOS to get to the other server where the files are located. You need to allow either NetBIOS through the firewall or configure the webserver and fileserver to use another protocol (NetBEUI) to communicate.
 
Thanks for the reply. I think that's getting closer to what the problem is. I believe we have netbios shut off since that's a security risk, but could see about opening up a specific hole for it or something. If we switched to another protocol, would the filesystemobject use that then, or is it hardwired to use the netbios?
 
Explicit Assumptions:
1. The file that your ASP is trying to access contains sensitive information, that cannot be stored on the WebServer.
2. You've blocked NetBIOS access from the DMZ to your private network, for d**n good reason. (It's supposed to be closed!)

Opening up NetBIOS is a real can of worms, and requires at least 3 ports, maybe more, depending on what OS versions you have, and the authentication protocol you want to use.

Suggestions:
1. Move the file to the webserver.
2. Move the fileserver to the DMZ.
3. Change your file-request from an Nbt file request, to an SQL query--which can be locked down to an individual port.
4. None of the above??

--Woodie
 
FileSystemObject will use whatever protocol that "Client for Microsoft Networks and File/Print Sharing" is bound to.
I agree with woodie, either put the files locally, or use SQL to do it. I would never even consider putting a fileserver in the DMZ. You could use a SQL server (i.e. MS SQL server) and set up a table where one of the fields (columns) is of data type binary (for storing files). Then you could build all sorts of slick queries against it. However, the larger the files stored in the SQL server, the more overhead is created.

Personally I would drop an extra nic in the web server and file server. On those nics use a crossover cable to connect them, and use NetBeui as the protocol. Then enable auditing on (which should already be running) the folders that contains the files. You can never log too much information.
 
hmmmm i tried opening up the netbios to no avail.....so now i'm back to square one. it almost seems like a basic permissions problem, but i keep checking all of the respective folders, permissions settings, users, etc., and everything seems in order. if the iusr account wasn't working, then web users shouldn't be able to pull up any files at all, which they can. it's just when we try and do it through the asp code. what other areas might i be overlooking permissions-wise?

also, about storing the files locally, wouldn't that defeat the purpose of having a separate webserver and fileserver? i would think this must be able to be done....gahhh i'm just missing something! thanks again for any help!
 
What ports did you open for netbios? and did you configure the target server to use a high-port (ala COM object), and did you open that high port?

W2K prefers to use Kerberos Authentication, which also requires port 88, in addition to 135/137/139.

You may also have to do an explicit call, like: net use * \\FileServer\SharePoint /User:FileServer\USERNAME password
That way the connection is authenticated using the specified ID, rather than the ID that the ASP is running under. Since the two machines have no established trust relationship (domain), the fileserver would attempt to authenticate the incoming ASP request/ID as a local ID on the fileserver, along w/ the password [hash].

--Woodie
 
hmmmm I just selected through our sonicwall internet firewall to enable the netbios ports between the webserver on the dmz and the fileserver that is behind the firewall. i essentially ended up with what appeared to be a specific hole between the two servers, and those two only, using the netbios ports. that didn't work, so i changed it to allow everything between the fileserver and the webserver, but still got the same results. port 88 was not among those enabled though.

however, something else strange occurred. i scrapped the port thing, and went back to the permissions. everything looked to be set up right, but in the ASP code using the filesystemobject, it would error out with a permissions issue whenever i try and access a file on the network using the mapped name (ie, \\fileserver\directory\filename.txt). The filesystemobject did work for a local file though, so it looks to be a network thing. So I thought maybe there was in fact an issue where it didn't have rights to see the file. BUT.....i did a runas cmd using the IUSR_WEBSERVER account, which is/should be the one that web access is using, and when doing that i was able to navigate and read files, etc., normally as expected.

So now I'm even more perplexed. I don't see how the account apparently works, but when the asp code is trying to access the files, it's somehow locked out. Is it even possible that the filesystemobject component has somehow become corrupted or something? That doesn't seem to explain how the local files work but the networked ones don't. Perhaps the net use thing you mentioned might be the issue, if the asp is using a different account for some odd reason than what it should......crazy crazy stuff
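
One way to check the open question in the last post (which account the ASP code actually runs as, and whether the failure is specific to the UNC path), as an added example that is not part of the original thread. `LOCAL_PATH` is a hypothetical placeholder; `UNC_PATH` reuses the example path quoted above.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic page, not code from the thread.
' Delete it from the web root once the test is done: it discloses account names.
Const LOCAL_PATH = "C:\Inetpub\wwwroot\test.txt"          ' hypothetical local file
Const UNC_PATH   = "\\fileserver\directory\filename.txt"  ' example path from the thread

' Open a file for reading and return the exact error text on failure,
' so a local failure can be told apart from a network-only failure.
Function ProbeFile(fso, path)
    Dim ts
    On Error Resume Next
    Set ts = fso.OpenTextFile(path, 1)   ' 1 = ForReading
    If Err.Number <> 0 Then
        ProbeFile = "FAILED 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    Else
        ts.Close
        ProbeFile = "OK"
    End If
    On Error GoTo 0
End Function

Dim fso, net
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set net = Server.CreateObject("WScript.Network")

Response.ContentType = "text/plain"
' Account name as reported by WScript.Network from inside this request.
Response.Write "Script identity : " & net.UserDomain & "\" & net.UserName & vbCrLf
' User that IIS authenticated for this request; empty for anonymous access.
Response.Write "LOGON_USER      : " & Request.ServerVariables("LOGON_USER") & vbCrLf
Response.Write "Local file      : " & ProbeFile(fso, LOCAL_PATH) & vbCrLf
Response.Write "UNC file        : " & ProbeFile(fso, UNC_PATH) & vbCrLf
%>
```

If the reported identity is a local account on the web server, compare it against the accounts the file server can authenticate, and check the file server's Security event log for failed logons at the time of the request.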
 