File Access Denied in XP
pkatsoulas
#1 Posted : Tuesday, February 28, 2012 10:43:48 AM(UTC)
Groups: Member
Joined: 8/1/2011(UTC)
Posts: 33

My browser application running with UltiDev Pro 14 gets the following error when trying to access a file that is not in the target folder.

Access to path c:\Documents and Settings\All Users\Application Data\SPR\KnowledgePLAN Enterprise\ApplicationSettings.xml

This only happens in XP. It works fine in Windows 7 which uses folder c:\Users\Public\SPR\KnowledgePLAN Enterprise\ApplicationSettings.xml.

My guess is that this has to do with my host process which is ASP.NET 4, Network Service.

Is there a way in UltiDev Explorer to allow the file access? Better yet, can it be done using Starter.exe? My Starter.exe arguments are as follows:

[ProgramFilesFolder]\UltiDev\Web Server\UWS.RegApp.exe" /r /AppID="[UpgradeCode]" /aspnet:4 /defaultdoc:Default.aspx /vdir:KnowledgePLAN /path:"[TARGETDIR]KnowledgePLAN" /appname:"SPR KnowledgePLAN®" /appdesc:"SPR KnowledgePLAN® Enterprise

Any help would be appreciated.

Ultidev Team
#2 Posted : Tuesday, February 28, 2012 11:49:59 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi there!

Assuming that lack of "network service" access rights is the cause of the problem, there are several possible workarounds, listed below in no particular order.


  • Use cacls.exe utility.
  • Use UWS.Configuration's AclFolder() method.
  • If application is not Internet-facing and is deployed inside a secure network, register application with a host process running "Local System" account.
  • Isolate the logic requiring higher privileges into a ServicedObject and put it into a separate Class Library project that can be installed as an out-of-process (COM+) component, with its own user identity.


Hopefully this helps,
Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
pkatsoulas
#3 Posted : Thursday, March 1, 2012 10:37:03 AM(UTC)

I have no access problems when accessing the file outside of my application. Therefore, I will stick to the assumption that it has something to do with "network service" access rights.

I tried cacls.exe which didn't work. My application is internet facing and your COM+ suggestion is not appealing. So that leaves me with trying the AclFolder() method about which I have some questions.

The AclFolder() method is in the UWS.Framework.SystemUtilities package which I cannot find. Please tell me where it is so that I can reference it in my C# code.

Can you provide an example of calling the "well known system users" version of this method? It would be appreciated.
Ultidev Team
#4 Posted : Thursday, March 1, 2012 10:57:37 AM(UTC)
Hi there!

In order to use UWS Configuration API, please add reference to "UWS.Configuration" assembly to your project from the Visual Studio "Add Reference" list. After that you should have no trouble using UWS.Framework.SystemUtilites.AclFolder() methods.

WellKnownSidType enum has NetworkServiceSid - that's the one to be used.

Please let us know if this information was helpful.

Best regards,
UltiDev Team.
pkatsoulas
#5 Posted : Thursday, March 1, 2012 12:35:53 PM(UTC)

I was able to try the AclFolder() method approach but it did not work. I used NetworkServiceSid and gave Full Control. I am still getting the same access denied message. If you have any other suggestions, I would appreciate it. Otherwise I may have to consider not supporting XP.
Ultidev Team
#6 Posted : Thursday, March 1, 2012 1:05:26 PM(UTC)
Hi there!

Could you please clarify whether "Access Denied" occurs when you call the AclFolder() method, or when your application does what it does? If it's the former, please be sure that the application that attempts to grant rights runs as administrator. If it's the latter, could you please check whether the "Network Service" user now has access rights to the folder in question. We think that whatever keeps it from working also affects cacls.exe.

Also, could you try manually granting "Network Service" access rights to the folder and see whether that will make difference?

Best regards,
UltiDev Team.
pkatsoulas
#7 Posted : Thursday, March 1, 2012 3:27:56 PM(UTC)

The access denied message is now coming from the call to the AclFolder() method. I am running the application logged on as an administrator.

When I manually added the Network Service account to the folder and gave it Full Control the problem was fixed.

It appears that something is stopping the AclFolder() method from doing its job. Note that in Windows 7, there is no Network Service account yet the problem does not exist. The XP security is obviously different. I agree that cacls.exe probably does not work for the same reason as AclFolder().

Any other ideas?
pkatsoulas
#8 Posted : Thursday, March 1, 2012 4:05:57 PM(UTC)

I have a little more information to add to my above post. I manually changed the Network Service permission to read only and then ran my application again. This time the access denied failure came from where it originally came from (creating a FileStream). The call to AclFolder() did not fail.

It appears that when there was no Network Service user, AclFolder failed because it is not capable of creating a new user. When there was a Network Service user with Read Only permission, AclFolder does not fail but it also does not change the permission (Read Only to Full Control) and therefore the original failure happens again.
Ultidev Team
#9 Posted : Thursday, March 1, 2012 4:49:47 PM(UTC)
Hi!

"Network Service" user does exist on both XP and 7 at all times and cannot be created or deleted. If you were able to grant/revoke Network Service user's rights manually, but not via programs like cacls and your own, it is very strange, if in both cases it was done under the same user account. Is there any security policy in place there? In any case, we seriously doubt that this issue is XP-specific. Have you tried to test it with other XP systems?

Also, could you please post exception details of failed AclFolder() call?

Best regards,
UltiDev Team.
pkatsoulas
#10 Posted : Friday, March 2, 2012 2:17:43 PM(UTC)

I was not implying that I created a Network Service user. I simply brought up the properties dialog of the folder in which my file exists, selected the Security tab, added Network Service to the Group or User Name list, and gave it Full Control. Note that in order to get the Security tab, it is necessary to bring up Windows Explorer, select Tools > Folder Options, select the View tab, and uncheck "Use simple file sharing".

There are no security policies in place.

The call to AclFolder produces exception: "Attempted to perform an unauthorized operation"
pkatsoulas
#11 Posted : Friday, March 2, 2012 3:07:21 PM(UTC)

Sorry, I forgot to mention above that I did try this on another XP machine and got the same results. Also, I found an article on the Internet that suggested the same approach that I took. It appears to me that folder C:\Documents and Settings\All Users\Application Data in XP does not by default allow adequate permissions to user Network Service and therefore it must be manually adjusted. Since I put my file in a sub-folder of the above folder, I have a problem.

This does not however explain why method AclFolder does not allow me to make the permission change from within my code.
Ultidev Team
#12 Posted : Friday, March 2, 2012 3:55:43 PM(UTC)
Hi!

Thank you for additional details. We still don't know why AclFolder() does not work, but we'd like to ask you to try something.

  • Please go to the "C:\Program Files\UltiDev\Web Server" and
  • copy "Redirector" folder to "c:\Documents and Settings\All Users\Application Data\SPR".
  • Now, in "c:\Documents and Settings\All Users\Application Data\SPR\Redirector", please create App_Data folder and make sure that "Network Service" user does not have any rights to it.
  • Open UWS Explorer and register a new application (under a "Network Service" host) with physical location at "c:\Documents and Settings\All Users\Application Data\SPR\Redirector".
  • Now App_Data folder under "c:\Documents and Settings\All Users\Application Data\SPR\Redirector" should be accessible to "Network Service" - application registration process grants access to Network Service user for App_Data folder.


We have tested this and it has worked for us under XP, but we have found in our comments that ACLing does not always work for some reason.

Application registration process uses AclFolder() like this:
Code:
SystemUtilites.AclFolder(app_dataFolder.FullName, System.Security.AccessControl.FileSystemRights.Modify, System.Security.Principal.WellKnownSidType.NetworkServiceSid);


If that does not work, please try using this utility to check whether your current user has access to the folder in question.

Please let us know what you have found.

Best regards,
UltiDev Team.
pkatsoulas
#13 Posted : Monday, March 5, 2012 10:35:19 AM(UTC)

The App_data folder does get read/write privileges for the Network Service user. However, as stated above, I receive an error when calling the AclFolder method from within my code using the exact same arguments as you.

I tried AccessChk and it confirms that the App_data folder has read/write privileges for the Network Service user and that my folder has no privileges for the Network Service user.

It appears that we still need to discover why the AclFolder method is not working in my code.
pkatsoulas
#14 Posted : Monday, March 5, 2012 10:43:32 AM(UTC)

I thought as a sanity check, I would show you the C# code I use to call AclFolder.

string folderName = "C:\\Documents and Settings\\All Users\\Application Data\\SPR\\KnowledgePLAN Enterprise";
System.Security.Principal.WellKnownSidType[] wellKnownSidType = new System.Security.Principal.WellKnownSidType[1];
wellKnownSidType[0] = System.Security.Principal.WellKnownSidType.NetworkServiceSid;
UWS.Framework.SystemUtilites.AclFolder(folderName,
System.Security.AccessControl.FileSystemRights.Modify,
wellKnownSidType);
Ultidev Team
#15 Posted : Monday, March 5, 2012 2:54:22 PM(UTC)
Hi!

You've done it right, although since the last parameter has "params" keyword, you could use simplified form as shown in our code snippet in our previous post.

The mystery deepened, unfortunately, because we thought our code would be unable to ACL the folder on the machine. Since your code is fine, it leaves us at a loss as to why both cacls.exe and our AclFolder() function don't work. We suspect that once you make cacls.exe work, our API will work too.

Sorry we could not be of more help.

Best regards,
UltiDev Team.
pkatsoulas
#16 Posted : Thursday, March 22, 2012 11:36:36 AM(UTC)

I can now give privileges to the Network Service user using cacls.exe as follows:

cacls "C:\Documents And Settings\All Users\Application Data\SPR\KnowledgePLAN Enterprise\ApplicationSettings.xml" /T /E /G networkservice:F

However, I still get the following error if I try doing this in my code (see post 14):

Can't grant access rights to folder "C:\Documents And Settings\All Users\Application Data\SPR\KnowledgePLAN Enterprise\ApplicationSettings.xml" because it does not exist.

If I strip off the file name (ApplicationSettings.xml) in my code, I get the following error:

Attempted to perform an unauthorized operation.

Now that I can set the Network Service user privileges using cacls, it seems to me that there is probably a problem in your code. The failure is always in the call to UWS.Framework.SystemUtilites.AclFolder.

Any further ideas?
Ultidev Team
#17 Posted : Thursday, March 22, 2012 1:24:42 PM(UTC)
Hi there!

AclFolder() works for folders only, and not files.

"Attempted to perform an unauthorized operation" means that process/context user does not have permissions to do this.

Does problem go away if you use cacls.exe? Is it possible to use it instead of AclFolder()? We ask because we think we will be unable to find out why AclFolder() fails on that system.

Best regards,
UltiDev Team.
pkatsoulas
#18 Posted : Thursday, March 22, 2012 2:09:05 PM(UTC)

As stated above, using cacls solves the problem.

Your explanation is a bit strange since not only can I use cacls to give privileges to the Network Service user but I can also do it manually. I wonder if from within my application I need Network Service privileges to set Network Service privileges?

I guess I will use cacls from within my setup. Hopefully that will do it.

Thanks.
Ultidev Team
#19 Posted : Thursday, March 22, 2012 2:49:12 PM(UTC)
Hi there!

Are you able to use cacls.exe to grant permissions to the folder, and not to the file?

Could you please let us know if you are logged in as an administrator (if it's Windows XP/2003) or run elevated (if it's Win Vista/7/2008)?

Please consider using SetAccessControl() .NET API call - which is what we eventually do in AclFolder(), but you could use it to grant permissions to a file rather than a folder.

Best regards,
UltiDev Team.
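
The SetAccessControl() route suggested in post #19, as an added example that is not code from the thread or from UltiDev: it grants Network Service Modify rights on either a file or a folder through the .NET Framework System.Security.AccessControl classes, then reads the DACL back to confirm the grant took effect. The class and method names are made up for illustration, and the path is passed on the command line.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class GrantNetworkService   // hypothetical helper, not UWS code
{
    // Adds an allow rule for NETWORK SERVICE on a file or folder, then reads
    // the DACL back and returns true only if the grant is really there.
    static bool Grant(string path, FileSystemRights rights)
    {
        bool isDir = Directory.Exists(path);
        if (!isDir && !File.Exists(path))
            throw new FileNotFoundException("Path to ACL does not exist", path);

        var sid = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        // A folder rule is inherited by children; a file rule applies to itself.
        var inherit = isDir
            ? InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit
            : InheritanceFlags.None;
        var rule = new FileSystemAccessRule(sid, rights, inherit,
                                            PropagationFlags.None, AccessControlType.Allow);

        FileSystemSecurity acl = Read(path, isDir);
        acl.AddAccessRule(rule);                 // merges with an existing allow ACE
        if (isDir) Directory.SetAccessControl(path, (DirectorySecurity)acl);
        else File.SetAccessControl(path, (FileSecurity)acl);

        foreach (FileSystemAccessRule r in
                 Read(path, isDir).GetAccessRules(true, true, typeof(SecurityIdentifier)))
            if (r.IdentityReference.Equals(sid) && r.AccessControlType == AccessControlType.Allow
                && (r.FileSystemRights & rights) == rights)
                return true;
        return false;
    }

    static FileSystemSecurity Read(string path, bool isDir)
    {
        if (isDir) return Directory.GetAccessControl(path);
        return File.GetAccessControl(path);
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: GrantNetworkService <path>"); return 2; }
        try { return Grant(args[0], FileSystemRights.Modify) ? 0 : 1; }
        catch (UnauthorizedAccessException e)   // caller may not change the DACL
        { Console.Error.WriteLine("Not allowed to change the ACL: " + e.Message); return 1; }
    }
}
```

Granting on the single settings file with Modify keeps the Network Service account's write access as narrow as the application needs.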
pkatsoulas
#20 Posted : Friday, March 23, 2012 9:48:46 AM(UTC)

I can grant permissions using cacls on either the folder or the specific file. I am logged in as an administrator. I am running XP SP3. This issue only happens on my XP machines. It is fine on Vista and Windows 7.

I have put the call to cacls in my setup and it runs fine. I am happy with this approach.

Thanks.