From: jordanrieger on 9 Aug 2007 17:29

Here is a nasty issue that has been giving me grief for the last couple days. This requires good knowledge of IIS, MSXML, and Windows/NTFS permissions.

We have an existing ASP (VBScript) app hosted on IIS 6.0 (W2K3). We need to restrict access to specific users within our company network. To reduce development effort I figured the easiest solution was to enable Integrated Windows Authentication. However once I enable IWA and disable Anonymous access, the app generates the following error:

msxml3.dll error '80070005'

Access is denied.

/training/quickstart/functions.asp, line 172

The relevant code:

    'g_sClassInfoXMLPath set to "\\JRIEGER\Share\classinfo.xml" for testing purposes
    Function LoadDocument
        Dim xmlInfo
        Set xmlInfo = Server.CreateObject("MSXML2.DOMDocument")
        xmlInfo.async = False
        Call xmlInfo.Load(g_sClassInfoXMLPath) 'generates error
        'etc...[/CODE]

For testing purposes, I hosted the XML file from a share on my box and recreated the problem. I have granted access to the share to my user. I have also created a local user on my box matching the username and password of the IUSR account on the server, and granted it access to the share. If I log into the server as myself and then navigate to the shared folder, I can access the file. Both my box and the server are on the same domain, and my user account is on the domain.

If I change the app back to Anonymous access, it works fine.

I need to host the XML file on a network share because the application could possibly be load-balanced in production and we want to store a single copy of the XML file on our NAS device to keep the data consistent between web servers.

Here are some things I've tried:
- On my box, I opened Computer Management > System Tools > Shared Folders > Sessions and then ran the app; sometimes when I refreshed the sessions window, I caught a new session from the user CSSSQAWEB01$ (this is the name of the server, followed by a $). There is no such user on the server. Does this indicate that the user is not authenticating properly?
- I ran Filemon on my box to try to see which user was attempting to access the file, but I couldn't find any record of the attempt. In fact, when I switched the app back to Anonymous access, Filemon still didn't see anything, even though the attempt succeeded. I wasn't filtering the output and I did a Find for "xml" but nothing came up.

Any suggestions would be much appreciated.

From: Anthony Jones on 10 Aug 2007 04:14

<jordanrieger(a)gmail.com> wrote in message
news:1186694963.166995.131020(a)x40g2000prg.googlegroups.com...
> Here is a nasty issue that has been giving me grief for the last
> couple days. This requires good knowledge of IIS, MSXML, and Windows/
> NTFS permissions.
>
> We have an existing ASP (VBScript) app hosted on IIS 6.0 (W2K3). We
> need to restrict access to specific users within our company
> network. To reduce development effort I figured the easiest solution
> was to enable Integrated Windows Authentication. However once I
> enable IWA and disable Anonymous access, the app generates the
> following error:
>
> msxml3.dll error '80070005'
>
> Access is denied.
>
> /training/quickstart/functions.asp, line 172
>
> The relevant code:
>
> 'g_sClassInfoXMLPath set to "\\JRIEGER\Share\classinfo.xml" for testing purposes
> Function LoadDocument
>     Dim xmlInfo
>     Set xmlInfo = Server.CreateObject("MSXML2.DOMDocument")
>     xmlInfo.async = False
>     Call xmlInfo.Load(g_sClassInfoXMLPath) 'generates error
>     'etc...[/CODE]
>
> For testing purposes, I hosted the XML file from a share on my box and
> recreated the problem. I have granted access to the share to my
> user. I have also created a local user on my box matching the
> username and password of the IUSR account on the server, and granted
> it access to the share. If I log into the server as myself and then
> navigate to the shared folder, I can access the file. Both my box and
> the server are on the same domain, and my user account is on the
> domain.
>
> If I change the app back to Anonymous access, it works fine.
>
> I need to host the XML file on a network share because the application
> could possibly be load-balanced in production and we want to store a
> single copy of the XML file on our NAS device to keep the data
> consistent between web servers.
>
> Here are some things I've tried:
> - On my box, I opened Computer Management > System Tools > Shared
> Folders > Sessions and then ran the app; sometimes when I refreshed
> the sessions window, I caught a new session from the user
> CSSSQAWEB01$ (this is the name of the server, followed by a $). There
> is no such user on the server. Does this indicate that the user is
> not authenticating properly?
> - I ran Filemon on my box to try to see which user was attempting to
> access the file, but I couldn't find any record of the attempt. In
> fact, when I switched the app back to Anonymous access, Filemon still
> didn't see anything, even though the attempt succeeded. I wasn't
> filtering the output and I did a Find for "xml" but nothing came up.
>
> Any suggestions would be much appreciated.

Has the user got both read access on the share _and_ read access on the file?
Is JRIEGER on the same domain as the Web server and the same domain as the user attempting the access?

--
Anthony Jones - MVP ASP/ASP.NET

From: jordanrieger on 13 Aug 2007 12:15

Hi Anthony,

Yes to both questions. The server (CSSSQAWEB01) and my computer (JRIEGER) are on the same domain and the user (JRIEGER) is the same. I used the Effective Permissions tab of the advanced file security dialog to ensure that the correct user has read access. I also tested logging into the server as myself and navigating to the share manually, and it allows me to read the file.

FYI: I duplicated this issue using a FileSystemObject to load the XML file into a string instead of loading it directly into the DOMDocument object. In this scenario I get the following error:

Microsoft VBScript runtime error '800a0035'

File not found

/training/quickstart/test.asp, line 6

But if I switch the application from Integrated Windows Authentication to Anonymous access, it works fine.

So at least I know for sure that the problem has nothing to do with the MSXML component. I think it has something to do with the user account that the server uses to try to access the file. It must be something other than the user logged in through IWA, but what? I wish I had a tool that could tell me which user was attempting to access a file over the network. Filemon doesn't seem to be it.

Thanks for any further suggestions you can provide.

> Has the user got both read access on the share _and_ read access on the
> file?
> Is JRIEGER on the same domain as the Web server and the same domain as the
> user attempting the access?
>
> --
> Anthony Jones - MVP ASP/ASP.NET

From: Anthony Jones on 15 Aug 2007 03:31

<jordanrieger(a)gmail.com> wrote in message
news:1187021745.894322.304030(a)x35g2000prf.googlegroups.com...
> Hi Anthony,
>
> Yes to both questions. The server (CSSSQAWEB01) and my computer
> (JRIEGER) are on the same domain and the user (JRIEGER) is the same.
> I used the Effective Permissions tab of the advanced file security
> dialog to ensure that the correct user has read access. I also tested
> logging into the server as myself and navigating to the share
> manually, and it allows me to read the file.
>
> FYI: I duplicated this issue using a FileSystemObject to load the XML
> file into a string instead of loading it directly into the DOMDocument
> object. In this scenario I get the following error:
>
> Microsoft VBScript runtime error '800a0035'
>
> File not found
>
> /training/quickstart/test.asp, line 6
>
> But if I switch the application from Integrated Windows
> Authentication to Anonymous access, it works fine.
>
> So at least I know for sure that the problem has nothing to do with
> the MSXML component. I think it has something to do with the user
> account that the server uses to try to access the file. It must be
> something other than the user logged in through IWA, but what? I wish
> I had a tool that could tell me which user was attempting to access a
> file over the network. Filemon doesn't seem to be it.
>

Both the file system object and MSXML will use whatever the current security token is in the thread to access a file system resource. In the case of an anonymous connection that would normally be IUSR_<machine> unless the anonymous user account has been changed in IIS. For an authenticated connection it will be the authenticated user account.

--
Anthony Jones - MVP ASP/ASP.NET

From: jordanrieger on 20 Aug 2007 14:16

Right, and this is an authenticated connection, so you'd think that the authenticated user account (TOP\JRIEGER) would be the one trying to access the file. Early in troubleshooting I verified that the authenticated user was the same by doing a

    Response.Write Request.ServerVariables("LOGON_USER")

which returned TOP\JRIEGER.

But then why does it get Access Denied? The permissions are correct because I can log into the server as TOP\JRIEGER and access the share through Explorer.

FYI:

    Response.Write Request.ServerVariables("AUTH_TYPE")

returns "Negotiate". Is this normal for Windows Authentication?

> Both the file system object and MSXML will use whatever the current security
> token is in the thread to access a file system resource. In the case of an
> anonymous connection that would normally be IUSR_<machine> unless the
> anonymous user account has been changed in IIS. For an authenticated
> connection it will be the authenticated user account.
>
> --
> Anthony Jones - MVP ASP/ASP.NET
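
Added example (not part of the thread, and not code from either poster): a classic ASP diagnostic page that puts the checks discussed above side by side, showing the account the thread token resolves to next to LOGON_USER and attempting the same read against a local file and against the UNC path. The helper names ThreadIdentity and TryRead are illustrative; TEST_PATH is the test path quoted in the first post.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic page, not code from the thread. The helper names
' (ThreadIdentity, TryRead) are illustrative assumptions.
Const TEST_PATH = "\\JRIEGER\Share\classinfo.xml"  ' UNC path quoted in the thread

' Account the current thread token resolves to, i.e. the account that
' FileSystemObject and MSXML file access run as on this server.
Function ThreadIdentity()
    Dim net
    Set net = Server.CreateObject("WScript.Network")
    ThreadIdentity = net.UserDomain & "\" & net.UserName
    Set net = Nothing
End Function

' Attempt the same kind of read the application performs and return the
' raw outcome instead of letting the page abort on the first error.
Function TryRead(path)
    Dim fso, ts
    On Error Resume Next
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set ts = fso.OpenTextFile(path, 1)   ' 1 = ForReading
    If Err.Number <> 0 Then
        TryRead = "FAILED 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    Else
        TryRead = "OK"
        ts.Close
    End If
    On Error GoTo 0
End Function

Dim localPath
localPath = CStr(Request.ServerVariables("PATH_TRANSLATED"))  ' this page's own file

Response.ContentType = "text/plain"
Response.Write "AUTH_TYPE  : " & Request.ServerVariables("AUTH_TYPE") & vbCrLf
Response.Write "LOGON_USER : " & Request.ServerVariables("LOGON_USER") & vbCrLf
Response.Write "Thread     : " & ThreadIdentity() & vbCrLf
Response.Write "Local read : " & TryRead(localPath) & vbCrLf
Response.Write "UNC read   : " & TryRead(TEST_PATH) & vbCrLf
%>
```

Run it once under Anonymous access and once under Integrated Windows Authentication: a failure that appears only on the UNC line, with the same thread identity on both runs' local reads succeeding, is tied to the network hop rather than to the file APIs. Remove the page after testing, since it discloses account names.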