Network Service Account and Access Denied Exception

First, I felt I had a clear understanding of how the Network Service account work. It is the default account ASP.Net runs under and has very limited access. I have verified in the Application Pool that ASP.Net is running under the Network Service Account.

I have a UNC file share that is located on another server, let us say "\\myserver\myfiles".

I have logged on to "MyServer" and right-clicked on the shared folder "myfiles" and just for the sake of testing, went to the Shared Tab->Permissions and added the Network Service account and gave it "change and read" access. I then went to the Security Tab, added the Network Service account and gave it all permissions.

For some reason, I am still getting an "access denied" exception.

I know impersonation is an option at some point, but I would really like to know why my ASP.Net application cannot copy a file to this share just for my own personal understanding given the fact that I gave the Network Service account the proper access.

Like always, I will continue to research.

IIS 6
ASP.Net 2.0

I found the following quote on the Internet and just wondered if someone could confirm this.

Quote:

---

Howeve, if you're running ASP.NET as a local account ( ASPNET or NETWORK SERVICE ),
you will not be able to give that local account permission to access the UNC share
( because that account will not exist in the server where the share is located ).

---

The Network Service Account is a special account that would exists on other Windows machines, so I am not sure if this is correct.

At home, I created a basic page that copies a file on 1 server to another server via a UNC share and I get the access denied error.

Hey,

I wouldn't necessarily agree with that statement no. As long as you qualified the Network Service account with the computer name that it is associated with, then you should be able to give it permissions.

Having said that though, in situations like this, we normally create a "service" account, with the necessary permissions to do everything that is required, and that account is used to run the web site.

Gary

Quote:

---

Originally Posted by gep13

Hey,

I wouldn't necessarily agree with that statement no. As long as you qualified the Network Service account with the computer name that it is associated with, then you should be able to give it permissions.

Having said that though, in situations like this, we normally create a "service" account, with the necessary permissions to do everything that is required, and that account is used to run the web site.

Gary

---

Gep, what do you mean by the comment in bold?

I went ahead and used impersonation, so the issue has been resolved.

I wonder if there is some type of inherent feature to the Network Service account that disallows writing to a UNC Share?

Not sure.

Hey,

So, when setting permission for that user on MachineA, all you need to do is say "Network Service" user has access. However, if on MachineB, you want to give the "Network Service" user of MachineA access to something on it's machine, you need to give permission to "MachineA\Network Service"

Gary

Quote:

---

Originally Posted by gep13

Hey,

So, when setting permission for that user on MachineA, all you need to do is say "Network Service" user has access. However, if on MachineB, you want to give the "Network Service" user of MachineA access to something on it's machine, you need to give permission to "MachineA\Network Service"

Gary

---

Hmmm, when I type in "computername\NETWORK SERVICE" , that username is not found in Active Directory.

It will only recognize "NETWORK SERVICE".

Hey,

Are you using the standard "Security" dialog? What is your "Location" set as?

Gary

Quote:

---

Originally Posted by gep13

Hey,

Are you using the standard "Security" dialog? What is your "Location" set as?

Gary

---

gep, sorry for the late response.

I am not sure what you mean by "standard security dialog".

1) What I am doing is going to the "shared" folder in Windows XP.

2) Right-click and choosing the Security Tab

3) Push the add button and the "select users, computers and groups" dialog comes up

4) Entering "COMPUTERNAME\NETWORK SERVICE" and pressing "check name"

Hey,

Yes, this is what I was referring to.

Have you not got another option, above where you enter the name, called "From this location"?

What is that set to?

Gary

Quote:

---

Originally Posted by gep13

Hey,

Yes, this is what I was referring to.

Have you not got another option, above where you enter the name, called "From this location"?

What is that set to?

Gary

---

I see what you are saying.

The default is the "domain" and I would have to navigate to my PC. When I get some time, I will retry just to see if that works.

Hey,

I seem to remember this is what I had to do the last time, since you are essentially trying to add a local user, not a domain user.

Let us know how you get on.

Gary

Hi,
I am trying to do something similar, where a service I am creating will copy a file onto a remote computer on the network. Every time I try this it tells me access is denied. I have made the service run under a user account, which allowed it to work, but external security requirements (company policy imposed not OS imposed) won't let me run the service under a user account or impersonate a user account. Therefore I believe I am limited to the service accounts (Local Service, Local System, Network Service).
I have tried to go through and use the method described above to allow the service to copy. I go to the security settings for the destination folder and click Add, but the computer the service is running on does not appear in my available locations. I also notice that the dialog box is titled "Select Users or Groups" rather than "Select Users, Computers, or Groups." How do I give my service the permissions it needs to copy the file? If necessary, how do I see the computer that requires the permission in that dialog box?
I'm running XP Pro SP3 if that makes a difference at all.

Thanks in advance
Chris

Welcome to the forums!!

Are these computers on a workgroup, or on a domain? Or are they stand alone computers on neither a workgroup or a domain?

Gary

Currently they are in a workgroup because that's what I have for prototyping equipment. I'm told that when the computer is hooked up to the rest of the system it will be on a domain.

Chris

Since the computers are in the workgroup, you should be able to browse the other computers in the workgroup, and set the necessary permissions, in the same way as you can when you are in a domain.

Is there anyone in the IT department there that can help you with this?

Gary

I can go through and set permissions but I think it only applies to the local users. I can't select or type in a seperate computer on the network or a login on a seperate computer in the security dialog.

To clarify, I can get all the access I need when navigating the network and logging the service on using any user account. I don't get access whenever I am running the service under the local system, network service, or local service accounts, which is what I need it to run under.

IT at my company is contracted out, and they only involve themselves with the workstations with internet access and such. They aren't allowed to touch the equipment we're developing.

Chris

Can you take a screen shot of the dialog that you are trying to set the permissions on. I just want to verify something.

Gary

This is the window I'm trying to use to add my other computers service account. Once I get the service entered, it should be simply clicking a check box. The problem is I can't choose the other computer in the locations menu. All I get is a tree with one branch: the one location that is shown above. From what I've seen, if I use a domain instead of a workgroup, I will be able to select the computer because this dialog changes to "Select Users, Computers, or Groups" but I'm not sure on that.


Chris

Hmm, what OS are you running?

Can you also talk through the exact steps that you have taken to get to the above screen shot? I will try and replicate it on this end.

Gary

I am running Windows XP Professional SP3.

I navigate in windows explorer until I get to the folder I want to write to. I right click it and select Properties. I go to the Security tab (since advanced sharing and security is activated). I am given a list of users and their permissions. I then click Add and get the dialog posted above.

Okay, so to be clear...

You have two machines, and both of them are running Windows XP Service Pack 3.

You are browsing the machine that has the folder on it that you want to set the permissions on, or you are browsing from the first computer to the computer that has the folder that you want to set permissions on.

Gary

Computer A: Windows XP SP3 - has destination folder (one requiring access)
Computer B: Windows XP SP2 (don't ask)

The above steps were performed on Computer A in order to make a service running on computer B have the permissions to copy a file into a specific folder on computer A.

Note: at some point Computer B will be switched to Windows XPe (XP embedded)

And to clarify one other thing, both these computers are either on the same workgroup, or on the same domain, correct?

Gary

Yes, they are both on the same workgroup, creatively named WORKGROUP.