Network Service Account and Access Denied Exception
First, I felt I had a clear understanding of how the Network Service account work. It is the default account ASP.Net runs under and has very limited access. I have verified in the Application Pool that ASP.Net is running under the Network Service Account.
I have a UNC file share that is located on another server, let us say "\\myserver\myfiles".
I have logged on to "MyServer" and right-clicked on the shared folder "myfiles" and just for the sake of testing, went to the Shared Tab->Permissions and added the Network Service account and gave it "change and read" access. I then went to the Security Tab, added the Network Service account and gave it all permissions.
For some reason, I am still getting an "access denied" exception.
I know impersonation is an option at some point, but I would really like to know why my ASP.Net application cannot copy a file to this share just for my own personal understanding given the fact that I gave the Network Service account the proper access.
Re: Network Service Account and Access Denied Exception
I found the following quote on the Internet and just wondered if someone could confirm this.
Howeve, if you're running ASP.NET as a local account ( ASPNET or NETWORK SERVICE ),
you will not be able to give that local account permission to access the UNC share
( because that account will not exist in the server where the share is located ).
The Network Service Account is a special account that would exists on other Windows machines, so I am not sure if this is correct.
At home, I created a basic page that copies a file on 1 server to another server via a UNC share and I get the access denied error.
Re: Network Service Account and Access Denied Exception
Hey,
I wouldn't necessarily agree with that statement no. As long as you qualified the Network Service account with the computer name that it is associated with, then you should be able to give it permissions.
Having said that though, in situations like this, we normally create a "service" account, with the necessary permissions to do everything that is required, and that account is used to run the web site.
Re: Network Service Account and Access Denied Exception
Originally Posted by gep13
Hey,
I wouldn't necessarily agree with that statement no. As long as you qualified the Network Service account with the computer name that it is associated with, then you should be able to give it permissions.
Having said that though, in situations like this, we normally create a "service" account, with the necessary permissions to do everything that is required, and that account is used to run the web site.
Re: Network Service Account and Access Denied Exception
Hey,
So, when setting permission for that user on MachineA, all you need to do is say "Network Service" user has access. However, if on MachineB, you want to give the "Network Service" user of MachineA access to something on it's machine, you need to give permission to "MachineA\Network Service"
Re: Network Service Account and Access Denied Exception
Originally Posted by gep13
Hey,
So, when setting permission for that user on MachineA, all you need to do is say "Network Service" user has access. However, if on MachineB, you want to give the "Network Service" user of MachineA access to something on it's machine, you need to give permission to "MachineA\Network Service"
Gary
Hmmm, when I type in "computername\NETWORK SERVICE" , that username is not found in Active Directory.
Re: Network Service Account and Access Denied Exception
Hi,
I am trying to do something similar, where a service I am creating will copy a file onto a remote computer on the network. Every time I try this it tells me access is denied. I have made the service run under a user account, which allowed it to work, but external security requirements (company policy imposed not OS imposed) won't let me run the service under a user account or impersonate a user account. Therefore I believe I am limited to the service accounts (Local Service, Local System, Network Service).
I have tried to go through and use the method described above to allow the service to copy. I go to the security settings for the destination folder and click Add, but the computer the service is running on does not appear in my available locations. I also notice that the dialog box is titled "Select Users or Groups" rather than "Select Users, Computers, or Groups." How do I give my service the permissions it needs to copy the file? If necessary, how do I see the computer that requires the permission in that dialog box?
I'm running XP Pro SP3 if that makes a difference at all.
Re: Network Service Account and Access Denied Exception
Currently they are in a workgroup because that's what I have for prototyping equipment. I'm told that when the computer is hooked up to the rest of the system it will be on a domain.
Re: Network Service Account and Access Denied Exception
Since the computers are in the workgroup, you should be able to browse the other computers in the workgroup, and set the necessary permissions, in the same way as you can when you are in a domain.
Is there anyone in the IT department there that can help you with this?
Re: Network Service Account and Access Denied Exception
I can go through and set permissions but I think it only applies to the local users. I can't select or type in a seperate computer on the network or a login on a seperate computer in the security dialog.
To clarify, I can get all the access I need when navigating the network and logging the service on using any user account. I don't get access whenever I am running the service under the local system, network service, or local service accounts, which is what I need it to run under.
IT at my company is contracted out, and they only involve themselves with the workstations with internet access and such. They aren't allowed to touch the equipment we're developing.
Re: Network Service Account and Access Denied Exception
This is the window I'm trying to use to add my other computers service account. Once I get the service entered, it should be simply clicking a check box. The problem is I can't choose the other computer in the locations menu. All I get is a tree with one branch: the one location that is shown above. From what I've seen, if I use a domain instead of a workgroup, I will be able to select the computer because this dialog changes to "Select Users, Computers, or Groups" but I'm not sure on that.
Re: Network Service Account and Access Denied Exception
I am running Windows XP Professional SP3.
I navigate in windows explorer until I get to the folder I want to write to. I right click it and select Properties. I go to the Security tab (since advanced sharing and security is activated). I am given a list of users and their permissions. I then click Add and get the dialog posted above.
Re: Network Service Account and Access Denied Exception
Okay, so to be clear...
You have two machines, and both of them are running Windows XP Service Pack 3.
You are browsing the machine that has the folder on it that you want to set the permissions on, or you are browsing from the first computer to the computer that has the folder that you want to set permissions on.
Re: Network Service Account and Access Denied Exception
Computer A: Windows XP SP3 - has destination folder (one requiring access)
Computer B: Windows XP SP2 (don't ask)
The above steps were performed on Computer A in order to make a service running on computer B have the permissions to copy a file into a specific folder on computer A.
Note: at some point Computer B will be switched to Windows XPe (XP embedded)
Reply With Quote
Originally Posted by gep13
