2

My ASP page reads a file from a shared directory and sends it to the user.

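        Response.Clear();
        Response.ContentType = "application/octet-stream";
        // The header name must not include a trailing colon
        Response.AddHeader("Content-Disposition", string.Format("attachment; filename={0}", fileName));
        // filePath is a UNC path; the read happens under the worker process identity
        Response.WriteFile(filePath);
        Response.End();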

This ASP code runs on the web server. I suppose it is running as the Local System account because IIS is. filePath points to a file on the file server: \\fileserver\shared\abc.pdf

When I debug the code on my local machine, the file is read correctly from the ASP page. However, when I run it on the web server, it cannot read the file. What permission do I need to give \\fileserver\shared so that the ASP page will correctly read the file? Obviously Local System is not a valid user logon in the permission page.

yyyykk

3 Answers

2

The ASP.NET worker process runs using the identity of the application pool configured in IIS. In IIS 6 and above, this defaults to Network Service (as splattne points out).

If you need to access remote files from your ASP.NET application, I'd recommend creating a specific domain account and running the application pool as that user, and also granting that same user access to the share. That way you can control who gets access to the files. Network Service is a built-in account that exists on all WinXP machines (and above), so you wouldn't want to open the share up to that.

Another solution would be to just elevate the code that accesses the share to use the domain login, but let the rest of the ASP.NET code run as Network Service. This is probably more secure, though you have to figure out how to store the credentials securely then.

-dave

David Gardiner
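
The dedicated-account setup recommended in the answer above, as an added example that is not part of the original answer. It assumes IIS 7 or later with the WebAdministration module on the web server and Windows Server 2012 or later (SmbShare cmdlets) on the file server; the pool name, account name and local folder path are hypothetical placeholders.

```powershell
# ----- On the IIS web server (elevated prompt) -----
Import-Module WebAdministration

$pool = 'FileDownloadPool'   # hypothetical application pool name

# Prompt for the dedicated domain account so the password is never
# written into the script (e.g. CONTOSO\svc-filedownload, constructed name)
$cred = Get-Credential -Message 'Domain account for the application pool'

# Show which identity the pool uses before the change
(Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).identityType

# Run the pool as the dedicated account instead of a built-in identity
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3         # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Restart-WebAppPool -Name $pool

# ----- On the file server (elevated prompt) -----
$account   = 'CONTOSO\svc-filedownload'   # same account as above (constructed)
$shareName = 'shared'                     # share behind \\fileserver\shared
$localPath = 'D:\shared'                  # assumed local folder behind the share

# Both layers must allow the read: the share ACL and the NTFS ACL.
# Grant read-only on each, and only to the dedicated account.
Grant-SmbShareAccess -Name $shareName -AccountName $account -AccessRight Read -Force
icacls $localPath /grant "${account}:(OI)(CI)RX"

# Review the result: the account should appear with Read / RX and
# no broader entry (Everyone, Domain Computers) should be required.
Get-SmbShareAccess -Name $shareName
icacls $localPath
```

If the pool has to stay on Network Service, the same two grants would instead name the web server's computer account (DOMAIN\computer$), which gives every service running as Network Service or Local System on that machine the same read access.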
1

Network Service and Local System both appear on the network as the computer account (DOMAIN\computer$). So you'll need to give that account permission on your file share, if you are unable to use a regular user account.

user2278
0

In Windows Server 2003 (IIS 6.0), ASP.NET code runs as the Network Service account. So grant the folder read permission to that built-in account.


Microsoft TechNet article: IIS and Built-in Accounts (IIS 6.0)

The built-in Network Service user account has fewer access privileges on the system than the LocalSystem user account, but the Network Service user account is still able to interact throughout the network with the credentials of the computer account.

For IIS 6.0, it is recommended that the worker process identity that is defined for application pools run as the Network Service user account, which is the default setting. The following table shows the default user privileges for the Network Service account, along with how each privilege is derived.

splattne