IIS6 ASP

I have migrated an ASP app to 2003 IIS6 I have a simple ASP script that
updates a TXT file (actually a hit counter). On my win 2000 box it worked
fine on my 2003 box it will not update the file. I have tried creating a new
application pool as local system and have given every user account i can
think off write priv to the file but no luck.

Any Ideas

Mike

Joseph
Mon Aug 11 16:16:52 CDT 2003

Did you turn on the Active Server Pages Web Service Extensions. They are
off by default.
Actually it sounds like you have the asp page working but it can't update
the file. If that is the case then turn auditing on the file. Watch to see
who is accessing it. It should be the identity of the application pool.
Then apply appropriate permissions.

"Mike B" <mike@charolais.com> wrote in message
news:bh90du$pfj$1@newsg2.svr.pol.co.uk...
> I have migrated an ASP app to 2003 IIS6 I have a simple ASP script that
> updates a TXT file (actually a hit counter). On my win 2000 box it worked
> fine on my 2003 box it will not update the file. I have tried creating a
new
> application pool as local system and have given every user account i can
> think off write priv to the file but no luck.
>
> Any Ideas
>
> Mike
>
>

Paul
Mon Aug 11 17:02:35 CDT 2003

Mike,

What are you suggesting should be run under the Local System account?

I don't think it's a very good idea to run anything related to the web
server under the Local System account unless you wish to open yourself up to
security threats. As you probably know, any user can write to a file if they
are given appropriate access by the DACL.

Paul

"Mike B" <mike@charolais.com> wrote in message
news:bh93en$glj$1@newsg1.svr.pol.co.uk...
> I have asp turned on and regular ASP access works fine. running the
> application as Local System should have give sufficent priv to write a
file
>
> Mike
>
>
> "Prasanna Padmanabhan" <prasannap@citrix.com> wrote in message
> news:#RoBo4EYDHA.2524@TK2MSFTNGP09.phx.gbl...
> > I think IIS 6.0, being more secure and all that, disallows
> > running anything other than static content. So you cannot
> > run scripts (such as ASP) unless you explicitly allow running
> > scripts. To do so, expand on the Web Server extenstions node
> > in IIS 6.0, select Active Server pages and press Allow. Oh, and do
> > revert the app pool to run under Network Service account as
> > it is most secure. You can give write permissions for the Network
> > Service just for the folder that has your .txt hit counter file.
> >
> > Prasanna
> >
> >
> > "Mike B" <mike@charolais.com> wrote in message
> > news:bh90du$pfj$1@newsg2.svr.pol.co.uk...
> > > I have migrated an ASP app to 2003 IIS6 I have a simple ASP script
that
> > > updates a TXT file (actually a hit counter). On my win 2000 box it
> worked
> > > fine on my 2003 box it will not update the file. I have tried creating
a
> > new
> > > application pool as local system and have given every user account i
can
> > > think off write priv to the file but no luck.
> > >
> > > Any Ideas
> > >
> > > Mike
> > >
> > >
> >
> >
>
>

Chris
Mon Aug 11 18:29:08 CDT 2003

Hey ~

I think somewhere I read that someone suggested that NetworkService be
granted write access. This is not necessary. Keep in mind that the thread
where the ASP page is loaded is actually running under the context of the
user who is authenticated - if anonymous - this would IUSR_MachineName.
Otherwise, it is the authenticated user...

There isn't any necessary reason to grant any process account write
capabilities - any process account should be just fine with membership in
the IIS_WPG group. Also, do not assign IIS_WPG group write access either
otherwise all process accounts have access to each others content..

HTH,

--
~Chris (MSFT)
IIS Supportability Lead

This posting is provided "AS IS" with no warranties, and confers no rights


"Paul Baker" <ask> wrote in message
news:OXgeGRFYDHA.2032@TK2MSFTNGP10.phx.gbl...
> Mike,
>
> What are you suggesting should be run under the Local System account?
>
> I don't think it's a very good idea to run anything related to the web
> server under the Local System account unless you wish to open yourself up
to
> security threats. As you probably know, any user can write to a file if
they
> are given appropriate access by the DACL.
>
> Paul
>
> "Mike B" <mike@charolais.com> wrote in message
> news:bh93en$glj$1@newsg1.svr.pol.co.uk...
> > I have asp turned on and regular ASP access works fine. running the
> > application as Local System should have give sufficent priv to write a
> file
> >
> > Mike
> >
> >
> > "Prasanna Padmanabhan" <prasannap@citrix.com> wrote in message
> > news:#RoBo4EYDHA.2524@TK2MSFTNGP09.phx.gbl...
> > > I think IIS 6.0, being more secure and all that, disallows
> > > running anything other than static content. So you cannot
> > > run scripts (such as ASP) unless you explicitly allow running
> > > scripts. To do so, expand on the Web Server extenstions node
> > > in IIS 6.0, select Active Server pages and press Allow. Oh, and do
> > > revert the app pool to run under Network Service account as
> > > it is most secure. You can give write permissions for the Network
> > > Service just for the folder that has your .txt hit counter file.
> > >
> > > Prasanna
> > >
> > >
> > > "Mike B" <mike@charolais.com> wrote in message
> > > news:bh90du$pfj$1@newsg2.svr.pol.co.uk...
> > > > I have migrated an ASP app to 2003 IIS6 I have a simple ASP script
> that
> > > > updates a TXT file (actually a hit counter). On my win 2000 box it
> > worked
> > > > fine on my 2003 box it will not update the file. I have tried
creating
> a
> > > new
> > > > application pool as local system and have given every user account i
> can
> > > > think off write priv to the file but no luck.
> > > >
> > > > Any Ideas
> > > >
> > > > Mike
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Joseph
Mon Aug 11 18:56:29 CDT 2003

Yes my comment was not 100% correct. I have spent a little to much time
making network connections from my worker process to other machines.


"Chris Adams (MSFT-IIS)" <chrisad@online.microsoft.com> wrote in message
news:OUrzpBGYDHA.1744@TK2MSFTNGP12.phx.gbl...
> Hey ~
>
> I think somewhere I read that someone suggested that NetworkService be
> granted write access. This is not necessary. Keep in mind that the
thread
> where the ASP page is loaded is actually running under the context of the
> user who is authenticated - if anonymous - this would IUSR_MachineName.
> Otherwise, it is the authenticated user...
>
> There isn't any necessary reason to grant any process account write
> capabilities - any process account should be just fine with membership in
> the IIS_WPG group. Also, do not assign IIS_WPG group write access either
> otherwise all process accounts have access to each others content..
>
> HTH,
>
> --
> ~Chris (MSFT)
> IIS Supportability Lead
>
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "Paul Baker" <ask> wrote in message
> news:OXgeGRFYDHA.2032@TK2MSFTNGP10.phx.gbl...
> > Mike,
> >
> > What are you suggesting should be run under the Local System account?
> >
> > I don't think it's a very good idea to run anything related to the web
> > server under the Local System account unless you wish to open yourself
up
> to
> > security threats. As you probably know, any user can write to a file if
> they
> > are given appropriate access by the DACL.
> >
> > Paul
> >
> > "Mike B" <mike@charolais.com> wrote in message
> > news:bh93en$glj$1@newsg1.svr.pol.co.uk...
> > > I have asp turned on and regular ASP access works fine. running the
> > > application as Local System should have give sufficent priv to write a
> > file
> > >
> > > Mike
> > >
> > >
> > > "Prasanna Padmanabhan" <prasannap@citrix.com> wrote in message
> > > news:#RoBo4EYDHA.2524@TK2MSFTNGP09.phx.gbl...
> > > > I think IIS 6.0, being more secure and all that, disallows
> > > > running anything other than static content. So you cannot
> > > > run scripts (such as ASP) unless you explicitly allow running
> > > > scripts. To do so, expand on the Web Server extenstions node
> > > > in IIS 6.0, select Active Server pages and press Allow. Oh, and do
> > > > revert the app pool to run under Network Service account as
> > > > it is most secure. You can give write permissions for the Network
> > > > Service just for the folder that has your .txt hit counter file.
> > > >
> > > > Prasanna
> > > >
> > > >
> > > > "Mike B" <mike@charolais.com> wrote in message
> > > > news:bh90du$pfj$1@newsg2.svr.pol.co.uk...
> > > > > I have migrated an ASP app to 2003 IIS6 I have a simple ASP script
> > that
> > > > > updates a TXT file (actually a hit counter). On my win 2000 box it
> > > worked
> > > > > fine on my 2003 box it will not update the file. I have tried
> creating
> > a
> > > > new
> > > > > application pool as local system and have given every user account
i
> > can
> > > > > think off write priv to the file but no luck.
> > > > >
> > > > > Any Ideas
> > > > >
> > > > > Mike
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Istvan
Tue Aug 12 03:05:06 CDT 2003

"Chris Adams (MSFT-IIS)" <chrisad@online.microsoft.com> wrote in message
news:OUrzpBGYDHA.1744@TK2MSFTNGP12.phx.gbl...
> Hey ~
>
> I think somewhere I read that someone suggested that NetworkService be
> granted write access. This is not necessary. Keep in mind that the
thread
> where the ASP page is loaded is actually running under the context of the
> user who is authenticated - if anonymous - this would IUSR_MachineName.
> Otherwise, it is the authenticated user...
>
> There isn't any necessary reason to grant any process account write
> capabilities - any process account should be just fine with membership in
> the IIS_WPG group. Also, do not assign cwrite access either
> otherwise all process accounts have access to each others content..
>
> --
> ~Chris (MSFT)

I have a somewhat related problem and I am getting this error message:
Error: The Template Persistent Cache initialization failed for Application
Pool 'DefaultAppPool' because of the following error: Could not create a
Disk Cache Sub-directory for the Application Pool. The data may have
additional error codes..
ISS is running on the main DC in AD in Windows 2003 native mode. ISS was
installed after the server became a DC and the folders related to ISS have
the right permissions. The IIS_WPG group has one member, IWAM_'servername'.
ISS is used only in our intranet to distribute updates and hotfixes via SUS.
How can I fix this problem?

Istvan

>
> "Paul Baker" <ask> wrote in message
> news:OXgeGRFYDHA.2032@TK2MSFTNGP10.phx.gbl...
> > Mike,
> >
> > What are you suggesting should be run under the Local System account?
> >
> > I don't think it's a very good idea to run anything related to the web
> > server under the Local System account unless you wish to open yourself
up
> to
> > security threats. As you probably know, any user can write to a file if
> they
> > are given appropriate access by the DACL.
> >
> > Paul
> >
> > "Mike B" <mike@charolais.com> wrote in message
> > news:bh93en$glj$1@newsg1.svr.pol.co.uk...
> > > I have asp turned on and regular ASP access works fine. running the
> > > application as Local System should have give sufficent priv to write a
> > file
> > >
> > > Mike
> > >
> > >
> > > "Prasanna Padmanabhan" <prasannap@citrix.com> wrote in message
> > > news:#RoBo4EYDHA.2524@TK2MSFTNGP09.phx.gbl...
> > > > I think IIS 6.0, being more secure and all that, disallows
> > > > running anything other than static content. So you cannot
> > > > run scripts (such as ASP) unless you explicitly allow running
> > > > scripts. To do so, expand on the Web Server extenstions node
> > > > in IIS 6.0, select Active Server pages and press Allow. Oh, and do
> > > > revert the app pool to run under Network Service account as
> > > > it is most secure. You can give write permissions for the Network
> > > > Service just for the folder that has your .txt hit counter file.
> > > >
> > > > Prasanna
> > > >
> > > >
> > > > "Mike B" <mike@charolais.com> wrote in message
> > > > news:bh90du$pfj$1@newsg2.svr.pol.co.uk...
> > > > > I have migrated an ASP app to 2003 IIS6 I have a simple ASP script
> > that
> > > > > updates a TXT file (actually a hit counter). On my win 2000 box it
> > > worked
> > > > > fine on my 2003 box it will not update the file. I have tried
> creating
> > a
> > > > new
> > > > > application pool as local system and have given every user account
i
> > can
> > > > > think off write priv to the file but no luck.
> > > > >
> > > > > Any Ideas
> > > > >
> > > > > Mike
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

jcochran
Tue Aug 12 08:03:42 CDT 2003

On Mon, 11 Aug 2003 22:05:01 +0100, "Mike B" <mike@charolais.com>
wrote:

>I have migrated an ASP app to 2003 IIS6 I have a simple ASP script that
>updates a TXT file (actually a hit counter). On my win 2000 box it worked
>fine on my 2003 box it will not update the file. I have tried creating a new
>application pool as local system and have given every user account i can
>think off write priv to the file but no luck.

What do your logs show? Have you isolated the ASP code that writes to
the file and tested it separately? As for granting acces for user
accounts, STOP IT! The ASP will act as either the anonymous user
account or the account you autenticate as when the page is loaded.
Local system accounts have no bearing here.

Jeff

David
Tue Aug 12 17:42:26 CDT 2003

Your error is because you are running IIS6 on the DC. This wouldn't happen
if IIS wasn't on the DC (IIS on DC is not a recommended configuration).

Normally, IIS_WPG would contain IWAM, Network Service, Local Service, but
since this is on a DC, the IIS_WPG group cannot be used for this (groups on
DC become domain groups, and IIS_WPG needs to be a local group). So,
everywhere place where there is an IIS_WPG ACL, you must individually ACL
the process identity used by the Application Pool with the same permissions
as IIS_WPG.

The particular error you're noting is not fatal.

--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Istvan Csiszar" <kiiscs@_delete_uta.fi> wrote in message
news:eIYmlhKYDHA.536@TK2MSFTNGP10.phx.gbl...
"Chris Adams (MSFT-IIS)" <chrisad@online.microsoft.com> wrote in message
news:OUrzpBGYDHA.1744@TK2MSFTNGP12.phx.gbl...
> Hey ~
>
> I think somewhere I read that someone suggested that NetworkService be
> granted write access. This is not necessary. Keep in mind that the
thread
> where the ASP page is loaded is actually running under the context of the
> user who is authenticated - if anonymous - this would IUSR_MachineName.
> Otherwise, it is the authenticated user...
>
> There isn't any necessary reason to grant any process account write
> capabilities - any process account should be just fine with membership in
> the IIS_WPG group. Also, do not assign cwrite access either
> otherwise all process accounts have access to each others content..
>
> --
> ~Chris (MSFT)

I have a somewhat related problem and I am getting this error message:
Error: The Template Persistent Cache initialization failed for Application
Pool 'DefaultAppPool' because of the following error: Could not create a
Disk Cache Sub-directory for the Application Pool. The data may have
additional error codes..
ISS is running on the main DC in AD in Windows 2003 native mode. ISS was
installed after the server became a DC and the folders related to ISS have
the right permissions. The IIS_WPG group has one member, IWAM_'servername'.
ISS is used only in our intranet to distribute updates and hotfixes via SUS.
How can I fix this problem?

Istvan

>
> "Paul Baker" <ask> wrote in message
> news:OXgeGRFYDHA.2032@TK2MSFTNGP10.phx.gbl...
> > Mike,
> >
> > What are you suggesting should be run under the Local System account?
> >
> > I don't think it's a very good idea to run anything related to the web
> > server under the Local System account unless you wish to open yourself
up
> to
> > security threats. As you probably know, any user can write to a file if
> they
> > are given appropriate access by the DACL.
> >
> > Paul
> >
> > "Mike B" <mike@charolais.com> wrote in message
> > news:bh93en$glj$1@newsg1.svr.pol.co.uk...
> > > I have asp turned on and regular ASP access works fine. running the
> > > application as Local System should have give sufficent priv to write a
> > file
> > >
> > > Mike
> > >
> > >
> > > "Prasanna Padmanabhan" <prasannap@citrix.com> wrote in message
> > > news:#RoBo4EYDHA.2524@TK2MSFTNGP09.phx.gbl...
> > > > I think IIS 6.0, being more secure and all that, disallows
> > > > running anything other than static content. So you cannot
> > > > run scripts (such as ASP) unless you explicitly allow running
> > > > scripts. To do so, expand on the Web Server extenstions node
> > > > in IIS 6.0, select Active Server pages and press Allow. Oh, and do
> > > > revert the app pool to run under Network Service account as
> > > > it is most secure. You can give write permissions for the Network
> > > > Service just for the folder that has your .txt hit counter file.
> > > >
> > > > Prasanna
> > > >
> > > >
> > > > "Mike B" <mike@charolais.com> wrote in message
> > > > news:bh90du$pfj$1@newsg2.svr.pol.co.uk...
> > > > > I have migrated an ASP app to 2003 IIS6 I have a simple ASP script
> > that
> > > > > updates a TXT file (actually a hit counter). On my win 2000 box it
> > > worked
> > > > > fine on my 2003 box it will not update the file. I have tried
> creating
> > a
> > > > new
> > > > > application pool as local system and have given every user account
i
> > can
> > > > > think off write priv to the file but no luck.
> > > > >
> > > > > Any Ideas
> > > > >
> > > > > Mike
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>