How Do I Set Up IIS to Allow it to Use Network Resources?

If you're working with files (creating, copying, deleting etc.) in your ASP applications, you have probably configured the permissions for the IUSR_MachineName account so it is allowed to write to the folder where your files reside. However, if you want to write to a folder on another machine you'll run into problems: IUSR_MachineName is a local account, so the other machine knows nothing about it and refuses the write. This FAQ describes a few common scenarios to overcome these problems.

Let's say you have two machines, called WebServer and FileServer. The first machine is obviously the one that hosts IIS and serves your Web site. The second is the machine where you want to save your files. To configure your Web site on WebServer so it is allowed to write to a folder on FileServer, you have at least 4 options:

  1. Use Integrated Security;
  2. Synchronize the IUSR account between the two machines;
  3. Configure IIS on WebServer so it uses a Domain Account instead of the default IUSR_WebServer account;
  4. Move your code to a COM+ DLL and host this DLL in a COM+ package. This package can be configured to run under a specific Domain Account.

In this article, I'll use WebServer and FileServer to refer to the two machines. This also means that the account IUSR_WebServer refers to the local account that IIS uses on WebServer. Make sure you replace WebServer and FileServer with the names of your machines.

Using Integrated Security

If you're using Integrated Security, IIS impersonates the currently logged on user for each request. So, if you access your Web site, your page code runs with your privileges. By configuring IIS to use Integrated Security, you can overcome the permissions issue: simply grant the users of your Web site the necessary permissions to the folder on FileServer.
Note that Integrated Security is only suitable for an Intranet scenario: it won't work over the Internet across firewalls, and at the time of writing only Internet Explorer supported it. There is a second catch when the folder lives on FileServer rather than on WebServer itself. The impersonation token IIS receives from an NTLM logon contains no credentials and cannot be used to authenticate to a second machine, so the write to FileServer fails with "access denied" even though your account has rights on that folder (the so-called double hop problem). It only works when the client and both servers use Kerberos and the WebServer computer account is trusted for delegation to FileServer; if you cannot arrange that, use one of the three remaining options.

How to Configure Your Server for Integrated Security?

  1. Open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel.
  2. Expand your server in the tree on the left until you see the Web site or Virtual Directory you want to configure. Right click the site or directory and choose Properties.
  3. Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area.
  4. Disable Anonymous access and check Integrated Windows authentication. The dialog should end up like this:

    Figure 1 - The Authentication Method in IIS set to Integrated Windows Authentication

  5. Browse to your Web site. Internet Explorer will log you on automatically and IIS runs with the privileges of your user account. If your account is allowed to write to the folder at FileServer (and WebServer is allowed to delegate your credentials to it, see the note above), your file access code will work.

Synchronize the IUSR Account

The second solution is to create two identical accounts with identical passwords on both machines. This works because of NTLM pass-through authentication: when WebServer connects to FileServer as IUSR_WebServer, FileServer looks for a local account with that name and verifies the password against its own copy. If name and password match, FileServer treats the connection as its own IUSR_WebServer account and applies that account's permissions to the folder where the Web files reside. The price is that the password now lives in three places (the account on WebServer, the anonymous user setting in IIS, and the account on FileServer); change it in one place and forget the others, and the site breaks.

How to Configure Your Servers for Synchronized Accounts?

  1. On WebServer, open up User Management (Local Users and Groups under Computer Management, or Active Directory Users and Computers if WebServer is a domain controller) and change the password for the IUSR_WebServer account. Give it a strong password, and make sure that the password does not automatically expire.
  2. In IIS on WebServer, change the password that the IUSR_WebServer account uses. Also disable the feature Allow IIS to control password. To do this, open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel. Expand your server in the tree on the left until you see the Web site or Virtual Directory you want to configure. Right click the site or directory and choose Properties.
    Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area. Make sure Anonymous access is enabled, and provide the strong password you set for the IUSR_WebServer account in step 1. The dialog box should look similar to this one:

    Figure 2 - Anonymous Authentication with a Synchronized IUSR Account

  3. On FileServer, create a new account and name it IUSR_WebServer. Notice that the account ends with WebServer, not with FileServer. Give this account the same password as you gave to IUSR_WebServer in step 1.
  4. Give the IUSR_WebServer account on the FileServer machine the required privileges to write to the directory that holds your files. Grant only what the pages need (typically Modify on that folder), not Full Control.
  5. Browse to your site. IIS will use the anonymous account IUSR_WebServer for any requests made to IIS. The mirrored account on FileServer makes sure that your IIS is allowed to write files to the folder on FileServer.

Using a Domain Account in IIS

Instead of using the mirrored IUSR account, you can create a brand new account that is specifically used for IIS anonymous access. Since this account lives in your (Active Directory) domain, it's easy to give it the required permissions on both WebServer and FileServer, and there is only one password to maintain. You may be tempted to use the Administrator account for that, but it's recommended not to. Using the Administrator account for IIS is a great security risk as it allows IIS, and all pages being served by it, to operate with Administrator privileges; a single flaw in one page then gives an attacker the whole server.

How to Configure Your Servers for a Domain Account?

To create the domain account follow these steps:

  1. On WebServer (or any machine with Active Directory Users and Computers installed), open up Active Directory Users and Computers (or other User Management software you may have) and create a new account. Call this account AnonIIS for example, although any name will do. Give it a strong password, make sure that the password does not automatically expire, and don't add it to any group it doesn't need; it never has to log on interactively.
  2. In IIS on WebServer, change the user account and password that are used for anonymous access. Also disable the feature Allow IIS to control password. To change both settings, open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel. Expand your server in the tree on the left until you see the Web site or Virtual Directory you want to configure. Right click the site or directory and choose Properties.
    Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area. Make sure Anonymous access is enabled, and provide the account name and strong password you created in step 1. The dialog box should look similar to this one:

    Figure 3 - Anonymous Authentication Using a Network Account

  3. On FileServer, give the YourDomain\AnonIIS account the required privileges to write to the directory that holds your files.
  4. Browse to your site. IIS will use the anonymous account you set in step 2 for any requests made to IIS. That domain account also has access rights to the folder on FileServer, so IIS is allowed to write files in that folder.
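The two procedures above (Synchronize the IUSR Account and Using a Domain Account) are click-through instructions for the IIS 5/6 console. Below is an added PowerShell version of the same steps, not code from the original article, written for IIS 7 or later (where, as discussed in the comments at the bottom of this page, the anonymous identity can still be set per site) on Windows Server 2012 or later. It assumes the WebAdministration, LocalAccounts, SmbShare and ActiveDirectory (RSAT) modules, and every name in it (WebServer, FileServer, YourDomain, AnonIIS, a WebFiles share backed by D:\WebFiles, the site name) is a placeholder for your own.

```powershell
# Added example; not code from the original article. Scripts the "Synchronize
# the IUSR Account" and "Using a Domain Account" procedures for IIS 7+.
# All machine, domain, account, share and site names below are placeholders.

#Requires -RunAsAdministrator

# Ask for the password once; it travels as a PSCredential, never as a literal
# in the script or in the shell history.
function Get-IisServiceCredential([string] $Account) {
    return Get-Credential -UserName $Account -Message "Password for $Account"
}

# Option 3 (domain account). Run where the ActiveDirectory module is installed.
# The account exists only to run IIS requests: it cannot change its own
# password and the password does not expire (an expired one takes the site down).
function New-IisAnonymousDomainAccount([pscredential] $Cred) {
    Import-Module ActiveDirectory
    $name = $Cred.UserName.Split('\')[-1]          # strip "YourDomain\"
    New-ADUser -Name $name -SamAccountName $name -AccountPassword $Cred.Password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'IIS anonymous identity; least privilege, no interactive logon'
}

# Option 2 (mirrored local accounts). Run on WebServer with -Reset to give the
# existing IUSR account the new password, then on FileServer without it to
# create the twin. Same name + same password on both machines is what lets
# FileServer accept the NTLM logon that WebServer presents.
function Set-IisMirroredLocalAccount([pscredential] $Cred, [switch] $Reset) {
    $name = $Cred.UserName.Split('\')[-1]          # e.g. IUSR_WebServer
    if ($Reset) {
        Set-LocalUser -Name $name -Password $Cred.Password -PasswordNeverExpires $true
    } else {
        New-LocalUser -Name $name -Password $Cred.Password `
            -PasswordNeverExpires -UserMayNotChangePassword
    }
}

# Run on FileServer. Modify (M) on the NTFS folder plus Change on the share is
# all a file-writing page needs: no Full Control, no Administrators membership.
function Grant-WebFilesAccess([string] $Account, [string] $Path, [string] $Share) {
    icacls $Path /grant "${Account}:(OI)(CI)M" | Out-Null
    Grant-SmbShareAccess -Name $Share -AccountName $Account -AccessRight Change -Force | Out-Null
}

# Run on WebServer. Sets the anonymous identity for ONE site (written as a
# <location> in applicationHost.config), so other sites keep their own identity.
function Set-SiteAnonymousIdentity([string] $Site, [pscredential] $Cred) {
    Import-Module WebAdministration
    $filter = 'system.webServer/security/authentication/anonymousAuthentication'
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site; Filter = $filter }
    Set-WebConfigurationProperty @common -Name enabled  -Value $true
    Set-WebConfigurationProperty @common -Name userName -Value $Cred.UserName
    Set-WebConfigurationProperty @common -Name password -Value $Cred.GetNetworkCredential().Password
}

# Read back what IIS will actually use for the site, so a typo in the account
# name is caught here instead of as "access denied" on the first request.
function Get-SiteAnonymousIdentity([string] $Site) {
    Import-Module WebAdministration
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName).Value
}

# Usage, option 3 (run each line on the machine named in its comment):
#   $cred = Get-IisServiceCredential 'YourDomain\AnonIIS'
#   New-IisAnonymousDomainAccount $cred                                  # domain controller / RSAT
#   Grant-WebFilesAccess 'YourDomain\AnonIIS' 'D:\WebFiles' 'WebFiles'   # FileServer
#   Set-SiteAnonymousIdentity 'Default Web Site' $cred                   # WebServer
#   Get-SiteAnonymousIdentity 'Default Web Site'                         # WebServer, verify
#
# Usage, option 2:
#   $cred = Get-IisServiceCredential 'WebServer\IUSR_WebServer'
#   Set-IisMirroredLocalAccount $cred -Reset                             # WebServer
#   Set-SiteAnonymousIdentity 'Default Web Site' $cred                   # WebServer
#   Set-IisMirroredLocalAccount $cred                                    # FileServer
#   Grant-WebFilesAccess 'IUSR_WebServer' 'D:\WebFiles' 'WebFiles'       # FileServer
```

The split into per-machine functions is deliberate: nothing here copies the password to a third place it doesn't need to be, and the verification step confirms the site-level setting rather than the server default, which is the one the console's "Allow IIS to control password" checkbox used to hide.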

Using a COM+ Package

The last method I'll discuss in this article is the use of a COM+ package to host a COM+ DLL created in VB 6 or C++ for example. I won't discuss the steps you need to perform to create the actual DLL, but instead I'll assume you have a project called MyCompany that exposes a class called MyUsefulproject which in turn has a method called WriteFile. This DLL will be hosted inside a COM+ package that is configured to use a specific domain account that has the required privileges to write to the folder on FileServer.

How to Configure Your Servers for COM+?

  1. On WebServer, open up Component Services in Start | Programs | Administrative Tools (it's called Microsoft Transaction Server, MTS, on NT 4).
  2. Expand Component Services | Computers | My computer.
  3. Expand COM+ applications.
  4. Right-click COM+ applications and choose New | Application.
  5. Click Next and choose Empty application.
  6. Enter a (arbitrary) name and click Next.
  7. Enter the details for a user account you want the component to run under. Leaving it at Interactive user is dangerous: if somebody without rights logs on, your component stops working, and it won't run at all when nobody is logged on, a common situation on (Web) servers. It's better to specify a user you created for this purpose with just enough rights. Refer to How to Configure Your Servers for a Domain Account, step 1 to find out how to create the account.
  8. Click Finish.
  9. Expand your newly created package and right-click Components and choose New | Component.
  10. Click Next, then choose Install new components.
  11. Click Add and browse for your DLL .
  12. Click Next again and then click Finish.
  13. Make sure the account you configured in step 7 has the required permissions for the documents folder on FileServer.
  14. Make changes to the code in your ASP pages. Instead of code dealing with files in your ASP pages directly, you should now make calls to the COM+ component, for example:
    ' The component runs inside the COM+ package under the identity from step 7;
    ' the ASP page itself still runs as IUSR_WebServer (or the authenticated user).
    Dim ObjFileHandler
    Set ObjFileHandler = Server.CreateObject("MyCompany.MyUsefulproject")
    ObjFileHandler.WriteFile()
    Set ObjFileHandler = Nothing
    
  15. Browse to your page. The code from step 14 will run. Instead of using your user context or the context of the IUSR_WebServer account, the context of the user you configured in step 7 is now used to access the folder on FileServer. Since this account is allowed to access that folder, any file handling code in the WriteFile method will run successfully.
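Steps 1 to 12 above can also be scripted through the COM+ administration catalog (the COMAdmin.COMAdminCatalog object that Component Services itself uses). The following is an added example, not code from the original article; the application name, the DLL path and the identity account are placeholders, and the account is meant to be the least-privilege domain account from the previous section rather than an administrator.

```powershell
# Added example; not code from the original article. Creates the COM+ server
# application from the procedure above with a configured identity and installs
# the DLL into it. AppName, Identity and DllPath are placeholders.

#Requires -RunAsAdministrator

function New-ComPlusServerApplication([string] $AppName, [pscredential] $Identity, [string] $DllPath) {
    if (-not (Test-Path -LiteralPath $DllPath)) { throw "DLL not found: $DllPath" }

    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()

    # Refuse to silently duplicate an application that already exists.
    foreach ($existing in $apps) {
        if ($existing.Value('Name') -eq $AppName) { throw "COM+ application '$AppName' already exists" }
    }

    $app = $apps.Add()
    $app.Value('Name')       = $AppName
    # 1 = COMAdminActivationLocal: a server application in its own dllhost.exe
    # process, the only kind that can run under a configured identity.
    $app.Value('Activation') = 1
    # "This user" instead of the default "Interactive user": the component keeps
    # working when nobody is logged on and never inherits an administrator's token.
    $app.Value('Identity')   = $Identity.UserName
    $app.Value('Password')   = $Identity.GetNetworkCredential().Password
    $apps.SaveChanges() | Out-Null

    # Registers the DLL's classes (e.g. MyCompany.MyUsefulproject) in the application.
    $catalog.InstallComponent($AppName, $DllPath, '', '')
}

# Verification: the identity COM+ will really use for the package.
function Get-ComPlusApplicationIdentity([string] $AppName) {
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        if ($app.Value('Name') -eq $AppName) { return $app.Value('Identity') }
    }
    return $null
}

# Usage (placeholder names):
#   $id = Get-Credential -UserName 'YourDomain\AnonIIS' -Message 'COM+ package identity'
#   New-ComPlusServerApplication 'MyCompany Files' $id 'C:\Components\MyCompany.dll'
#   Get-ComPlusApplicationIdentity 'MyCompany Files'
```

Step 13 of the procedure still applies: the account you pass as the identity needs Modify rights on the folder on FileServer, which is the same grant shown for the domain account option.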

Summary

Setting security permissions in IIS is not always a piece of cake. There are quite a lot of possibilities and options you can change. Choosing the right security settings often depends on the requirements of your application. The four solutions presented in this article all serve different setups and applications. Choose the correct mechanism for the job, and you'll end up with a secure but easily maintainable Web server configuration.



Feedback by Other Visitors of Imar.Spaanjaars.Com

On Wednesday, April 04, 2007 4:56:05 PM Phillip said:
How much different are the instructions for 'Synchronize the IUSR Account' when using IIS 6.0?

Thanks!
On Wednesday, April 04, 2007 5:00:05 PM Imar Spaanjaars said:
Hi Phillip,

Not much different at all. Did you try it? You'll see the same terminology and very similar screens....

Imar
On Saturday, December 01, 2007 8:34:58 AM GUNASEKARAN said:
I read your article,
one more clarification required regarding my ASP.NET web application (about COM+ components).
I have a DLL which is registered (regsvcs *.dll).
When the web server machine (Windows Server 2003) is logged in, the component is working fine. But when the web server machine is logged out, it is not working.
Can you help rectify this?


with thanks and regards,
gunasekaran.  
On Saturday, December 01, 2007 9:10:47 AM Imar Spaanjaars said:
Hi gunasekaran,

You probably gave the permissions for the component to your own account and not a service account like Network Service.

Imar
On Friday, April 25, 2008 5:37:32 PM Waner said:
My problem is similar, but the difference is that I don't have an IIS user on the web directory. Our site must get the Active Directory user and authenticate it, and if the anonymous user is set, IIS can't get the AD user. =(
Have u seen this problem before?

Thanks,

Waner
On Friday, April 25, 2008 5:50:48 PM Imar Spaanjaars said:
Hi Waner,

Sorry, but I have no idea what you are saying or asking.

Imar
On Tuesday, June 10, 2008 8:56:55 AM Nitesh Kumar Bahety said:
This is a very nice article, hope it will work. Also, in this article add the names of the DLLs which are used to access network resources in .NET.
On Wednesday, June 18, 2008 12:58:37 PM Gavin said:
Great article, thanks.
Works well for me on my 2003 machine, but my xp machine on same domain does not seem to connect to relative path using the assigned user account.
(the xp machine is a development machine).
Strange, but creating the account was a clean solution.
Do you have any tips for security settings?
On Wednesday, June 18, 2008 3:39:48 PM Imar Spaanjaars said:
Hi Gavin,

Not sure what tips you are asking for. You got it to work, right?

Imar
On Sunday, August 03, 2008 9:57:31 AM Yakimo said:
I have just move my Web server to VMWare, applied all security patches and suddenly my intranet access to the documents on mapped shared drive stopped.
I use ADODB.Stream.LoadFromFile like that:
    ' adTypeBinary (= 1) comes from adovbs.inc
    set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Type = adTypeBinary
    objStream.Open
    objStream.LoadFromFile "//srv-fil01/K2007.doc"
And here is exactly where I get an error (the same error if I map "//srv-fil01/" to a drive K:\):
Information (for support personnel)
Error Type:
ADODB.Stream (0x800A0BBA)
File could not be opened.
/tzy.asp, line 78

If I use objStream.LoadFromFile "C:/K2007.doc" it works just perfect (from the machine where IIS is running).
In short - if the file is on local drive, it works. If it is on file server, it doesn't

I tried the approach (1) with integrated security, but it didn't work for me.

Any suggestions how can I solve that? I don't like much the idea moving all files to the local drive :-(
On Sunday, August 03, 2008 10:23:41 AM Imar Spaanjaars said:
Hi Yakimo,

AFAIK, LoadFromFile accepts a UNC path as well, so in theory this should work. My guess is it's a security issue where your IIS account cannot access the network file.

BTW: mapping a drive won't work. The drive is mapped for your account, not for the entire server and thus not for the IIS account.

Have you tried \\ in your path instead of // ?

Imar
On Tuesday, December 30, 2008 10:54:42 PM Ahmed said:
I tried two of the methods you mentioned, i.e., Solution 1 and 3 (Integrated Security and using Domain Account) but that doesn't solve the problem. I keep on getting the same exception

Exception Details: System.IO.DirectoryNotFoundException: Could not find a part of the path 'h:\'

h:\ is the network shared drive in my case.
On Wednesday, December 31, 2008 11:56:50 AM Imar Spaanjaars said:
Hi Ahmed,

A drive mapping like h:\ is user specific. That is, it only applies to your account. The Network Service (or any other account) doesn't understand what it refers to. You need to use a UNC path like this instead:

\\ServerName\ShareName

Hope this helps,

Imar
On Sunday, April 25, 2010 11:33:02 AM ali noroozi said:
Hi,
in general how can I call a remote service in another server in the network?
For instance a CA server that needs to be called from IIS.
Please help me.
Thanks
On Sunday, April 25, 2010 12:34:29 PM Imar Spaanjaars said:
Hi ali,

A bit too general, and a bit too off-topic for me to answer here.

Look up WCF Services or post this on a forum like http://p2p.wrox.com/index.php?referrerid=385. If you do post there, be sure to provide more details than you've done here.

Cheers,

Imar
On Tuesday, June 03, 2014 7:37:49 PM sebastian said:
great article!
but how would it be to configure the "Synchronize the IUSR account" option under IIS 7 and IIS 8?
thanks
On Tuesday, June 03, 2014 8:42:52 PM Imar Spaanjaars said:
Hi sebastian,

You would need to set the identity of the application pool to "Custom account" and then enter the details for the account.

Cheers,

Imar
On Tuesday, June 03, 2014 8:49:52 PM sebastian said:
wouldn't be enough to (under iis manager) navigate to the folder/application (on the left panel), then "authentication" on the middle panel, and then modify the anonymous authentication to specify the user and pass?
that's because i don't want to affect all my websites and i don't want to create a new apppool either
thanks!
On Tuesday, June 03, 2014 8:58:49 PM Imar Spaanjaars said:
Hi sebastian,

Yes, that might work as well. Have you tried it?

Imar