Web Connection
Access to Temp folder denied
  Whil Hentzen
  All
  Dec 10, 2018 @ 10:42am

Hi folks,

Back again after a long time gone. Running WC 7 on Windows Server 2008, a public facing box that was configured by someone else and I'm coming into the mix after the fact. Never been THAT comfortable with that part of the plumbing, and it's been a LONG time since I last set up a server.

Getting "Access to the path... temp\WC_...ret is denied."

I'm getting the OUT files written to the temp folder but the RET files each have file size of 0.

The help file says "It's important that whatever user your Web application runs under has rights to read and write in the temp folder. You can use Module Admin page to see the actual user account that your server is running under (lower right corner of the display settings)."

I'm having trouble confirming that this is the case.

In Server 2008 IIS Manager, after clicking on either the Default Web Site node or the actual EXE node, there's a module applet. Clicking on that simply lists a screen full of services. No user account info.

Help further says "In IIS you control the identity via the Application Pool security settings by setting the Application Pool Identity to the user of your choice. The default user is SYSTEM which should always work"

When I open up permissions on the temp folder, I see a half dozen users....

  • CREATOR OWNER: Special (grey)
  • SYSTEM: M R/E L R W (grey)
  • NETWORK SYSTEM: M R/E L R W (black)
  • HDWebAdmin: Special (grey)
  • Administrators: M R/E L R W (grey)
  • Users: R/E L R Special (grey)
  • INTERACTIVE: M R/E L R W (black)

So at this point I'm stuck.

P.S. I've confirmed that both myapp.ini and wc.ini have the same temp folder identified, and recycled the Web Connection application pool.

Thanks...

Whil

re: Access to Temp folder denied
  Rick Strahl
  Whil Hentzen
  Dec 10, 2018 @ 10:54pm

Check the module admin page and first make sure what type of handler you're running. If you're using the default setup you should be running the .NET module rather than ISAPI, in which case wc.ini is not used. Configuration settings will be in web.config for the .NET module.

Permissions will be determined by the Application Pool Identity which you should be able to see at the bottom of the module admin page.

It sounds like your path is correct since the file can be written which means the IIS account is probably ok. The .ret file should be zero bytes - it's just a confirmation file that Web Connection server writes, and should get deleted by Web Connection handler. My guess is the delete permissions might be missing.

Whatever account is running the Application Pool needs to have FULL RIGHTS in the temp folder. SYSTEM, ADMINISTRATORS, INTERACTIVE and NETWORK SERVICE will be auto-installed with full rights. Any other accounts you have to add explicitly if you changed either the Application Pool or FoxPro DCOM identity explicitly.

If this doesn't make sense please describe your setup in more detail.

+++ Rick ---

re: Access to Temp folder denied
  Whil Hentzen
  Rick Strahl
  Dec 11, 2018 @ 08:19pm

OK, first things first. "Module Admin Page" means localhost/admin/admin.aspx. Duh. 😃

Can't get there either, running into the Access is Denied message (401.3, You do not have permission to view this directory or page using the credentials you supplied. Ask the Web server's admin to ....)

Followed the instructions on Loopback Protection, looked in Registry after, and Data was 1.

Consulted with the server admin and they're not really sure why the HDWebAdmin account isn't allowing access. I've looked myself at the admin folder's permissions, and see

SYSTEM Modify, R/E, List, Read, Write (i.e. Full Control)

HDWebAdmin Special - all perms Allowed, This folder only

I don't really understand the server admin enough to know what more info to provide.

Whil

re: Access to Temp folder denied
  Rick Strahl
  Whil Hentzen
  Dec 13, 2018 @ 12:22am

Did you follow instructions to install IIS properly from here:

Make sure that:

  • ASP.NET is installed
  • Windows Authentication is installed
  • Loopback adapter check is disabled

My guess is Windows (and Basic) Auth is missing...

+++ Rick ---

re: Access to Temp folder denied
  Whil Hentzen
  Rick Strahl
  Dec 13, 2018 @ 10:54am

You know how you leave the house and you KNOW you turned the stove off but you're driving off and that little voice in your head says, "Are you SURE?"

So I KNOW I turned authentication services on, installed ASP.NET, but I had to go look...

In IIS Server Manager (Windows Server 2008), Roles, Web Server (IIS), right-click, Add New Role, Select Role Services dialog. They don't match one to one to the client screenshot in help, but I think I've got everything required:

And double-check on loopback:

re: Access to Temp folder denied
  Rick Strahl
  Whil Hentzen
  Dec 13, 2018 @ 12:59pm

Yes that all looks good (assuming ASP.NET is installed as part of the IIS configuration which isn't shown in your screen shots)...

Try this to make sure ASP.NET is working at all without the authentication. Create a simple ASP.NET page (test.aspx) like this:

<h1>Hello world</h1>
<hr>
App's running under this account: <b><%= Environment.UserName %></b>

This does two things:

  • Tells you whether ASP.NET is working on your config
  • What account the app is running under (Application Pool Identity)

+++ Rick ---

re: Access to Temp folder denied
  Whil Hentzen
  Rick Strahl
  Dec 16, 2018 @ 11:30am

It looks like 1. yes, and 2. DefaultAppPool, per the attached.

Is #2 the problem?

re: Access to Temp folder denied
  Rick Strahl
  Whil Hentzen
  Dec 17, 2018 @ 01:49pm

Yes most likely that account doesn't have the permissions needed to read/write in the temp folder.

I recommend reading through the IIS configuration topic again.

We provide automated setup routines that handle all this, but if you insist on doing it manually you have to deal with the individual configuration issues as well 😃

+++ Rick ---

re: Access to Temp folder denied
  Whil Hentzen
  Rick Strahl
  Dec 17, 2018 @ 08:38pm

Well I'm confused here. Haven't used these Application Pools before, and so I don't understand the relationship between App Pools and user accounts on the server machine.

I've read through the IIS Config topic multiple times, but don't see this concept covered. I don't see anything related to permissions, except for the notes about enabling Basic and Windows Auth.

I see two interesting App Pools: "DefaultAppPool" and "West Wind Web Connection".

But I don't see any user accounts (right-click on the deploy\Temp folder, select Properties, select Security tab) that relate to these pools. In previous messages I've listed the accounts and their permissions.

What is the user account associated with the DefaultAppPool?

Whil

re: Access to Temp folder denied
  Rick Strahl
  Whil Hentzen
  Dec 17, 2018 @ 08:48pm

The relevant section is here:

The Application Pool has a Windows Identity which by default is passed through to the FoxPro server. IOW, the identity you set for the application pool determines what Windows account your Fox server runs under.

So - you have to ensure the account you use for the Application Pool has rights to:

  • Invoke the COM server (DCOM permissions - have to be explicitly set for non-Admin accounts when running COM)
  • File permissions (at minimum access to temp folder, but most likely also data and application and Web folders)

+++ Rick ---
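
The check described in the post above, as an added example that is not part of the original thread or of Web Connection's own setup scripts: it resolves the Windows account behind an Application Pool and reports whether that account is named on the temp folder's ACL with write and delete rights. The pool name default, the `C:\WebConnection\deploy\Temp` path and the `-Grant` switch are placeholders chosen here, and it assumes the IIS `WebAdministration` PowerShell module is available and the session is elevated.

```powershell
# Added example: pool name and temp path are placeholders, adjust to your server.
param(
    [string]$PoolName = 'DefaultAppPool',                # pool attached to the site
    [string]$TempPath = 'C:\WebConnection\deploy\Temp',  # hypothetical temp folder
    [switch]$Grant                                       # without it, report only
)
Import-Module WebAdministration

# 1. Resolve the Windows account behind the pool's identity setting.
$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
$account = switch ("$($pm.identityType)") {
    'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }   # virtual account
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'SpecificUser'            { $pm.userName }
}
if (-not $account) { throw "Unrecognized identityType: $($pm.identityType)" }
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
    [System.Security.Principal.SecurityIdentifier])
Write-Host "Pool '$PoolName' runs as $account ($($sid.Value))"

# 2. Add up the Allow entries that name this account directly. Rights that
#    arrive through a group such as Users are not counted here.
$acl  = Get-Acl -Path $TempPath
$have = 0
foreach ($r in $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])) {
    if ($r.IdentityReference.Value -eq $sid.Value -and
        $r.AccessControlType -eq 'Allow') {
        $have = $have -bor [int]$r.FileSystemRights
    }
}
# Read/write for the message files, Delete so the handler can clean them up.
$need    = [int][System.Security.AccessControl.FileSystemRights]'Read, Write, Delete'
$missing = $need -band (-bnot $have)
if ($missing -eq 0) { Write-Host "OK: $account can read, write and delete in $TempPath"; return }
Write-Warning ("{0} is missing: {1}" -f $account,
    [System.Security.AccessControl.FileSystemRights]$missing)

# 3. Optionally add an ACE for that account, on this folder tree only.
if ($Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $TempPath -AclObject $acl
    Write-Host "Granted FullControl on $TempPath to $account"
}
```

An `ApplicationPoolIdentity` pool runs as the virtual account `IIS AppPool\<pool name>`, which is listed on a folder's Security tab only after it has been added there explicitly. Granting that one account rights on the temp folder alone keeps the pool's file access narrower than running the pool under a more privileged identity.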

re: Access to Temp folder denied
  Whil Hentzen
  Rick Strahl
  Dec 20, 2018 @ 08:56am

We Have A Winner!

I'd read that section and verified that the West Wind Connection App Pool had the 32 bit set and the Identity set as well, but didn't put 2 and 3 together to do the same for the Default App Pool. I'm not sure why my EXE is running under the Default App Pool, so then why there's also a West Wind Connection Pool, but for the time being, I'm happy that I'm getting hits processed successfully. I'll re-read this a couple more times and it'll sink in. 😃

I'll switch to COM after the NY and I'm sure I'll have another question or two.

Thanks for suffering through all this with me. The users are already getting all jazzed. 😃

re: Access to Temp folder denied
  Rick Strahl
  Whil Hentzen
  Dec 20, 2018 @ 04:01pm

You only need to do this for one of the app pools but just make sure your site/virtual is using the right app pool. You probably want the West Wind Web Connection app pool rather than Default AppPool, but it doesn't matter which you use as long as you configure the one that's attached to your site.

re: Access to Temp folder denied
  Stein Goering
  Whil Hentzen
  Dec 21, 2018 @ 03:50pm

Whil,

You can specify the application pool your app runs under via the Manage Application/Advanced Settings dialog, as shown below. Per Rick's recommendation, you probably want to switch yours from Default AP to West Wind.

--stein

re: Access to Temp folder denied
  Whil Hentzen
  Rick Strahl
  Jan 16, 2019 @ 09:01am

Hi Rick, Stein,

Back in action, thanks for your notes. I will likely build a second server and see if my notes culled from this thread are copious enough. 😃

Stein, I'm in Madison a lot these days, I'm taking care of my pregnant daughter after a car accident, she's on the east side. I'm usually there over the weekend. Mebbe buy you a beer one of these times I'm in town? Would love to catch up...

Whil
