views:

432

answers:

1

Summary: One of our web applications requires write access to C:\Windows\Temp. However, no matter how much I weaken the NTFS permission, procmon shows ACCESS DENIED.

Background (which might or might not be relevant for the problem): We are using OLEDB to access an MS Access database (which is located outside of C:\Windows\Temp). Unfortunately, this OLEDB driver requires write access to the user profile's TEMP directory (which happens to be C:\Windows\Temp when running under IIS 7.5), otherwise the dreaded "Unspecified Error" OleDbException is thrown. See KB 926939 for details. I followed the steps in the KB article, but it doesn't help.

Details:

This is the output of icacls C:\Windows\Temp. For debugging purposes I gave full permissions to Everyone.

C:\Windows\Temp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                CREATOR OWNER:(OI)(CI)(IO)(F)
                BUILTIN\IIS_IUSRS:(OI)(CI)(S,RD)
                BUILTIN\Users:(CI)(S,WD,AD,X)
                BUILTIN\Administrators:(OI)(CI)(F)
                Everyone:(OI)(CI)(F)

However, this is the screenshot of procmon:

procmon screenshot

Desired Access: Generic Read/Write, Delete
Disposition:    Create
Options:        Synchronous IO Non-Alert, Non-Directory File, Random Access, Delete On Close, Open No Recall
Attributes:     NT
ShareMode:      None
AllocationSize: 0
Impersonating:  MYDOMAIN\myuser

PS: When logged in as MYDOMAIN\myuser, I can create files in C:\Windows\Temp using Windows Explorer without any problems.

EDIT: Relevant parts of web.config:

 <authentication mode="Windows" />
 <identity impersonate="true" />
 <authorization>
   <deny users="?" />
   <allow users="*" />
 </authorization>

Authentication seems to work, i.e., System.Security.Principal.WindowsIdentity.GetCurrent().Name (which is shown on my custom error page) returns MYDOMAIN\myuser.

A: 

Have you tried following the steps on this: loadUserProfile and IIS 7 temporary directory failures

CarlosAg
Well, that's exactly what I did (grant permissions). I even went so far as to grant *full* permissions.
Heinzi