07-02-2002, 07:34 PM
Hi, hope you can help?!
I have a 2000 server running IIS and SQL and I'm experimenting with ASP.
When a user tries to connect to a page that contains asp stuff linking to the SQL database, unless the user connecting is in the administrator group for the server, they get a login box.
If they cancel the login, they get a you do not have permission to access this page.
if they go directly to a non asp page on the site they can get it ok.
I know it's a bit vague, but can anyone give me some suggestions as to where to start looking?
07-02-2002, 08:25 PM
My first thought would be to verify that the user account IUSR_YOURMACHINENAME has rights to this directory, or whichever NT group you want to have permissions (Everyone, Domain Users, etc.).
07-03-2002, 10:13 AM
I've checked and the permissions for the site seem ok. I removed the asp code from the asp page and the user wasn't prompted for a password. IIS is using Windows authentication.
The site has script and exe permissions enabled.
The SQL permission for the site seem ok too.
I've just removed friendly ie error messages and now can see the error:
HTTP401.3 Access denied by ACL on resource IIS...
Does that give any more clues?!?!
07-03-2002, 04:44 PM
I was actually talking about checking the Security settings on the folder itself. Do this via Windows Explorer. Get to the folder of this specific site and right click on the folder or file within that folder that you want to check the permissions and look at the properties. On the 'Security tab', you'll want to check who has permissions. If you want everyone to access the site, add IUSR_YOURMACHINENAME, possibly the Everyone group and verify their access levels. Generally the IUSR account needs close to full access. While I unfortunately don't get to work with SQL Server (I'm forced to use Access), I have to give the IUSR account 'Full Control' over the folder.
Also is 'Allow Anonymous Access' checked in IIS Management? Of course you only want to check this if it's what you want.
If none of this works, I would check SQL Server security settings. It could be that only the "Administrators" group is being given access to your SQL Server.
Hope this helps.
check with your sysadmin how the SQL Server access is set, which can either be NTFS, SQL, or mixed.
If NTFS or mixed, which presumably is, according to the access control list (ACL) error message you get, the connection string must include an authorized domain user for the uid= parameter.
hmm, just what did you mean by . . . if they go directly to a non asp page on the site they can get it ok.
how else can they get to SQL Server (from a browser based app) if not from within an asp page (unless from within a VB desktop app, if this is what you meant).
07-04-2002, 06:14 PM
Thanks Dan, I've checked the bits you mentioned and they all seem in order...
Server access is NTFS only.
The connection string is:
MM_Phonebook_STRING = "dsn=People;"
Do I just insert the line somewhere: uid="alex"?
Sorry, what I meant by that quote was if a user types in the url of the asp page i.e. http://test/test.asp then they get the login box, but if they type in a non asp page url i.e. http://test/test2.htm then they don't get the error- I was trying to let you know that it wasn't a site permissions problem (overall permissions are set in root folder). If that makes sense!!! Ta for the help so far!!!
you are using a dsn.
check the people.dsn file referred to in that line, and see if it has a uid= or userid= parameter, then set it to the user (or preferrably the user group) you want to give access to.
07-04-2002, 06:42 PM
The DSN is on the 2000 server. I've looked at the config of this DSN using the ODBC data sources admin thingy and it is set to 'verify the authenticity of the login ID' with Windows NT authentication using the network login ID.
Do need to manually edit this file?
Sorry if I'm being a bit thick, I'm a bit new to this part of things!
yes, you would have to edit the file if you want to change the current permissions. BUT if you are not familiar with the process, you can just do a test page directly specifying a connection string.
TIP: you can copy the contents of the .dsn file, and use that as the conection string, including of course, your modification.
it's getting really late here now in my country (it's 1:16 a.m.) , i'll probably be back tomorrow.