View Full Version : ASP and IIS Authentication Problem

09-07-2005, 10:11 PM
Hi, I'm using IIS 5.1 to host some ASP pages I developed.

One of the ASP pages allows for file uploading, which then stores the file in a specified folder on the server; next, using CDOSYS it emails it as an attachment; and lastly, it deletes it from the server folder since it has now been emailed. The file upload is accomplished via pure VBScript (no installed components), just to give you a bit more info.

I have found that in order to get this to work without receiving a "Permission Denied" error is to uncheck Anonymous Authentication for my website folder (wwwroot in IIS). Now, this works fine as long as I'm accessing from localhost. If I change to accessing the page with my IP address in the address bar, I'm prompted with a login because now I'm not using Anonymous Authentication that internet guests use (IUSR_<machinename>).

How can I allow outside users to be able to upload to the server without requiring Authentication? Because take for example a company that allows uploads for Resumes for employment purposes. Naturally you don't want the user to have to go through any kind of authentication, but still be able to upload their resume to your server.

I mean, with Anonymous Authentication checked, I could easily set the Folder Security Permissions of wwwroot to allow IUSR_<machinename> the ability to do more than just read, like write, modify, and delete (which corrects the problem of course), but that seems very unsafe to allow that to outside users. If I just modified those permissions to the folder used for uploads to allow creating and deleting of files, instead of wwwroot, would that be ok security- and safety-wise?

Thanks for any input!

09-07-2005, 11:15 PM
You should try adding the IUSR account onto the security permissions for the folder your site is hosted in or wherever the files are being saved at and give it write permissions. That way people won't need to login in. Hopefully that makes sense.

09-08-2005, 01:24 AM
Yep, makes sense. So far I've conceded to just giving the permissions of being able to create/write files and delete for the upload folder, which allows me to keep Anonymous Authentication checked without giving me a Permissions Denied error on my ASP pages. I'm just hoping that won't give me any kind security breach with leaving that kind of access to that folder. I would think I'd be fine since I'm only constraining it to that one folder, but I just wanted to make sure, and was hoping someone might be able to shed a little more light on this area since I'm still pretty new to this. Thanks for the reply.