File permissions with FileSystemObject - CScript.exe says one thing, Classic ASP says another

Dylan Beattie · May 7, 2010 · Viewed 7k times

I have a classic ASP page - written in JScript - that's using Scripting.FileSystemObject to save files to a network share - and it's not working. ("Permission denied")

The ASP page is running under IIS using Windows authentication, with impersonation enabled.

If I run the following block of code locally via CScript.exe:

var objNet = new ActiveXObject("WScript.Network");
WScript.Echo(objNet.ComputerName);
WScript.Echo(objNet.UserName);
WScript.Echo(objNet.UserDomain);

var fso = new ActiveXObject("Scripting.FileSystemObject");
var path = "\\\\myserver\\my_share\\some_path";
if (fso.FolderExists(path)) {
    WScript.Echo("Yes");
} else {
    WScript.Echo("No");
}

I get the (expected) output:

MY_COMPUTER
dylan.beattie
MYDOMAIN
Yes

If I run the same code as part of a .ASP page, substituting Response.Write for WScript.Echo I get this output:

MY_COMPUTER
dylan.beattie
MYDOMAIN
No

Now - my understanding is that the WScript.Network object will retrieve the current security credentials of the thread that's actually running the code. If this is correct - then why is the same user, on the same domain, getting different results from CScript.exe vs ASP? If my ASP code is running as dylan.beattie, then why can't I see the network share? And if it's not running as dylan.beattie, why does WScript.Network think it is?

Answer

Stephen Martin · May 10, 2010

Under impersonation you can only access securable resources on the local computer; you cannot access anything over the network.

On Windows when you are running as an impersonated user you are running under what is called a Network token. This token has the user's credentials for local computer access but has no credentials for remote access. So when you access the network share you are actually accessing it as the Anonymous user.

When you are running a process on your desktop (like CScript.exe) then you are running under an Interactive User token. This token has full credentials for both local and remote access, so you are able to access the network share.

In order to access remote resources while impersonating a Windows user you must use Delegation rather than Impersonation. This will involve some changes to your Active Directory to allow delegation for the computer and/or the users in your domain. This can be a security risk so it should be reviewed carefully.
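A diagnostic page that makes the distinction in this answer visible, added here as an example and not code from the question or the answer: it probes one local folder and one UNC path with the same FileSystemObject, next to what IIS and WScript.Network report about the identity. LOCAL_PATH is an assumed placeholder; the UNC path is the one from the question, and the script is assumed to run inside a JScript ASP page with Windows authentication and impersonation enabled.

```jscript
<%
// Added diagnostic for the situation in the question; not the asker's or answerer's code.
// LOCAL_PATH is a placeholder folder on the web server itself; UNC_PATH is the
// share from the question, on a different machine (the "second hop").
var LOCAL_PATH = "C:\\inetpub\\diag_test";            // assumed local folder
var UNC_PATH   = "\\\\myserver\\my_share\\some_path"; // share from the question

function probeFolder(fso, path) {
    // FolderExists quietly returns false when access is denied, which is why the
    // question's output shows "No" with no error. GetFolder raises instead, so the
    // COM error text tells "not there" apart from "permission denied".
    try {
        fso.GetFolder(path);
        return "OK";
    } catch (e) {
        return "FAIL (" + e.description + ")";
    }
}

var net = new ActiveXObject("WScript.Network");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var lines = [];

// Who IIS authenticated and how. AUTH_TYPE "NTLM" rules out delegation outright;
// "Negotiate" may be Kerberos or an NTLM fallback, so it alone does not prove
// the token can be delegated to a second hop.
lines.push("LOGON_USER : " + Request.ServerVariables("LOGON_USER").Item);
lines.push("AUTH_TYPE  : " + Request.ServerVariables("AUTH_TYPE").Item);

// WScript.Network reports the impersonated user's name, but says nothing about
// whether the token carries network credentials, so this line looks identical
// under a network token and under a delegable one.
lines.push("Token user : " + net.UserDomain + "\\" + net.UserName);

// Expected under a plain impersonation (network) token: local OK, UNC FAIL.
// Once delegation is configured and Kerberos is in use, both should be OK.
lines.push("Local path : " + probeFolder(fso, LOCAL_PATH));
lines.push("UNC path   : " + probeFolder(fso, UNC_PATH));

Response.ContentType = "text/plain";
Response.Write(lines.join("\r\n"));
%>
```

Run it as the same user from a browser on the server and from a remote browser; a local OK beside a UNC FAIL, with the same token user on both, is the signature of the network-token case the answer describes.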