This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 23%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
I have a web site written with ASP.NET(VB) that sends out a newsletter monthly, using Amazon SES. The previous month's newsletter had gone out normally, but I received a warning from Amazon that it would soon be a requirement to update security to level TLS 1.2.
I attempted to send out this month's newsletter, but I got a message
Access to the path '\www.famnet.org.nz...\NewsletterEmail.htm' is denied
I remembered the email from Amazon, and so I added into the method that sends newsletters (btnNewsletter_Click): -
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
However, although the web site was updated, I got the same error messages.
Message detail included
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
What file is meant? Is it <path>GroupAdmin.aspx.vb, which is the object containing the btnNewsetter_Click method? Or the html page that is being sent out as the message? There is a problem with either of these: they are both on the server, and I can't see them with Windows File Explorer. I can however see them in the Server-side window of SmartFTP. I can right click and choose properties, and I see three tabs General, Permissions, and Summary. I guessed that Security has been renamed to Permissions and opened this, but it said "This server does not support changing permissions".
So how do I fix this problem? What am I doing wrong? I suspect that I'm looking in the wrong place.
Thank you, Robert Barnes
More information. I have found that with SmartFTP the local window has a normal File Explorer, in which Right-click Properties shows a dialog with General, Security, Details, and Previous versions tab, whereas the server window has General, Permissions, and Summary.
With RDS I opened a remote Windows session on my Amazon Web Server, and navigated to NewsletterEmail.htm.
Right-click/Properties, Security tab, clicked [Advanced], then [Add] => Select Principle, which I filled in like this: -
Clicked [Check Names] => message
[Close], Clicked [Advanced] => dialog "Select user or group". Clicked [Find Now] with the default values set for me, =>
What do I select from this list? There is nothing here with name ASPNET, or anything else I recognize from the original error message.
Thank you again, Robert
Hi Robert,
If your application is running in DefaultAppPool you would enter IIS APPPOOL\DefaultAppPool for the user object and then grant permissions as needed. Might just need Read & execute and Read to the folder/file.
Please click Accept Answer if the above was useful.
Thanks.
-TP
I added user IIS APPPOOL\DefaultAppPool and the list of users for page ... NewsletterEmail.htm now included DefaultAppPool but this didn't make any difference, I still got the message "Access to the path ... denied. I added it to the folder D:\FamNet\Site that contains the hierarchy containing the specific page. Still getting the messages
In both cases I used the dialog Select User or Group, as shown above, searching for IIS APPOOL\DefaultAppPool which was found, and DefaultAppPool was added to the list of users together with permissions Read and Execute, Read, and (for the folder) List Folder Contents.
Edge: cleared Cache. Logged on to FamNet again, tried to send newsletter: still produced message.
What is wrong? Am I missing something?
Please check in IIS Manager to see how your app is configured. Navigate to your site in left pane, select it, then in right pane click Advanced settings..., then check which Application Pool is listed.
Unfortunately, although I could add DefaultAppPool, I still continued to get the message about "Access to path ... denied"
Which application pool running under? You can check in IIS Manager. What version of windows server?
Dumb question - where do I find IIS Manager? Here is a snap of the RDP's file structure, so presumably IIS is somewhere in here. Or it might be in the other server: Amazon have set me up with a separate database server for SQL Server. I don't know much about this, I know about the application, but all the rest has been set up for me, so please treat me like an idiot and spell it out for me.
After RDPing into your server, click Start button, then start typing IIS Manager and it should show. You may also open Server Manager, then click Tools -- Internet Information Services (IIS) Manager.
Navigate to your site in left pane, select it, then in right pane click Advanced settings..., then check which Application Pool is listed.
That's great, now I think we're getting somewhere. I found IIS manager, navigated to this page
I clicked Application Pools, and expanded Sites to see some detail
Both the FamNet and Jazz sites are working normally - you manage user logon, one can navigate to the web pages which you're allowed to see, they display correctly, and download things when they're supposed to. FamNet still uses http, it has not been upgraded to https. Does this explain why FamNet.org.nz has Classic in the column Managed Pipeline Mode?
I added System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 to the method that sends newsletters. This is what is now failing. Coincidence?
The problem has now been fixed. The error message "Access to the path ... denied was triggered by the line of ASP.NET (VB) code
HtmlBody = Webclient.DownloadString(HTMLSource)
However the line above set HTMLSource to //www.famnet.org/...., which was not a valid URL. It was changed to add "http:" to the beginning of the string returned by the Replace function
HTMLSource = "http:" & Replace(URL, NewsletterFileName, EmailFileName)
This solved the problem.
I can't understand this unless it's a consequence of adding
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
to the code. I'm sure that the code had not been changed! Anyway, the newsletters have now all cone out to Amazon SES, and a copy has returned to my own email, so all is now well.
Thank you for your help TP. I've learned something useful from your responses.
Glad you got it figured out. For future reference, your web sites are running in different application pools (not DefaultAppPool), so if you ever need to grant access you will need to use the appropriate name for the app pool instead of DefaultAppPool as I described originally.
There's nothing wrong with them running in a pool other than DefaultAppPool--I just wanted to let you know for purposes of understanding things better.
In regards to your solution, I would need to look at the code to understand better what is happening and why it had incorrect path before you fixed it. Since you have it working there is no need.
Additionally, "Classic" mode has nothing to do with your site running http. This setting deals with how IIS handles requests. Classic is the old mode from many versions back. Usually you set it to classic if you have an older application that was designed in such a way that it won't work with Integrated.
Please note I'm not suggesting you make any changes to your configuration. I mention small tidbits of information above only for learning/understanding purposes in case you need it in the future.
Thank you again TP, it's all useful knowledge. I might need some of it when Amazon SES starts enforcing the need for TLS1.2, which I believe is Sept 15th. I've put the code into the SendNewsletter method, but perhaps it should be in the Load method for the module containing this and the other methods. But I'll be delighted if I don't need any of this knowledge.
Unfortunately that didn't help. I was able to add DefaultAppPool to the user list, but I still continue to get the message about "Access to the path ... denied".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 59%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Your screenshot does not show the application path. Are you sure the path is correct?
\www.famnet.org.nz...\NewsletterEmail.htm
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 88%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGC%3C/text%3E%3C/svg%3E)
None of these solutions worked on my cooperate network, but I did find a solution.
Add the IUSR user for full permissions as mentioned, then add the IUSR user to the "IIS_IUSRS" group. My corporate network security is very tight and I cannot make new user accounts, but moving IUSR to this group made reading/writing an XML file to the web app folder work. No other solution worked for me.