How to allow IIS web app file download to a server in another VLAN

Question

Hi, I am trying to develop an ASP.NET web application that consists of saving xml file to a server (shared folder) in another VLAN. I can see the file being saved successfully when I tried to run in debug mode (in my PC) but the file cannot be saved when I published the app to a server (same VLAN as my PC) and configured to run via IIS manager. I am not sure what is the issue. Only the file saving part is not working. The shared folder can be accessed via file explorer without any issue.

Any help is greatly appreciated. Thank you.

Answer 1

Does the production server have ability to read, and more imprortant write files to that other server on the same network? If the 2 servers in question are not part of a domain (ad) network, then you need to create a user, say "web1" user on the web server. Then create a user on the 2nd server - same name + password, and make sure that user can then read/write files on the 2nd server.

Now, for the app-pool, use this option:

So, now when your server with IIS tries to read/write files, it will use the "user" you created on that IIS server. As long as the SAME user + password exists on the 2nd server, then you should be ok.

As noted, regardless of above, your server with IIS will need the ability to read/write/see/use files on the 2nd server. So, you could I suppose open up the 2nd server as 100% public, or add rights from ii_user to the 2nd server. However, I find in most cases, it simply better to create a logon on both servers, and give that logon the rights to the folder in question.

Answer 2

Hi @Roefatin, Ridzuan

May you need to set the identity of the application pool to an account that has access to this shared folder. Or add IIS server account into user group of the server that contain shared folder, Give this user access right on shared folder. As mentioned above by community members, try setting the application pool identity to a custom account using your domain\username and password.

1. Go to the particular Application Pools and click on Advanced Settings.
2. Click on Identity and click on Custom account and click on Set…
3. Put window's current login User name, Password and Confirm password.
4. Click OK and recycle the Application pool by right-clicking and clicking on Recycle.

Best Regard，

TengFei Xie

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

Let's say that your web site is defined in C:\Inetpub\wwwroot. When IIS receives a request from a user to browse a page, it needs to read your .htm pages and .jpg images. The account it uses to access the file system depends on how you configured your site.

If your web site uses anonymous authentication, then IIS uses the IUSR account. So the NTFS permissions on the wwwroot folder need to grant read access to the IUSR account either explicitly or via group like Users.

If the site authenticates the client user, then the IIS worker process account is used. Typically that would be the IIS_IUSRS group on the permissions. If the site authenticates and impersonates the client then you need to grant access to some group that identifies the client user accounts. Sometimes "everyone" is used in that case.

https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/understanding-identities

In any event, none of those accounts have access to network shares on another computer. The solution to your question depends on how you have your site configured and if you are in an Active Directory domain or not.

There are numerous sites on the net that describe potential solutions.

https://www.bing.com/search?q=asp.net+access+%22file+share%22+impersonate