IIS Configuration and Permissions for remote file attachments
While setting up some advanced capabilities of DovetailAgent, we ran into some IIS/Windows permission issues. This post is to capture and share some of the learnings.
To start with, Kevin Miller has a good post on installing Classic ASP web application on IIS7.
The “advanced” capabilities I’m referring to was setting up file attachment uploads, and saving those files off to a permanent file storage area, accessed by a UNC drive such as \\fileServer\attachments
Environment: Windows Server 2008, Dovetail Agent 4.3
The way file uploads work is that the file is first uploaded to the web server where DovetailAgent is running. Then, the application moves the file to the permanent storage location, which is commonly a share on a different server. The application also creates directories and subdirectories where needed. So if your base attachment directory is\\fileServer\attachments, a file may actually get stored in \\fileServer\attachments\case\12345\file.ext
As I mentioned earlier, if you’re using IIS7, review the post on installing Classic ASP web application on IIS7.
Permission Denied Error
If you’ve done all of this, and you try to upload a file attachment, you may encounter a Permission Denied error (from the attachment2.asp page).
This can happen because the anonymous IIS user does not have permission to access the remote file share, such as\\fileServer\attachments.
We want the user that is executing the web app to be able to write to that remote directory. Here’s one way to set this up.
- Create a domain user that has access to this file share.
- Use this domain user as the application user for the web app.
Lets say we create a user called mydomain\dovetail_app
File Server Config
On the \\fileServer, be sure that the domain user has read and write permissions to the attachments directory. This is best achieved by setting the NTFS permissions (as opposed to setting permissions on the share itself).
Web Server Config
We can then set the Identity of the Application Pool to this user. Right-click on the application pool, and choose Advanced Properties. Set the Identity to be the domain user
Make sure your DovetailAgent application belongs to the application pool:
Click the Authentication icon for the application:
Right-click on the Anonymous Authentication item:
Set the Anonymous Authentication Credentials to be the Application Pool Identity:
Now, the app will run as the same user as the application pool, which is the domain user that we configured the app pool identity as earlier.
You should now be able to successfully upload file attachments.
When downloading a file attachment, the DovetailAgent application transforms the physical file path into a URL. As part of the initial install steps for DovetailAgent, as part of Configure the Web Server, an attachments virtual directory / application is setup.
This should be an application, not just a virtual directory. If necessary, right-click on the attachments virtual directory (within IIS Manager) and choose Convert to Application.
The physical path of this application will be the remote file share, such as \\fileServer\attachments.
Set the Application Pool
Be sure to add this application to the same Application Pool as DovetailAgent. (same as we did earlier for the Agent application)
Set the Anonymous Credentials
Be sure to set the Anonymous Authentication Credentials to be the Application Pool Identity. (same as we did earlier for the Agent application)
You should now be able to successfully download file attachments as well.
No doubt, there’s a bunch of configuration to do. But hopefully this post will help.