Access 2003 MDB via ASP.NET 2.0 with Minimal Security

  • Question

  • I have an ASP.NET web application which interfaces with an Access database belonging to a legacy application that resides on a server separate from my web application. My web application is working fine at the moment but the problem is that I had to configure the application to run as a domain administrator user in order for it to work. Configuring it as anything less than a Domain Administrator will result in the following error:

     

    The Microsoft Jet database engine cannot open the file 'xxxxx'. It is already opened exclusively by another user, or you need permission to view its data.


     

    I need the web application to operate with as few rights as possible so I initially followed the recommendations for configuring impersonation with IIS setting up user permissions outlined here:

     

    http://support.microsoft.com/default.aspx?scid=kb;en-us;307901

     

     

    No luck though. I first tried to configure the web application server's IUSR_xxxx account with the proper permissions but wasn't able to see the user on the server holding the Access db.

     

    I then created a user on the domain and gave it all of the permissions specified in the Microsoft Knowledge Base article but that still didn't work.

     

    After adding the new user to the Domain Admins group, everything works fine. Are there any folders the KB article is missing? Or any other steps that I'm not aware of?

    Monday, January 28, 2008 6:14 PM

All replies

  • Based upon the error I would suspect that there is still a permissions issue, probably at the group level, if that is what you're using to grant privileges to the domain user for the remote folder.

     

    The user must have full permissions to this folder in order to manage the corresponding .LDB file that is created when the Access database is opened.

     

    Monday, January 28, 2008 8:03 PM
  •  

    I agree that there is still a permissions issue...

     

    At the moment, I'm configuring a single user.

     

    In hopes of getting this to work I'm trying to go from Admin permissions and reduce to the lightest permissions possible.

     

    The current configuration of the single user (with the exception of belonging to the Domain Admins group) which does NOT work is Full Control of the following folders:

     

    <root>\Windows\Temp

    <root>\Windows\System

    <root>\Windows\System32

    <root>\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files

    <root>\Windows\Microsoft.NET\Framework\v2.0.50727

    <legacyAppRoot>\db\<dbFileName>.mdb

    <legacyAppRoot>\db

     

     

    Given that and the info specified in the KB article, the created user should be able to create temp files wherever it needs to.

    Monday, January 28, 2008 8:16 PM
  • Are you using a UNC path to your database in your connection string?

    Monday, January 28, 2008 8:25 PM
  •  

    Yes.

     

    Here is the connection string:

     

    Provider=Microsoft.Jet.OLEDB.4.0;Data source=\\<serverIP>\<legacyAppRoot>\db\<dbFileName>.mdb

    Monday, January 28, 2008 8:33 PM
  • So just to confirm, the web application is currently running under the domain account, or is it running under the IUSR account (which is a machine local account)?

     

    Tuesday, January 29, 2008 1:14 PM
  •  

    Yes, the application is running under a specially created domain account and the server holding the Access database has been configured to allow that user to have full control of the folders I listed in my previous post. However, even with full control of those folders, the application is unable to access the database file unless the domain user is added to the Domain Admins group. No further configuration to the web application is necessary.
    Tuesday, January 29, 2008 2:21 PM
  • So you verified that the security policy properties as specified in the MS KB article are configured properly?

     

    Tuesday, January 29, 2008 3:32 PM
  •  

    Yes, the security policies are set.

     

    The only thing I didn't do was create a new share for the db folder because that shouldn't be unnecessary given a fully qualified path.

    Tuesday, January 29, 2008 4:29 PM
  • Have you tried logging on locally to the web server using the domain account and then trying to access the remote resource using Windows Explorer and browsing through My Network Places?

     

    Tuesday, January 29, 2008 6:30 PM
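
Added example (not part of any post in this thread): a small C# console check that can be run as the low-privileged domain account to separate the failure points discussed above: which identity is in use, whether it can create and delete a file in the db folder (as Jet does with the .LDB file), and whether the Jet provider can then open the database. The server, share and file names are placeholders, not values from the thread.

```csharp
using System;
using System.Data.OleDb;
using System.IO;
using System.Security.Principal;

static class JetAccessProbe
{
    // Placeholders: substitute the UNC folder and file from your own connection string.
    const string DbFolder = @"\\SERVER-PLACEHOLDER\share-placeholder\db";
    const string DbFile = "database-placeholder.mdb";

    static void Main()
    {
        // 1. Which identity is this code actually running as?
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        // 2. Can that identity create and delete a file beside the .mdb?
        //    Jet does the same with its .ldb lock file when it opens the database.
        string probe = Path.Combine(DbFolder, "probe_" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            using (File.Create(probe)) { }
            File.Delete(probe);
            Console.WriteLine("Folder create/delete: OK");
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("Folder create/delete denied: " + ex.Message);
            return;
        }
        catch (IOException ex)
        {
            Console.WriteLine("Folder not reachable: " + ex.Message);
            return;
        }

        // 3. Only now try the Jet provider (provider string as quoted in the thread).
        string cs = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Path.Combine(DbFolder, DbFile);
        try
        {
            using (OleDbConnection conn = new OleDbConnection(cs))
            {
                conn.Open();
                Console.WriteLine("Jet open: OK");
            }
        }
        catch (OleDbException ex)
        {
            Console.WriteLine("Jet open failed: " + ex.Message);
        }
    }
}
```

Jet 4.0 is a 32-bit provider, so build the check for x86. If step 2 fails for the non-admin account, the problem lies in share or folder permissions rather than in the ASP.NET configuration.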