Access denied in SMDagentApplication.log file
Hi ,
I am seeing below errors in SMDagentApplication.log file
com.sap.smd.wily.hostagent.action.SapOsColAction.launchDaemon(SapOsColAction.java:446)
... 15 more
Nov 12, 2009 7:32:45 AM [Thread[SAP GC|QEM_J00_server0,5,main]] Error com.sap.smd.wily.hostagent.action.GcScannerAction - scanInitial(): scan for file E:\usr\sap\QEM\JC00\j2ee\..\work\std_server0.outterminated: E:\usr\sap\QEM\JC00\j2ee\..\work\std_server0.out (Access is denied)Nov 12, 2009 7:32:45 AM [Thread[SAP GC|QEM_J00_server0,5,main]] Error com.sap.smd.wily.hostagent.action.GcScannerAction - doRun(): Action temporarily stopped: SAP GC|QEM_J00_server0
[EXCEPTION]
com.sap.smd.wily.hostagent.TransientException: java.io.FileNotFoundException: E:\usr\sap\QEM\JC00\j2ee\..\work\std_server0.out (Access is denied)
at com.sap.smd.wily.hostagent.action.AbstractAction.handleError(AbstractAction.java:322)
Managed system is on windows and smdadm user is in Administrator group.Please let me know if anybody has an idea.
Regards,
Tushar
Hi Tushar,
I know its quite an old message, but we too get a similar error message as you got during the Wily Introscope agent setup.
The user daaadm is part of Administrators group but still the Access Denied error.
Could you please share which additional OS roles you added to the diagnostics agent OS user?
Best Regards,
Srikishan
Similar Messages
-
I get an access denied error when logging into extension builder 2.1 on Flash Builder 4.6
I get an access denied error when logging into extension builder. The error is: You are not eligible to use CSIDE1 services due to the Service Eligibility Requirements.. Very frustrating since there is no other option than to read the adobe legal docs.
Before this started happening I was prompted to put in my birthday (WHO KNOWS WHY ADOBE NEEDS MY BIRTHDAY). I filled it in wrong and now this....
PLEASE HELPOk this problem is fixed.
Info for anyone else who faces this problem.
Apparently when adobe designed the extension builder installer package, they decided to get cute and try to figure out what version of the software, the extension builder package files should be installed into. So if you have FB4, FB4.6, and FB.7 there is no telling where it will go. Also if you try moving these folders somewhere else out of the applications directory, the installer will still find them on the system. I finally figured this out by watching my system log and seeing
11/22/13 12:13:46.258 AM cp[70909]: Cannot make directory /Applications/Adobe Flash Builder 4.6/Adobe Flash Builder 4.6.app
Location: /Users/myuser/Downloads/Adobe Flash Builder 4.6-adobegarbage/plugins/com.adobe.cside.ui_2.1.0.201304282312/icons: No such file or directory
After removing every single instance of places the package installer was trying to use. It finally resolved to the correct FB4.6 location. Why adobe could'nt spend a little extra time add a destination selector in the package installer is beyond me, but hey i only wasted 3 days trying to figure this out.... Sadly it isnt the first time i've wasted copius amounts of time fighting Flashbuilder problems.
Halligrimur, thank you for your help. It did lead to me solving the problem. -
Access denied. Error in File C:\WINDOWS\TEMP\
I have searched on Google and all over this forum and none of the solutions have fixed my problem.
Crystal Version: Crsytal.Net for Visual Studio.Net 2005
Server: Windows Server 2003
Error:
Access denied. Error in File C:\WINDOWS\TEMP\JuryDutyReport {D6296178-3E72-483E-B876-2DFC03D00841}.rpt: Access to report file denied. Another program may be using it.
When I run my app locally through the Web Server that comes with ASP.Net, everything is fine, it is only when I deploy the application to the Windows 2003 Server that I get the error.
I'm using impersonation in my ASP.Net application. I have given that domain user full access to 'C:\Windows\Temp'', the export folder and even the folder where the Crystal Report resides on the Server. When I run the application on the Web Server, I actually see the ".rpt" get created in the "C:\Windows\Temp" folder but yet it still says there is a permissions error.
What is bizarre is that the code below that just sends the file to the printer automatically works:
private void PrintJuryDutyReport(DataSet ds)
//create report document
ReportDocument crDoc = new ReportDocument();
//load, set datasource and print options
crDoc.Load(Server.MapPath("~/Reports/JuryDutyReport.rpt"));
crDoc.SetDataSource(ds); //set datasource
crDoc.PrintOptions.PrinterName = ddlPrinters.SelectedValue.ToString(); //set printername
crDoc.PrintOptions.PaperOrientation = PaperOrientation.Portrait; //set paper orientation
crDoc.SetParameterValue("ParamUsername", User.Identity.Name); //set parameter
crDoc.PrintToPrinter(1, false, 0, 0); //send to printer
I have to change the code to export to a PDF and this code doesn't work:
private void PrintJuryDutyReport(DataSet ds)
//report document
ReportDocument crDoc = new ReportDocument();
string myfile = @"G:\COPFS\COPFSPROD\ReportsTemp\MyPDF.pdf";
//load, set datasource and print options
crDoc.Load(Server.MapPath("~/Reports/JuryDutyReport.rpt"));
crDoc.SetDataSource(ds); //set datasource
crDoc.SetParameterValue("ParamUsername", User.Identity.Name); //set parameter
//export through http
crDoc.ExportToDisk(ExportFormatType.PortableDocFormat, myfile);
crDoc.Close();
crDoc.Dispose();
Response.ClearContent();
Response.ClearHeaders();
Response.ContentType = "Application/pdf";
Response.AppendHeader("content-disposition", "attachment; filename=" + myfile);
Response.WriteFile(myfile);
Response.Flush();
Response.Close();
Any help is greatly appreciated as I have to present this to end users tomorrow.Don, thanks for the response.
As a last ditch effort, I granted "modify" to the Network Service Account on C:\Windows\Temp and that fixed the error.
There are two things that are troubling about this:
1) I'm impersonating a domain user in my ASP.Net application and when the PDF is created, the owner is that domain user, so I know impersonation is working. So I wonder if ASP.Net picks and chooses what account it runs under at different times?
2) It is a little scary for the Network Service Account to have this access but that people seem to be fine with it.
http://aspadvice.com/blogs/rjdudley/archive/2005/03/14/2566.aspx -
Can FTP-access to field point log file interrupt the running program?
Can FTP-access to field point log file interrupt the running program?
We have a problem where our factory process control program on a Field Pointer suddenly stops the process. We are running the development system on a PC, wich deploys the program on the Field point, with user interface on the PC. Quite often the process stops for no apparent reason. I'm not sure right now if the control program on the Field Point is still running or if it stops. We use FTP from a distant PC (over VPN) directly to the Field Point to check if the process is running, by looking for date and size of log files produced during running process. I've never opened och copied any log file during process run, because this I'm sure this would cause problems for new log entries to be written. But can the mere looking at the log folder via XP-pros ftp-functionality cause the Field Point to have problems writing data to a log file?
I'm not sure how windows XP pro handles "my network places" when it comes to FTP, it look that it keeps some kind of local copy of the folders, or at least the files opened.
Next version of the program will have only basic functionality on the Field Point, leaving logging etc. to another program on the PC, but right now we are stuck with this system.
Ola AIt turned out that the problem lies in the harware of the production machine, it was not a labiew-program problem at all!
Ola -
HAL - Unabled to write or access Vignette's HAL log file (access denied)
Hi everybody,
In Vignette in the EXE, in "LOGGING" tab,
I choose "Enabled logging" "Log Messages to"
"File" \mfqhaldv01\RAPFIN\DEVL\TRAITEMENT\RAPFIN02_BALVER.log
if I have a access denied on this file, how can I do to know if I have a problem I can't get any information because I don't have access to.
What can I do to see the error message ?
Thanks & Regards.
Eric.One, I would see about getting access to that share. If you can not, I would save off the copy of hte .prp and run it or create a new .exe with a logging path you can access. This has to be done in the HAL studio.....hopefully can just reconfigure and get the file that way.
-
Access denied while loading jar files from client
I am creating a platform
that can be started by JWS
and then load plug-ins from client drive.
I've signed my platform (packaged as a jar file),
and set up the security tag in my jnlp,
so that it can access client files.
The plug-ins are packaged as jar files.
And in one of the plug-ins, there is a class that has a JFileChooser field.
While initializing this field, the AccessControlException is thrown.
I can't figure out what is wrong,
So I tried to sign the plug-in, but the problem stands still.
PS. I have made my own ClassLoader,
and this platform works well without JWS.
Please help me, thanks.
Below is the error message:
Java Web Start 1.4.2 主控台,已啟動 Fri Jul 02 01:31:17 CST 2004
Java 2 Runtime Environment:版本 1.4.2,作者:Sun Microsystems Inc.
/*my own log message*/
2004/7/2 上午 01:31:23 pluginmanager.Activater activate /*this is my own classloader*/
配置: activate jar=\Plugins\Common.jar /*load plug-in Common.jar*/
2004/7/2 上午 01:31:23 pluginmanager.Activater activate
細緻: collect resources /*collect other jar files needed by Common.jar*/
2004/7/2 上午 01:31:23 pluginmanager.Activater activate
細緻: load plugin=\Plugins\Common.jar
2004/7/2 上午 01:31:23 pluginmanager.Activater activate
細緻: activating class name=filemanager.FileManager /*instantiate plug-in component*/
java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at java.io.Win32FileSystem.getUserPath(Unknown Source)
... /*cut*/
at javax.swing.JFileChooser.<init>(Unknown Source)
at filemanager.Open.<init>(Open.java:20)
at filemanager.FileManager.<init>(FileManager.java:38)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
... /*cut*/
at java.lang.Class.newInstance(Unknown Source)
at pluginmanager.Activater.activate(Activater.java:120)
at pluginmanager.PluginManager$ActivateAction.actionPerformed(PluginManager.java:53)When running under Java Web Start, a security manager is installed.
Since you have created your own classloader, you are responsible for assigning permissions to the classes you load.
You can change you class loader to extend SecureClassLoader, then override getPermissions:
protected PermissionCollection getPermissions(CodeSource codesource) {
PermissionCollection perms = super.getPermissions(codesource);
/* add whatever permissions you want your code to hance*/
perms.add( ... );
/* or just add all-permissions */
perms.add(new AllPermission());
or - you can just remove the Security Manager:
System.setSecurityManager(null);
/Dietz -
Access denied creating new folders/files as administrator, UAC disabled
I'm having some issues with a 2008 R2 server. It's a standalone server used for file storage only, no domains no AD or policies have been applied to it.
I have recently been getting access denied errors trying to create new files or folders on the data drive. I'm logged in as local administrator and have full access to everything.
I've spent the last 3 days searching for a solution but so far have not found one. Solutions so far have almost always suggested turning off UAC and resetting permissions on the affected files and folders but that has not solved the issue, UAC was already
disabled and I've tried creating a new user group and adding the admin account to it, I've also removed all inherited permissions and manually specified all users and groups and 'everyone' as full access to no avail.
This did happen once before in the past with one network share and I can't remember what I did back then to solve it but somehow I did, but now all files and folders are having the issue on all network shares and drives (the server has 8 hard drives installed).
I can move and rename files and folders fine without problems but I cannot create any new folders or files of any kind without getting access denied, I'm really stumped at this one and hoping someone here will be able to suggest a fix that I haven't already
tried.
I have scoured the event logs but there's no sign of the issue there either.
Any help appreciated.Hi,
Did you access the network drive from a workstation? If so, what is the system operation on the workstation? Please give everyone group “full control” share permission to check the results. You could try to create a new shared folder and give local administrator
“full control” ntfs permissions and share permissions to check if the issue still exists.
Best Regards,
Mandy
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Getting access denied error while importing file using input type="file"
Hi All,
I am using struts application wherein I need to import file for some purpose.I have used input type="file" for the same which goes like:
<input type="file" id="uploadFile" name="uploadFile" size="50">
I have the import button on which I have used onClick event to call javascript function submitValues() used to validate all the fields from the page which goes like:
<input type="button" name="select" value="Import" class="CSSButton" onClick="javascript:submitValues();">
The JS function then in turn submits the form and calls the action.The problem is sometimes even when the correct path is specified for the file to be imported results in access denied error.This error comes sometimes and other times it works fine.But when this error comes,I need to relogin into the application and then it works fine.I am using IE7 for this.
Any idea why I am getting access denied error while importing? Has it got something to do with IE7 version or with the input type="file" which is being used here?
Thanks for any help if anyone can provide.
Edited by: passionateforjava on Mar 4, 2009 2:18 AMvishnuS1984 wrote:
Hi Friends,
I have gone through scores of examples and i am failing to understand the right thing to be done to copy a file from one directory to another. Here is my class...So let's see... C:\GetMe1 is a directory on your machine, right? And this is what you are doing with that directory:
public static void copyFiles(File src, File dest) throws IOException
// dest is a 'File' object but represents the C:\GetMe1 directory, right?
fout = new FileOutputStream (dest);If it's a directory, where in your code are you appending the source file name to the path, before trying to open an output stream on it? You're not.
BTW, this is awful:
catch (IOException e)
IOException wrapper = new IOException("copyFiles: Unable to copy file: " +
src.getAbsolutePath() + "to" + dest.getAbsolutePath()+".");
wrapper.initCause(e);
wrapper.setStackTrace(e.getStackTrace());
throw wrapper;
}1) You're hiding the original IOException and replacing it with your own? For what good purpose?
2) Even if you had a good reason to do that, this would be simpler and better:
throw new IOException("your custom message goes here", e);
rather than explicitly invokign initCause and setStackTrace. Yuck! -
Access Denied when Open Offline File.
Dear All,
User has Network Share (with full permission to access files and Folders), I have configure it as an Offline folder (Always available).
Problem is that when on network he can access and open all the files. But when he goes offline (No Network), he can open all the Folders but when he tried to open some files few of them are giving errors. "Access Denied"
Encryption is not enable.
Can anyone please suggest the resolution.
Thanks
Kamran
Best RegardsHi,
Please make sure all these file are enabled offline.
Please see if this article is helpful to you:
Users may receive an "Access is denied" error message if you make files and folders available for offline use
http://support.microsoft.com/kb/275461
Meanwhile, try this:
1.Make sure that your files and folder have been synchronized. Reinitializing the cache prior to synchronizing will
cause you to lose any data that isn’t synchronized.
2.Click Start, type regedit in the Start Search box, and then press
ENTER.
If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.
3.Locate the following registry subkey, and then right-click it:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CSC
4.Point to New, and then click Key.
5.Type Parameters in the box.
6.Right-click Parameters, point to New, and then click DWORD (32-bit)Value.
7.Type FormatDatabase, and then press ENTER.
8.Right-click FormatDatabase, and then click Modify.
9.In the Value data box, type 1, and then click OK.
10.Exit Registry Editor, and then restart the computer.
Karen Hu
TechNet Community Support -
Access denied when I move files from MacBook to desktop
When move files from my MacBook Pro to my G5 desktop, I can't open them. I get an "access denied" message. I can fix the problem by going to "info" and changing the access, but how can I fix this so it doesn't happen at all? I don't want to have the hassle of resetting the access for each file every time I swap files back and forth between the laptop and desktop.
Ask and you will receive:
You can do the same thing in terminal using the chmod command, but it requires a bit more of a learning curve.
Leo server has a Built in GUI that allows you to do the same thing as Sandbox, I really feel Apple should have included something similar in the consumer version of Leo, since we are forced to deal with ACL's in Leo whether we want to or not. They are turned on by default and can only be turned off temporarily (fsaclctl command) as they will resume automatically at the next reboot.
Of course you must master the basics before attempting
ACL's from the command line.
Here are some links to some Leo ACL and command line documents:
http://www.afp548.com/filemgmt/index.php?id=40
http://manuals.info.apple.com/enUS/Command_Line_Adminv10.5.pdf
http://manuals.info.apple.com/enUS/File_Services_Adminv10.5.pdf
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/chmod.1. html
These tools will guide you in your quest.
And don't forget grasshopper: "wax on - wax off"
Kj -
TestStand: Access Denied to testexec.ini file
When changing search directories, or any station property, I get an access denied error, and the changes to the search directories don't get saved.
Hello Shay,
If you are using Windows 2000/NT and your drive in which TestStand is located is partinoned as NTFS, you can set security permissions on folder or on a file basis. You should check your security settings for the folder \Cfg. This folder contains all the INI files that store the station options, and search directory settings. You may have the folder set to deny write access, when it should be set to full control. You can access the security options by right-clicking on the file/folder and selecting Properties from the context menu. Hope this helps. -
Access Denied when uploading a file
Just changed web hosting providers.
I'm using Contribute 4. This problem only seems to happen
when I'm linking a new file from our network (ie PDF file) into a
Webpage to be published with the Webpage.
I link the file, hit publish, get "Access Denied" and the
Webpage is in edit mode. But if I go browse to the Webpage, the
file successfully published and uploaded the PDF file. So it's like
it's throwing the error directly after publishing the PDF file. I
then just go into my draft Webpage and cancel the draft. Sounds
like a weird permissions problem. Anybody ever have this
happen?If you created the file(s) and then made sure the streams were closed and no other process/program was using the file(s), then it should delete.
If you didn't create the files, you should look at the security policy on your system. -
Access denied error -- while copying file to a specific directory
Hi Friends,
I have gone through scores of examples and i am failing to understand the right thing to be done to copy a file from one directory to another. Here is my class
package ZipTest;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
public class TestCopy {
* @param args
public static void main(String[] args) {
// TODO Auto-generated method stub
File source = new File("C:\\mkyong\\test_1.txt");
File desc = new File("C:\\GetMe1");
try {
copyFiles(source,desc);
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
public static void copyFiles(File src, File dest) throws IOException
if (!src.exists())
throw new IOException("copyFiles: Can not find source: " + src.getAbsolutePath()+".");
else if (!src.canRead())
throw new IOException("copyFiles: No right to source: " + src.getAbsolutePath()+".");
if (src.isDirectory())
if (!dest.exists())
if (!dest.mkdirs())
throw new IOException("copyFiles: Could not create direcotry: " + dest.getAbsolutePath() + ".");
String list[] = src.list();
for (int i = 0; i < list.length; i++)
File dest1 = new File(dest, list);
File src1 = new File(src, list[i]);
copyFiles(src1 , dest1);
else
FileInputStream fin = null;
FileOutputStream fout = null;
byte[] buffer = new byte[4096];
int bytesRead;
try
fin = new FileInputStream(src);
fout = new FileOutputStream (dest);
while ((bytesRead = fin.read(buffer)) >= 0)
fout.write(buffer,0,bytesRead);
catch (IOException e)
IOException wrapper = new IOException("copyFiles: Unable to copy file: " +
src.getAbsolutePath() + "to" + dest.getAbsolutePath()+".");
wrapper.initCause(e);
wrapper.setStackTrace(e.getStackTrace());
throw wrapper;
finally
if (fin != null) { fin.close(); }
if (fout != null) { fin.close(); }
But i am getting the following errorjava.io.IOException: copyFiles: Unable to copy file: C:\mkyong\test_1.txttoC:\GetMe1.
at java.io.FileOutputStream.open(Native Method)
at java.io.FileOutputStream.<init>(FileOutputStream.java:179)
at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
at ZipTest.TestCopy.copyFiles(TestCopy.java:68)
at ZipTest.TestCopy.main(TestCopy.java:18)
Caused by: java.io.FileNotFoundException: C:\GetMe1 (Access is denied)
... 5 more
It would be really helpful to have your guidance.
Thanks & Regards
VSvishnuS1984 wrote:
Hi Friends,
I have gone through scores of examples and i am failing to understand the right thing to be done to copy a file from one directory to another. Here is my class...So let's see... C:\GetMe1 is a directory on your machine, right? And this is what you are doing with that directory:
public static void copyFiles(File src, File dest) throws IOException
// dest is a 'File' object but represents the C:\GetMe1 directory, right?
fout = new FileOutputStream (dest);If it's a directory, where in your code are you appending the source file name to the path, before trying to open an output stream on it? You're not.
BTW, this is awful:
catch (IOException e)
IOException wrapper = new IOException("copyFiles: Unable to copy file: " +
src.getAbsolutePath() + "to" + dest.getAbsolutePath()+".");
wrapper.initCause(e);
wrapper.setStackTrace(e.getStackTrace());
throw wrapper;
}1) You're hiding the original IOException and replacing it with your own? For what good purpose?
2) Even if you had a good reason to do that, this would be simpler and better:
throw new IOException("your custom message goes here", e);
rather than explicitly invokign initCause and setStackTrace. Yuck! -
Access denied when putting a file in the System32 folder.
Hi,
I have this code in de Program.cs:
TrialMaker t = new TrialMaker("TMTest1",
Application.StartupPath + "\\RegFile.reg",
Environment.GetFolderPath(Environment.SpecialFolder.System) +
"\\TMSetp.dbf",
"Phone: +98 21 88281536\nMobile: +98 912 2881860",
5, 10, "745");
It must put a file called TMSetp.dbf in the system32-folder of the Windwows-folder.
But I get error: Access to the path 'C:\Windows\system32\TMSetp.dbf' is denied.
What can I do about this problem?
Greetings,
Peter KiersIt must put a file called TMSetp.dbf in the system32-folder of the Windwows-folder.
But I get error: Access to the path 'C:\Windows\system32\TMSetp.dbf' is denied.
What can I do about this problem?
Either:
1. Run your code in a process that has sufficient permission to write
to that directory, or
2. Write the file elsewhere - where you have permission.
Dave -
This is for information to help others
KEYWORDS:
- Sharing EFS encrypted files over a personal lan wlan wifi ap network
- Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
- transfer encryption keys / certificates
- set trusted delegation for user + computer for EFS encrypted files via
Kerberos
- Windows Active Directory vs network file share
- Setting up WinDAV server on Windows 7 Pro / Ultimate
It has been a long painful road to discover this information.
I hope sharing it helps you.
Using EFS on Windows 7 pro / ultimate is easy and works great. See
here and
here
So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
won't work (unless you follow below steps).
Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
Why such a EFS drama when a network is involved?
Assume a home peer-to-peer network with 2pc: \\fileserver and \\clientpc
When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
(on behalf of the clienpc's data request).
This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
Solutions
There are two main approaches to solve this:
1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
EFS operations occur on the computer storing the files.
EFS files are decrypted then transmitted in plaintext to the client's computer
This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
2) SOLVE by setting up WebDAV (efs files accessed through web folders)
EFS operations occur on the client's local computer
EFS files remain encrypted during transmission to the client's local computer where it is decrypted
This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
READ BELOW as this does
Create new encrypted file / folder on a network file share - via Active Directory
It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
Although this info is NOT for setting up EFS on an active directory domain [server],
for those interested here is the gist:
Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
EFS.
NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
Create new encrypted file / folder on a network file share - via WebDAV
For home users it is possible to make it all work.
Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
Setting up a wifi AP (for those less technical):
a) START ... CMD
b) type (no quotes): "netsh wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
c) type (no quotes): "netsh wlan start hostednetwork"
Set up a WebDAV server on Windows 7 Pro / Ultimate
-----ON THE FILESERVER------
1 click START and type "Turn Windows Features On or Off" and open the link
a) scroll down to "Internet Information Services" and expand it.
b) put a tick in: "Web Management Tools" \ "IIS Management Console"
c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
f) click ok
g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
KB892211 here ONLY for XP + Server 2003 (made in 2005)
KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
2 Click START and type "Internet Information Services (IIS) Manager"
3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
a) on the right side, under Actions, click "Enable WebDAV"
4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
a) on the "Anonymous Authentication" and click "Disable"
b) on the "Windows Authentication" and click "Enable"
NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
It can be by changing registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
BasicAuthLevel=2
c) on the "Windows Authentication" click "Advanced Settings"
set Extended Protection to "Required"
NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
a) on the right side, under Actions, click "Add Allow Rule"
b) set this to "all users". This will control who can view the "Default Site" through a web browser
NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
clientpc.
NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
a) on the right side, under Actions, click "Enable"
HOTFIX - double escaping
7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
a) on the right side, under Actions, click "Edit Feature Settings"
b) tick the box "Allow double escaping"
*THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
a) set the Alias to something sensible eg "D_Drive", set the physical path
b) it is essential you click "connect as" and set
this to a local user (on fileserver),
if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
NB: the user account selected here must have the required EFS certificates installed.
See
here and
here
NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
The work around is on the \\fileserver create an NTFS symbollic link
e.g. to share the entire contents of "D:\",
on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
in cmd in this folder create an NTFS symbolic link to "D:\"
so in cmd type "cd c:\inetpub\wwwroot"
then in cmd type "mklink /D D_Drive D:\"
NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
clientpc
9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
b) if some exist review existing allow or deny.
Take care to not only review the "allow access to" settings
but also review "permissions" (read/write/source)
NB: this can be set here for all added virtual directories, or can be set under each virtual directory
10 Open your firewall software and/or your router. Make an exception for port 80 and 443
a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
below, specifically "Cant find server due to network location"
b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
HOTFIX - MAJOR ISSUE - fix KB959439
11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
a) On Windows 7 you need only change one tiny registry value:
- click START, type "regedit", open link
-browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
-on the EDIT menu click NEW, then click DWORD Value
-Type "DisableEFSOnWebDav" to name it (no speech marks)
-on the EDIT menu, click MODIFY, type 1, then click OK
-You MUST now restart this computer for the registry change to take effect.
b) On Windows Server 2008 / Vista / XP you'll FIRST need to
download Windows6.0-KB959439 here. Then do the above step.
NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
It should show the default "IIS7" image.
If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
e.g. http://localhost/D_drive
If nothing is listed, check "Directory Browsing" is enabled
13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
eg if your server's computer name is "fileserver" go to "http://fileserver:80"
It should show the default "IIS7" image. If not, check firewall and port blocking.
Any issue ie if (12) works but (13) doesn't, will indicate a possible firewall issue or router port blocking issue.
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
A directory listing of files should appear.
--- ON EACH CLIENT ----
HOTFIX - improve upload + download speeds
14 Click START and type "Internet Options" and open the link
a) click the "Connections" tab at the top
b) click the "LAN Settings" button at the bottom right
c) untick "Automatically detect settings"
HOTFIX - remove 50mb file limit
15 On Windows 7 you need only change one tiny registry value:
a) click START, type "regedit", open link
b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
c) click on "FileSizeLimitInBytes"
d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
16 On each clientpc click START, type "Internet Options" and open it
a) click on "Security" (top) and then "Custom level" (bottom)
b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
SUCH an easy fix. SUCH an annoying problem on a clientpc
NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
explorer.
TEST SETUP
17 On the client use the normal "map network drive"
e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
e.g. CMD: net use * "http://fileserver:80/C_drive"
If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
"manage network passwords") has NTFS permissions.
18 Test that EFS is now working over the network
a) On a clientpc, map network drive to http://fileserver/
b) navigate to a folder you know on the \\flieserver is encrypted with EFS
c) create a new folder, create a new file.
IF it throws an error, check carefully you mapped to the WebDAV and not file share
i.e. mapped to "http://fileserver" not "\\fileserver"
Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
clientpc decrypted it then copied it).
If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
If this is not readable check step (11) and that you restarted the \\fileserver computer.
19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
If a prompt for user+pass then check hotfix (16)
20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
a) see the last comment at the very bottom of
this page:
Points to consider:
- NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
either.
- CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
MORE INFO: HOTFIX: RAW DATA TRANSFERS
More info on step (11) above.
Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
There is a fix:
It is implimented above, see (11) above
Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
Other problems + fixes
PROBLEM: Can't find server due to network location.
This one took me a long time to track down to "network location".
Win 7 uses network locations "Home" / "Work" / "Public".
If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
FIX = either set IP address manually and specify a gateway
FIX = or force "unidentified" network locations to assume "home" or "work" settings -
read here or
here
FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
login to gain file access.
PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
Read
here (i've posted a batch script to automatically make the required reg files)
I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?
Maybe you are looking for
-
How can I return my ipad 1 to pre OS5?
how can I return my ipad 1 to pre OS5? Ive been reading the forums all over the place to find the solution to my ipad 1 continually crashing. it does it mainly in safari and the app store. Its really annoying when you're halfway through composing a l
-
Report generation for Substances
Hi Everybody, I am trying to generate the word report from the substance information. For that i setup WWI and now i am able to create report templates and also able to generate the word reports in the Specification workbench. But t
-
Hello, I don't how can I change the name of a file ?. Somebody can help me, please? For example : c:\out\prove1.csv to c:\out\prove1_09112007_163001.csv Thanks
-
Class object in other files not found on solaris
hi, I am trying to compile a Java program on Solaris 8 machine with JDK1.4.2_02 the program "AAA.java" creates objects of classes "BBB.java" and "CCC.java" All these files are in the same folder "DDD". I haven't included them in a package "DDD". Same
-
XL Reports - EXCEL msg -You can only open the document as Read Only
READ ONLY notification from MS EXCEL when two people try to run the same XLR report at the same time. Here is what is going on: u2022 Person A runs an XLR report (SAP client running on a Local Machine) u2022 Person B runs the same XLR report