Grand Poo-Bah
Group: Administrators Last Login: 11/4/2008 8:29:36 AM Posts: 255, Visits: 13,331
On a default installation of Windows and PDS there should be no permission issues. Problems may start occurring when permissions have been removed in certain environments, explicitly denying access to the resources below by default. In that case the permissions need to be explicitly added.

The table below lists which NTFS permissions are needed on which resources for which accounts. Please keep in mind that this is currently a work in progress – use it but feel free to let me know if something doesn’t look right or you needed to add additional permissions in your environment.

| Resource | PDS Admin (runs as local IUSR_Computer account) | PDS Service on Windows 2000 (runs as local ASPNET account) | PDS Service on Windows 2003 (runs as local “Network Service” account) | PDS FileSync (runs as SYSTEM, the local system account) |
| --- | --- | --- | --- | --- |
| PDS Admin: C:\Program Files\Calyx Software\Point Data Server\admin\\*.* + subdirectories | Read & Execute | | | |
| PDS Service: C:\Program Files\Calyx Software\Point Data Server\service\\*.* + subdirectories | | Read & Execute | Read & Execute | |
| PDS FileSync: C:\Program Files\Calyx Software\Point Data Server\filesync\\*.* + “db” directory | | | | Read & Execute |
| Root Folder Path: C:\Program Files\Calyx Software\Point Data Server\filesync\DataFolders\\*.* + Subdirs | R+W at Root | Read | Read | Full Control |
| Temporary Path: C:\Program Files\Calyx Software\Point Data Server\filesync\TempLoanFiles\\*.* + Subdirs | | Full Control | Full Control | Full Control |
| Custom Fields Path: C:\Program Files\Calyx Software\Point Data Server\filesync\CustomFields\\*.CSF | | Full Control | Full Control | Full Control |
| WINPAPI.INI file in Windows Path: C:\Windows\WINPAPI.INI | Read | | | Read |
| .Net Path: C:\Windows\Microsoft.NET\Framework\v1.1.4322\ | Read | Read | Read | Read |
| ASP.Net Temporary Path: C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files | Full Control | Full Control | Full Control | |
| Windows Temporary Path: C:\Windows\Temp | Full Control | Full Control | Full Control | Full Control |

Notes:
- Paths might be different in your environment; apply the permissions accordingly.
- I listed the default accounts that are used by the PDS components when running code (e.g. PDS Admin runs as “IUSR_Computername”, PDS FileSync runs as the local system account “SYSTEM”, etc…). These accounts may have changed, so you’ll need to give the right permissions to the right accounts (see below for instructions on how to determine which account is used by which PDS component).
- NTFS permissions are changed by running File Explorer, right-clicking on the relevant directory or file and choosing Properties, then choosing the "Security" tab.

Here’s how to determine which accounts are being used by which PDS components:

The PDS Service is an ASP.Net web service, and it will run under different credentials depending on how your system is set up. The first thing to do is to establish which credentials it's really running under. On the machine where the PDS Service is running:

1) In notepad, open up the file Web.Config in the PDS Service directory (typically C:\Program Files\Calyx Software\Point Data Server\PDSService).
2) Look for the line <identity impersonate="true"/>
3) If you found the line above: PDS Service is running as the user defined in IIS. This is typically IUSR_Computername, but you should double check it by running the IIS Manager > Right click on the "service" virtual directory > Properties > Directory Security tab > Authentication and access control / Edit > Verify that "Enable anonymous access" is checked - check the User name (typically IUSR_Computername).
4) If you didn't find the "impersonate" line from step 2: the PDS Service is running under the default ASP.Net account:
   • In Windows 2000 this is the "ASPNET" account.
   • In Windows 2003 this is the "Network Service" account.

Once you know which account PDS Service is running under, make sure this account has the correct NTFS permissions on the resources listed above. Do the same for the PDS Admin site.

For the PDS FileSync windows service you can check under Control Panel > Administrative Tools > Services > CalyxPDSFileSync > Log on as (it should be “Local System Account” which appears as “SYSTEM” in the NTFS dialogs).

Disclaimer: this post carries no explicit or implied warranty. Nor is there any guarantee that the information contained in this post is accurate. It is offered in the hopes of helping others, but you use it at your own risk. The author will not be liable for any damages that occur as a result of using this post.
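
The account check and NTFS audit described in the post above can be scripted. The following PowerShell is an added example, not part of the original post or of PDS: it assumes the post's default paths and account names, a Windows 2003 host, and covers only a subset of the table (`$checks` is a hypothetical list to extend).

```powershell
# Added example: audit ACLs against the post's table. Paths/accounts are the
# post's defaults and are assumptions; adjust them to your environment.
$pds  = 'C:\Program Files\Calyx Software\Point Data Server'
$iusr = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # confirm the name in IIS Manager
$sys  = 'NT AUTHORITY\SYSTEM'

# Steps 1-4: impersonation on -> IIS anonymous user; off -> ASP.NET default account
[xml]$cfg = Get-Content "$pds\PDSService\Web.config"
$id = $cfg.configuration.'system.web'.identity
if ($id -and $id.impersonate -eq 'true') {
    $svc = $iusr
} else {
    $svc = 'NT AUTHORITY\NETWORK SERVICE'            # "ASPNET" on Windows 2000
}

$checks = @(
    @{ Path = "$pds\admin";                  Account = $iusr; Right = 'ReadAndExecute' },
    @{ Path = "$pds\service";                Account = $svc;  Right = 'ReadAndExecute' },
    @{ Path = "$pds\filesync\DataFolders";   Account = $svc;  Right = 'Read' },
    @{ Path = "$pds\filesync\DataFolders";   Account = $sys;  Right = 'FullControl' },
    @{ Path = "$pds\filesync\TempLoanFiles"; Account = $svc;  Right = 'FullControl' },
    @{ Path = "$env:windir\WINPAPI.INI";     Account = $iusr; Right = 'Read' }
)

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { "NOT FOUND      $($c.Path)"; continue }
    $need  = [int][System.Security.AccessControl.FileSystemRights]$c.Right
    # Only ACEs that name the account directly; group membership is not resolved
    $rules = @((Get-Acl -Path $c.Path).Access |
               Where-Object { $_.IdentityReference.Value -eq $c.Account })
    $allow  = 0
    $denied = $false
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny') { $denied = $true }
        else { $allow = $allow -bor [int]$r.FileSystemRights }
    }
    if ($denied) { $status = 'EXPLICIT DENY' }
    elseif (($allow -band $need) -eq $need) { $status = 'ok' }
    else { $status = 'MISSING' }
    '{0,-14} {1,-15} {2,-32} {3}' -f $status, $c.Right, $c.Account, $c.Path
}
```

A `MISSING` result can be a false alarm when the account gets its access through a group or through an entry that uses generic rights, so confirm in the Security tab before changing anything. Setting `Right` to `'Modify'` on the Full Control rows checks for the narrower grant suggested in the reply below.
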

Forum Member
Group: Forum Members Last Login: 6/26/2008 8:06:49 AM Posts: 36, Visits: 64
Just as a note, everywhere that full control is noted above, I have successfully applied modify permissions instead. Using modify is a bit more secure and gives the account only those permissions necessary to update the data within the folders.

Grand Poo-Bah
Group: Administrators Last Login: 11/4/2008 8:29:36 AM Posts: 255, Visits: 13,331
Thanks JHawley, as mentioned above, this is a work in progress. I won't change the permissions from "Full Control" to "Modify" until our QA team has had a chance to test this. On a separate note I added the following permission today: "read" on the file C:\Windows\WINPAPI.INI