Hi Grant,

Sorry to hear you're having problems.

Are you saying Umbraco is altering your Windows permissions? If so I'd find that very very strange and the only thing I can think of would be some 3rd party code which runs on the save event, even then it would be the first time I've ever heard of it. In essence an Umbraco site is just a standard ASP.NET website and doesn't do anything that would alter Windows permissions AFAIK.

Could there be anything else on your server causing permission problems, do you have any non Umbraco sites running, are they having any problems? Did anyone install anything on the server, are you using a Control Panel (Plesk?)

Rich

Rich, thank you for the response...

• Based on my previous post, it seems it could only have been Umbraco changing the settings (I manually change them, 'save' in Umbraco then it breaks.)
• There is no third party code running, the site is a primitive one and goes to no such extent as to hooking into save and publish events.
• There aren't any other third party elements, such as Contour - it's a basic site.
• We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues.
• We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)
• The server is not the problem, we are not using a Control Panel.

In the meantime, a colleague of mine took the same steps I did, but on the Users group permissions (as opposed to the CreatorUser mentioned above) and this seems to have resolved the issue (we can access the site, and save + publish without issue) - but I am concerned that this doesn't help us determine what originally changed the permissions to disable access, and hence why it happened. And it still doesn't offer any answer as to how the other user settings were changing on save.

The has been published for a while now and no development been done since deployment - only the client using their Umbraco CMS.

Hiya,

The user account that actually edits the access config file is the one that ASP.Net runs under (usually either NETWORK SERVICE, or the App Pool Identity account if you're on IIS7). If that account doesn't have access to the file, it'll give the error. That user account needs to have read/write/modify access on the App_Data folder for Umbraco to work properly, as that's where it saves all the XML caches. I'm not sure why you were cerating another user, as that wouldn't have any effect on Umbraco, unless the website app pool was running as that user!

As for the permissions changing, that's not something Umbraco has the ability to do, to change the windows user permissions, Umbraco would have to be running under Administrator Privelidges, which it normally wouldn't be (and there's no code in the Umbraco code base that I've ever seen to do this). My best bet for the cause of the permissions change would be someone changing something on the server. If its a shared box, the hosting company could have applied server wide permissions changes as part of an update/security fix, which may have altered stuff.

Basically someone has changed the permissions on the server so that the App Pool identity account no longer has access to write to App_Data. I would check with the host/adminstrator of the server to see if anyone has done anything that would have changed the permissions on the site. To be on the safe side, you may also want to check if media items can be saved through the media library, as if they changed the permissions, they may have killed the ability to write/modify to that folder to.

Hope that helps and that you get to the bottom of who changed the permissions!

Tim, you're side-stepping the problem here:

"I'm not sure why you were cerating another user, as that wouldn't have any effect on Umbraco, unless the website app pool was running as that user!"

No, we didn't create any user - the users are already there by default in Permissions (probably due to inheriting roles), but this is as standard on creating a site, no extra configuration or extra users added. Furthermore, the application pool is running under NetworkService.

"As for the permissions changing, that's not something Umbraco has the ability to do"

One moment everything is OK, we click 'save' in Umbraco and we ge the error, and upon checking, the user permissions are changed. No one changed the user permissions manually and no server-wide update was applied, the site hasn't even been touched by anyone other than the client using the CMS until they reported this problem. But at this point it is reproducible! Two points include the fact that the user permissions were altered without any human intervention with the server (FACT), and the fact that you say "Umbraco can't do that", - well, frankly, I could shoot you a video to prove that it can, and does (FACT). Also, our server is our own, dedicated box.

"Basically someone has changed the permissions on the server so that the App Pool identity account no longer has access to write to App_Data"

This is an entirely presumptuous assertion with absolutely no basis in fact - NetworkService DOES NOT change at all, so that blows your theory out of the water for starters; something DID change the User permissions which made this break (and, as above, it wasn't us!); and I can actually reproduce this by applying the permissions to CreatorUser, hitting Save in Umbraco, then watching it break, then checking the server to see that, indeed, the permissions I just added have been removed!

As I said, please don't provide invalid assertions that are nothing more than foolish presumptions - nothing has changed on our end - if yo ucare to look into the issue seriously from the Umbraco end, or help us do so, then please do, but please refrain from this nonsense.

Hi Grant,

Appologies, I misread your O.P. and thought you'd CREATED, a creator owner user account. Although my original point, that it's the network service account that needs the permissions is still valid. I wasn't sidestepping the issue, I was just offering you some possible reasons why the permissions might have changed on the server. If you'd mentioned it was a dedicated server, I wouldn't have suggested that it ay have been the hosting company.

Not quite sure why you're being rude to someone who's trying to help, but hey ho. Lets have a look at the issue:

Based on the information that you provided, network service (for whatever reason) DOES NOT (or did not if you've fixed it now) have access to write/modify the App_Data folder. I know this because when you save and publish a document in Umbraco, the system writes to the umbraco.config XML file that is stored in the App_Data folder. If it can't do that, and you get a permissions error, then someone (or something) has changed the user permissions for network service. Most cases where this occurs is down to human intervention. Windows permissions don't magically change themselves! Another option could be a MS security patch or the server lockdown tool, both of which are capable of changing user permissions on the server (including the network service account).

If you reset the permissions for the app_data folder so that the network service user can write/and modify to it, does save and publish work? Once you've done that, can you save and publish other pages? If the answer is yes, then try and set the permissions for the page as your client did, and see if that works. If it does, then it's obviously not Umbraco resetting the user permissions. If it does throw the same error, write down the steps to reproduce, with as much detail as possible, and log it as a bug on umbraco.codeplex.com so that the core team are aware of the issue and can look into it.

Hope that helps!

Tim, firstly, apologies for coming across as rude - I am simply trying to be as direct as possible and, frustrations aside, it isn't my intention.

"I know this because when you save and publish a document in Umbraco, the system writes to the umbraco.config XML file that is stored in the App_Data folder. If it can't do that, and you get a permissions error, then someone (or something) has changed the user permissions for network service."

Again, upon getting the error and looking at NetworkService, the permissions for that are not changed. Enabling permissions for the other user (for which they have been removed) resolves the issue (temporarily.) I'm 100% certain that MS security patches are not being installed each time we hit the 'save' button, likewise with the security lockdown tool being invoked.

"If you reset the permissions for the app_data folder so that the network service user can write/and modify to it, does save and publish work?"

Again, the NetworkService permissions do not change. Once I add the permissions for the other user, I can access Umbraco again within requiring the login with Windows Authentication; if I hit 'save' again (or 'save and publish') then the permissions are removed from that user - but not NetworkService.

"If the answer is yes, then try and set the permissions for the page as your client did"

The client didn't try to change any page permissions, nor did we.

Grant, 

I do have to point out that this forum is not an official support channel and you did come across as being rude.

Anyone posting here does so voluntarily.

As for the issue itself, to try and get a better picture:

Do you have other Umbraco sites running on the same Win2k server? Is it IIS5?

I ask because I have not run Umbraco on anything older than Win2k3 and am unsure of the compatibility on Win2k.

Jay

Jay, I'm not sure if you want me to apologise to you now too? Well, either way, apologies for you suffering my impoliteness by-proxy.

Just to note, I'm anyone, and I'm only posting here by necessity.

We run IIS6, and, to answer your other questions, may I politely refer you to my second post:

         "We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues.

• We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)"

Grant,

No need to apologise to me.

Useful to know it is Win 2003.

And do you have other sites on the same server? This may help rule out any server wide config issues.

Does the site run under it's own app pool?

Jay

The fact you get the Windows Authentication dialog - have you checked the IIS authentication settings?

Jay, yes, IIS auth settings don't change between issues, and they match up well with other sites (including Umbraco ones.)

At risk of being rude, though that is entirely perceptual, and with respect, you obviously aren't reading my replies:

                "We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues."

            "We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)"

The site does run within its own application pool.

I had read your reply but it didn't confirm if this site was on the *same* server as other Umbraco sites.

Jay,

At risk of being rude, though that would be entirely perceptual, and with respect, you're asking questions that have been covered multiple times in this very thread; it is hard to hold respect for people's time when my own seemingly isn't respected, and my input neglected.

So, again, may I politely refer you to my second post:

         "We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues.

• We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)"
• The site is running under its own application pool.

If you right click on the "App_Data" folder click properties, and select the "security" tab, does the network services account show up in the list? If so, click it and see what permissions it has selected for the folder. Does it have "Read", "Write" and "Modify" ticked? If it doesn't, edit the account and make sure those three items are checked. Check the same permissions for the umbraco.config and access.config files inside the folder (it should inherit the permissions from the parent folder, but best to double check). If the account isn't in the list, add it and make sure it has those permissions. Let me know!

Tim, NetworkService has "Full Control" on the elements you specify to check - and this doesn't change, even between the error and the 'fix'.

In regards to file/folder permissions changing themselves:

Maybe try checking the Event Logs on the server to see if there's anything interesting in there?
You may be able to set up monitoring to see:
1) If anyone else has, or is, logged onto that server
2) If anyone (or an process) is altering file/folder permissions. If so, you can lookup the date/time against your own actions to see if theres a correlation.

If not, there's probably a fair amount of software available online (or you might always use some) that can monitor all aspects of your server, including file permission changes, etc.

Drew,

This is a live deployment server with up to 100 sites running, which, for the most part (some dodgy programming aside!), are entirely stable - we know that no-one has has been on the server (no-one else can) and we simply never have had such permission altering software running, we simply can't afford to have intrusive software likfe that running - also, for it to happen in between button clicks (correlating precisely to my actions explained above) is much more than coincidental, and would seem to need a process reacting to events when a button in Umbraco is clicked (which we don't have.)

Thanks, though, and I'm keeping my eyes open on the event logs.

PS: Rudness aside, it seems karma doesn't mind ;) (shouldn't I actually have to do something useful to gain that?)

At the expense of dragging up an ugly thread ;) ...

I just had the exact same thing with a client site which was hosted by a third party on a shared server.  Everything was fine until saving/publishing a node, then BAM it gave a YSOD saying there was insufficient permissions on the App_Data/umbraco.config file - both front-end and back office.  Permissions were apparently fine and visually correct - having been checked, double-checked and triple-checked by numerous people, but until the app pool was restarted it would just error.  On restarting the app pool it would be back to normal but each time a node was saved/published it did the same thing again instantly: YSOD permissions errors.

Although I frustratingly didn't have access to the server directly, the issue was eventually fixed by the server admin by removing all permissions and re-applying them from scratch.

There's a bug in there somewhere or an issue in the way in which the permissions are applied somehow, but it is ultimately permissions related - starting with a clean slate in this case flushed it out.

I hope this helps ease frustrations if anyone comes across the same issue in future.

Hi Dan adn Co.

I have the exact same problem as Dan describes. when publishing a certain node (I can actually save it without publishing) on the customers own production server (it works perfect on our own development server) I get the: 

Website\App_Data\umbraco.config' is denied.

restarting the app in IIS makes it work again until I try and publish this node again

and NETWORK SERVICE is for sure set with full right. 

Is anyone closer to an explanation / solution of this problem since this thread was last created?

And Dan, Im not 100% I understand what you did:  what did you do delete the "NETWORK SERVICE" on the folder and apply them once again?

Best Regards :-)

Nicolai

Hi Nicolai,

I was never able to access the server directly - the client's server admin eventually did it.  So I don't know exactly what was done unfortunately.

Sorry I can't be of more help.

HI

Thx for replying Dan!

I actually managed to get it working. But... I still cant expalin what happens. I changed the AppPool used, and then it worked. (it must be some rights stuff, even though and cant put a finger on where. - and strange that restart the app makes it work ??) - (changing the app pool created problems other places, but these where easyier to sovle than this one ;-)

best regards

Nicolai

is working on a reply...