shared folder access

 
 
sundeeps@niit.com
Guest
Posts: n/a
 
      10-15-2003
Hi, I have a web application residing on a web server [w]
and a file server [s]. Both servers are part of the same
domain [d].

Now, I want to access shared folders from my web
application, but access should be given only to those
users who have permission on the shared folder.

I set up impersonate in my system and am using Windows
authentication, but I still get an access denied error.

Need help
 
 
 
 
 
Steve Jansen
Guest
Posts: n/a
 
      10-15-2003
I suggest reading the Patterns & Practices whitepaper "Authentication in
ASP.NET: .NET Security Guidance":
http://msdn.microsoft.com/library/de...haspdotnet.asp

Impersonation is not enough to accomplish what you want. You require
account delegation from your physical server running IIS to your physical
server hosting the file share.

Option 1
---------
Your first option is to use Basic Authentication in IIS over SSL. This way,
the inetinfo.exe process has your credentials in plaintext and can log on to
the remote file server on the end user's behalf.

Option 2
---------
Alternatively, I have gotten this to work before with Windows Authentication,
but it is not straightforward:
1) Enable Windows Authentication in IIS for your web app
2) If you create a virtual directory that maps to your UNC share, manually
delete the UNCUserName and UNCPassword metabase values using adsutil.vbs.
This will remove the UNC user token credentials (something that cannot be
done through inetmgr.exe). Doing so causes IIS to attempt delegation using
the current logon credentials.
3) Even though inetinfo.exe runs as LocalSystem, I had to create an AD
Service Principal Name. First, I had to set the option "Trust this computer
for delegation" for the IIS Computer AD object. Then, I had to issue the
setspn.exe command, which I remember being:

setspn -A HTTP/myhost.mydomain.com myserver

4) For IE clients, I had to add myhost.mydomain.com to the Local Intranet
zone. I would guess this caused IE to use Kerberos authentication instead
of NTLM. It may have also had something to do with "Automatic Logon in
Intranet Zone only".

Connected IE clients should then browse the remote file share using their
credentials and appropriate ACLs. You should be able to confirm this by
enabling complete auditing of file access for your share and checking the
event viewer. I believe there are major performance implications for this,
due to the increased network activity of IIS performing delegation and UNC
file operations.

Option 3
---------
You can also set the UNCAuthenticationPassthrough metabase attribute to True
to accomplish this. The article @
http://msdn.microsoft.com/msdnmag/is...2/default.aspx
provides a good discussion of this setting. However, KB 286401 states
that this setting is not supported by MS.

-Steve Jansen
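Added example, not part of the original thread: the reply above suggests confirming the result by auditing access on the share and checking the event log, and this sketch shows what that check looks for on the file server by sorting network logons that arrive from the web server into "end user reached the share", "anonymous (delegation failed)" and "server's own machine account". Assumptions: the field names follow Windows Security event 4624 as logged by current Windows versions (the 2003-era servers in the thread used different event IDs); the key=value record layout, the address 10.0.0.10 for web server [w] and all sample records are constructed.

```python
from collections import defaultdict

WEB_SERVER_IP = "10.0.0.10"  # assumption: address of the IIS server [w]

# Constructed sample records; a simplified stand-in for exported 4624 events.
SAMPLE_EVENTS = """\
EventID=4624;LogonType=3;TargetUserName=alice;AuthenticationPackageName=Kerberos;IpAddress=10.0.0.10
EventID=4624;LogonType=3;TargetUserName=ANONYMOUS LOGON;AuthenticationPackageName=NTLM;IpAddress=10.0.0.10
EventID=4624;LogonType=3;TargetUserName=W$;AuthenticationPackageName=Kerberos;IpAddress=10.0.0.10
EventID=4624;LogonType=3;TargetUserName=bob;AuthenticationPackageName=NTLM;IpAddress=10.0.0.55
EventID=4624;LogonType=2;TargetUserName=admin;AuthenticationPackageName=Negotiate;IpAddress=-
"""

def parse_event(line):
    """Split one 'key=value;key=value' record into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split(";") if "=" in f)

def classify(event, web_server_ip=WEB_SERVER_IP):
    """Verdict for one event; None unless it is a network logon from the web server."""
    if event.get("EventID") != "4624" or event.get("LogonType") != "3":
        return None  # only network logons (type 3) are the second hop
    if event.get("IpAddress") != web_server_ip:
        return None  # a client reaching the share directly, not through IIS
    user = event.get("TargetUserName", "")
    if user.upper() == "ANONYMOUS LOGON":
        return "double-hop-failed"  # IIS had no delegable credentials for the user
    if user.endswith("$"):
        return "process-identity"   # machine account: access ran as the server itself
    return "delegated-user"         # the end user's identity reached the share

def summarize(text, web_server_ip=WEB_SERVER_IP):
    """Group (user, authentication package) pairs by verdict."""
    result = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        verdict = classify(event, web_server_ip)
        if verdict:
            result[verdict].append((event.get("TargetUserName", "?"),
                                    event.get("AuthenticationPackageName", "?")))
    return dict(result)

if __name__ == "__main__":
    for verdict, entries in summarize(SAMPLE_EVENTS).items():
        print(verdict, entries)
```

An "access denied" in the web application paired with double-hop-failed entries means the request was impersonated but the credentials could not be forwarded; delegated-user entries mean the share's ACLs are being evaluated against the real user.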
 
 
 
 
Guest
Posts: n/a
 
      10-16-2003
Thanks Steve. Your options are really logical. However, I
tried with basic authentication, as we are on an intranet
and it's OK for us to pass in plain text too, but it seems it
doesn't work.

Also, I am not able to delete the UNC parameters too as
you did..
 
Steve Jansen
Guest
Posts: n/a
 
      10-16-2003
Did you use adsutil.vbs to delete the UNC parameters, or did you try to use
the GUI tool (inetmgr.exe)?
 
sandy
Guest
Posts: n/a
 
      10-17-2003
I tried using adsutil.vbs!
 
 
 