Velocity Reviews - Computer Hardware Reviews

ASP.NET using impersonation cannot access network shared drive

 
 
benny
07-16-2004
I have an ASP.NET application with web.config specified:
<identity impersonate="true" />
<authentication mode="Windows" />

If I log in to the client browser as JSMITH and have the server code try to access a network shared drive via Directory.GetFiles("\\\\machineb\\sharedriveb"), I get an access denied error. JSMITH has full rights to access \\machineb\sharedriveb and its contents.

If the server code accesses a local folder that only JSMITH has access to, I have no problems with JSMITH logging in via the client browser.

The only difference I see is that it cannot access network resources. My understanding is that ASP.NET will use the impersonated token to run the code and hence the impersonated token (JSMITH) has access to the resource.

Any suggestions?
 
 
 
 
 
Jim Cheshire [MSFT]
07-16-2004
Hi Benny,

Your understanding is correct. ASP.NET is going to execute that thread
under the identity of the user who is authenticated in IIS. The problem
you're having is likely that you are attempting to allow IIS to delegate your
credentials to the file server using NTLM authentication. That is
explicitly designed to fail in our architecture because it would allow
someone to spoof your identity.

The solution is to set up delegation which would then allow you to use
Kerberos authentication. That would allow you to have your credentials
delegated to the file server from IIS. Here's an article link:

http://support.microsoft.com/default...B;EN-US;810572

There's also considerable information about this and other security issues
in the "Building Secure ASP.NET Applications" book. Here's an excerpt:

http://msdn.microsoft.com/library/de...us/dnnetsec/html/secnetlpMSDN.asp?frame=true

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support

This post is provided "AS-IS" with no warranties and confers no rights.


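Added example (not part of the thread, and not Microsoft's code): a small C# diagnostic for the situation discussed above. It reports how the impersonated token on the current request was obtained and whether it is delegable, then attempts the share access and reports the real outcome. Assumptions: .NET Framework 2.0 or later (for WindowsIdentity.ImpersonationLevel), IIS Integrated Windows authentication, and the class and method names, which are made up for this illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Illustrative helper; DoubleHopCheck, Diagnose and Probe are hypothetical names.
public static class DoubleHopCheck
{
    // Interprets the token for the "second hop" (web server -> file server).
    // authType is WindowsIdentity.AuthenticationType, typically "NTLM",
    // "Kerberos" or "Negotiate" under Integrated Windows authentication.
    public static string Diagnose(string authType, TokenImpersonationLevel level)
    {
        if (level == TokenImpersonationLevel.Delegation)
            return "Token is delegable: the user's identity can be forwarded to another machine.";
        if (level == TokenImpersonationLevel.None)
            return "Not impersonating: network access uses the worker process account.";
        if (string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return "NTLM logon at level " + level + ": valid on this server only, not forwardable.";
        return authType + " logon at level " + level + ": no delegable token was issued.";
    }

    // Runs the diagnosis for the current thread, then tries the access that
    // failed in the thread (Directory.GetFiles on a UNC path).
    public static string Probe(string uncPath)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            string report = id.Name + ": "
                + Diagnose(id.AuthenticationType ?? "(unknown)", id.ImpersonationLevel);
            try
            {
                int count = Directory.GetFiles(uncPath).Length;
                return report + " Share access OK (" + count + " files).";
            }
            catch (UnauthorizedAccessException ex)
            {
                // Access denied on the remote share, as described in the question.
                return report + " Share access denied: " + ex.Message;
            }
            catch (IOException ex)
            {
                // Path not found, network errors and similar I/O failures.
                return report + " Share I/O error: " + ex.Message;
            }
        }
    }
}
```

Call DoubleHopCheck.Probe(@"\\machineb\sharedriveb") from a page in the impersonating application and HTML-encode the result before writing it to the response.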
 
 
 