Creating files in a unc shared drive.

 
 
Tom
      08-16-2005
I have a web app that allows you to upload files to a shared folder and
also read them off a list of uploaded files.

I created a shared drive on the destination server, and using a mapped
virtual folder to the shared, I can view the files from the shared drive.

My problem is writing the files. We're using the html input control to
upload files. We're also using System.IO.FileStream Write method to do the
job. It works until we need to write to the shared drive.

I've looked at various threads and other listings, but can someone add some
code to do this? I'm not sure how to add a credentials object to the write
operation. I've configured my config file to impersonate.

Thanks
 
Dominick Baier [DevelopMentor]
      08-16-2005
Hello Tom,

If you are accessing a non-local resource while impersonating, this is called
delegation. You basically want to flow the client identity off the machine.
There are some config steps necessary.

Check this site:
http://www.leastprivilege.com/Troubl...elegation.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Alex
      08-16-2005
Unfortunately, I can't use Kerberos. What I don't understand is, why can't I
use impersonation to connect to a shared drive on the same domain?

Paul Clement
      08-16-2005
On Mon, 15 Aug 2005 18:53:02 -0700, Tom <(E-Mail Removed).(nospam)> wrote:

> I have a web app that allows you to upload files to a shared folder and
> also read them off a list of uploaded files.
>
> I created a shared drive on the destination server, and using a mapped
> virtual folder to the shared, I can view the files from the shared drive.
>
> My problem is writing the files. We're using the html input control to
> upload files. We're also using System.IO.FileStream Write method to do the
> job. It works until we need to write to the shared drive.
>
> I've looked at various threads and other listings, but can someone add some
> code to do this? I'm not sure how to add a credentials object to the write
> operation. I've configured my config file to impersonate.

What level of authentication is your web application using? Are you enabling impersonation?


Paul
~~~~
Microsoft MVP (Visual Basic)
 
Alex
      08-16-2005
I use Windows authentication

> What level of authentication is your web application using? Are you enabling impersonation?
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)
>

 
Alex
      08-16-2005
This is what we ended up doing, and it seems to work:

We set the impersonate="false"
We set the user name and password in the <processModel> element to an active
directory user
We gave the user the proper permissions to the unc share

I'm not sure of the reasons, but I've been told to try and get it working
without Kerberos\delegation.

My only concern is the machine.config changes. I'm not sure how it affects
the other web sites we have....
 
Joe Kaplan (MVP - ADSI)
 
      08-17-2005
It means all of the other web sites on the machine will have the worker
process running as your domain account too. This may or may not be a bad
thing, depending on what it can do.

What's the problem with Kerberos delegation? It is probably the best way to
solve this problem. The other good way is to put the code that does the UNC
access in a separate component and set it up in COM+ to run as your domain
identity. That way only this piece of code has the special privileges. Of
course, this is more complicated to implement and deploy, but offers more
security.

Joe K.

Alex
      08-17-2005
I'm not sure why my manager doesn't want to enable Kerberos delegation in
IIS. Running all sites under the user won't be a problem. It's a generic
system user who does have permissions to perform tasks.

Thanks
 
Joe Kaplan (MVP - ADSI)
 
      08-17-2005
Fair enough. As long as you understand your options.

Joe K.

Paul Clement
      08-17-2005
On Tue, 16 Aug 2005 08:01:03 -0700, "Alex" <(E-Mail Removed).(nospam)> wrote:

> Unfortunately, I can't use Kerberos. What I don't understand is, why can't I
> use impersonation to connect to a shared drive on the same domain?


Just an explanation for this:

Web apps that implement Integrated Windows security are authenticated via NTLM and IIS never
receives the credentials to delegate to the remote server.

You may have run across the following documentation:

http://msdn.microsoft.com/library/de...delegation.asp


Paul
~~~~
Microsoft MVP (Visual Basic)
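
The workaround Alex describes, and the scoping concern Joe Kaplan raises about it, as an added configuration sketch that is not part of any post in the thread. The account name and password are placeholders, and the per-application <identity> variant in (2) is an alternative the thread does not mention.

```xml
<!-- Constructed example. CONTOSO\svc-upload and PLACEHOLDER are made-up values. -->

<!-- (1) As described in the thread: machine.config, machine-wide.
     All ASP.NET sites on the machine now run their worker process as the
     domain account, so each of them can reach whatever that account can.
     Under IIS 6 worker process isolation mode this identity setting is
     ignored and the application pool identity applies instead. -->
<configuration>
  <system.web>
    <processModel userName="CONTOSO\svc-upload"
                  password="PLACEHOLDER" />
  </system.web>
</configuration>

<!-- web.config of the upload application, as described in the thread:
     Windows authentication stays on, impersonation of the caller is off,
     so file access happens under the process account set above. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="false" />
  </system.web>
</configuration>

<!-- (2) Narrower alternative (not from the thread): web.config of the upload
     application only. ASP.NET impersonates the fixed domain account for this
     application's requests; machine.config and the other sites are untouched,
     so only this application can write to the share. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true"
              userName="CONTOSO\svc-upload"
              password="PLACEHOLDER" />
  </system.web>
</configuration>

<!-- In both variants the password sits in a config file, so restrict the
     file's ACL and grant the account only the share/NTFS rights the upload
     feature needs (write to the upload folder, nothing else). -->
```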