Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > System.UnauthorizedAccessException

Reply
Thread Tools

System.UnauthorizedAccessException

 
 
Manuel
Guest
Posts: n/a
 
      06-05-2009
Hi,

a asp.net web page developed using visual studio 2008 with .net framework
3.5 can not access to a network file
\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\ NTMAIL\Received\i0067758.zip
When I debug the application using visual studio on my local machine it
works correctly but when I publish the application a
System.UnauthorizedAccessException occurs

Please help
 
Reply With Quote
 
 
 
 
Allen Chen [MSFT]
Guest
Posts: n/a
 
      06-08-2009
Hi Manuel,

>a asp.net web page developed using visual studio 2008 with .net framework
>3.5 can not access to a network file
>\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its \NTMAIL\Received\i0067758.

zip
>When I debug the application using visual studio on my local machine it
>works correctly but when I publish the application a
>System.UnauthorizedAccessException occurs


It's a double hop issue. When you debug your application in Visual Studio
the thread's identity is your domain account, which has access permission
to the shared file. However, when you host your application on IIS the
default identity of the thread is the NetworkService account (IIS 6+). To
use the domain account to access the file one way is to use Basic
authentication and turn on impersonation
(http://msdn.microsoft.com/en-us/libr...18(VS.71).aspx).

More documentations about double hop and solution:

http://blogs.msdn.com/nunos/archive/.../12/88468.aspx
http://drowningintechnicaldebt.com/b.../2006/12/06/Th
e-_1C20_Double-Hop_1D20_-Issue.aspx
http://weblogs.asp.net/avnerk/archiv...22/232967.aspx
http://support.microsoft.com/kb/910449
http://support.microsoft.com/kb/891031
http://support.microsoft.com/kb/810572
http://support.microsoft.com/service...red/asp/view.a
sp?url=/servicedesks/webcasts/en/WC102704/manifest.xml

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
http://www.velocityreviews.com/forums/(E-Mail Removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subs.../aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




 
Reply With Quote
 
 
 
 
Manuel
Guest
Posts: n/a
 
      06-08-2009
Hello Allen,

I have a cast exception at runtime

System.Security.Principal.WindowsImpersonationCont ext impersonationContext;

impersonationContext =
((System.Security.Principal.WindowsIdentity)HttpCo ntext.Current.User.Identity).Impersonate();

please help
thank you


"Allen Chen [MSFT]" wrote:

> Hi Manuel,
>
> >a asp.net web page developed using visual studio 2008 with .net framework
> >3.5 can not access to a network file
> >\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its \NTMAIL\Received\i0067758.

> zip
> >When I debug the application using visual studio on my local machine it
> >works correctly but when I publish the application a
> >System.UnauthorizedAccessException occurs

>
> It's a double hop issue. When you debug your application in Visual Studio
> the thread's identity is your domain account, which has access permission
> to the shared file. However, when you host your application on IIS the
> default identity of the thread is the NetworkService account (IIS 6+). To
> use the domain account to access the file one way is to use Basic
> authentication and turn on impersonation
> (http://msdn.microsoft.com/en-us/libr...18(VS.71).aspx).
>
> More documentations about double hop and solution:
>
> http://blogs.msdn.com/nunos/archive/.../12/88468.aspx
> http://drowningintechnicaldebt.com/b.../2006/12/06/Th
> e-_1C20_Double-Hop_1D20_-Issue.aspx
> http://weblogs.asp.net/avnerk/archiv...22/232967.aspx
> http://support.microsoft.com/kb/910449
> http://support.microsoft.com/kb/891031
> http://support.microsoft.com/kb/810572
> http://support.microsoft.com/service...red/asp/view.a
> sp?url=/servicedesks/webcasts/en/WC102704/manifest.xml
>
> Regards,
> Allen Chen
> Microsoft Online Support
>
> Delighting our customers is our #1 priority. We welcome your comments and
> suggestions about how we can improve the support we provide to you. Please
> feel free to let my manager know what you think of the level of service
> provided. You can send feedback directly to my manager at:
> (E-Mail Removed).
>
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/en-us/subs...#notifications.
>
> Note: MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 2 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions. Issues of this
> nature are best handled working with a dedicated Microsoft Support Engineer
> by contacting Microsoft Customer Support Services (CSS) at
> http://msdn.microsoft.com/en-us/subs.../aa948874.aspx
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>
>

 
Reply With Quote
 
Allen Chen [MSFT]
Guest
Posts: n/a
 
      06-09-2009
Hi Manuel,

>I have a cast exception at runtime


Could you provide the detailed description of this exception?

If you want to use Basic Authentication to resolve this issue you can try
this:

1. Enable Basic Authentication for this web site in IIS and disable other
authentication.

2. Add following setting in web.config:
<system.web>
<identity impersonate="true"/>

..
</system.web>

Could you try above way to see if it works?

Regards,
Allen Chen
Microsoft Online Support

 
Reply With Quote
 
Tony201
Guest
Posts: n/a
 
      06-09-2009
Manuel,

In order for you to impersonate over a double hop, you need to setup
delegation for your app pool account and create (if they don't already exist)
SPNs for your application and the file server. The application SPN should
look like HTTP/FQDN_of_website and the file server SPNs should look something
like CIFS/servername.

Tony

"Manuel" wrote:

> Hello Allen,
>
> I have a cast exception at runtime
>
> System.Security.Principal.WindowsImpersonationCont ext impersonationContext;
>
> impersonationContext =
> ((System.Security.Principal.WindowsIdentity)HttpCo ntext.Current.User.Identity).Impersonate();
>
> please help
> thank you
>
>
> "Allen Chen [MSFT]" wrote:
>
> > Hi Manuel,
> >
> > >a asp.net web page developed using visual studio 2008 with .net framework
> > >3.5 can not access to a network file
> > >\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its \NTMAIL\Received\i0067758.

> > zip
> > >When I debug the application using visual studio on my local machine it
> > >works correctly but when I publish the application a
> > >System.UnauthorizedAccessException occurs

> >
> > It's a double hop issue. When you debug your application in Visual Studio
> > the thread's identity is your domain account, which has access permission
> > to the shared file. However, when you host your application on IIS the
> > default identity of the thread is the NetworkService account (IIS 6+). To
> > use the domain account to access the file one way is to use Basic
> > authentication and turn on impersonation
> > (http://msdn.microsoft.com/en-us/libr...18(VS.71).aspx).
> >
> > More documentations about double hop and solution:
> >
> > http://blogs.msdn.com/nunos/archive/.../12/88468.aspx
> > http://drowningintechnicaldebt.com/b.../2006/12/06/Th
> > e-_1C20_Double-Hop_1D20_-Issue.aspx
> > http://weblogs.asp.net/avnerk/archiv...22/232967.aspx
> > http://support.microsoft.com/kb/910449
> > http://support.microsoft.com/kb/891031
> > http://support.microsoft.com/kb/810572
> > http://support.microsoft.com/service...red/asp/view.a
> > sp?url=/servicedesks/webcasts/en/WC102704/manifest.xml
> >
> > Regards,
> > Allen Chen
> > Microsoft Online Support
> >
> > Delighting our customers is our #1 priority. We welcome your comments and
> > suggestions about how we can improve the support we provide to you. Please
> > feel free to let my manager know what you think of the level of service
> > provided. You can send feedback directly to my manager at:
> > (E-Mail Removed).
> >
> > ==================================================
> > Get notification to my posts through email? Please refer to
> > http://msdn.microsoft.com/en-us/subs...#notifications.
> >
> > Note: MSDN Managed Newsgroup support offering is for non-urgent issues
> > where an initial response from the community or a Microsoft Support
> > Engineer within 2 business day is acceptable. Please note that each follow
> > up response may take approximately 2 business days as the support
> > professional working with you may need further investigation to reach the
> > most efficient resolution. The offering is not appropriate for situations
> > that require urgent, real-time or phone-based interactions. Issues of this
> > nature are best handled working with a dedicated Microsoft Support Engineer
> > by contacting Microsoft Customer Support Services (CSS) at
> > http://msdn.microsoft.com/en-us/subs.../aa948874.aspx
> > ==================================================
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> >
> >
> >

 
Reply With Quote
 
Manuel
Guest
Posts: n/a
 
      06-09-2009
It works well, thank you very much !

"Allen Chen [MSFT]" wrote:

> Hi Manuel,
>
> >I have a cast exception at runtime

>
> Could you provide the detailed description of this exception?
>
> If you want to use Basic Authentication to resolve this issue you can try
> this:
>
> 1. Enable Basic Authentication for this web site in IIS and disable other
> authentication.
>
> 2. Add following setting in web.config:
> <system.web>
> <identity impersonate="true"/>
>
> ..
> </system.web>
>
> Could you try above way to see if it works?
>
> Regards,
> Allen Chen
> Microsoft Online Support
>
>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off




Advertisments