benny #1
ASP.NET using impersonation cannot access network shared drive
I have an ASP.NET application with web.config specified:
<identity impersonate="true"/>
<authentication mode="Windows" />
If I login to the client browser as JSMITH and have the server code trying to access a network shared drive via Directory.GetFiles("\\\\machineb\\sharedriveb"), I get an access denied error. JSMITH has full rights to access \\machineb\sharedriveb and its contents.
If the server code accesses a local folder with only access to JSMITH, I have no problems with JSMITH logging in via the client browser.
The only difference I see is that it cannot access network resources. My understanding is that ASP.NET will use the impersonated token to run the code and hence the impersonated token (JSMITH) has access to the resource.
Any suggestions?
Jim Cheshire [MSFT] #2
RE: ASP.NET using impersonation cannot access network shared drive
Hi Benny,
Your understanding is correct. ASP.NET is going to execute that thread
under the identity of the user who is authenticated in IIS. The problem
you're having is likely that you are attempting to allow IIS to delegate your
credentials to the file server using NTLM authentication. That is
explicitly designed to fail in our architecture because it would allow
someone to spoof your identity.
The solution is to set up delegation which would then allow you to use
Kerberos authentication. That would allow you to have your credentials
delegated to the file server from IIS. Here's an article link:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;810572
There's also considerable information about this and other security issues
in the "Building Secure ASP.NET Applications" book. Here's an excerpt:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
jamesche@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
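Added example, not part of the original thread: a small C# diagnostic for the situation discussed above, reporting which identity the thread runs as, how it was authenticated, and whether the token is at delegation level before trying the share. The class and method names are hypothetical; the UNC path is the one from the question, and the code is meant to be called from server code while impersonation is enabled.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class DoubleHopCheck
{
    // Classifies the token of the identity passed in (hypothetical helper).
    public static string Describe(WindowsIdentity id)
    {
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                return "delegation-level token: may authenticate to a remote server as the user";
            case TokenImpersonationLevel.Impersonation:
                // Typical result of an NTLM logon to IIS: usable locally,
                // normally not forwardable to a second server.
                return "impersonation-level token: local access only is expected";
            case TokenImpersonationLevel.None:
                return "primary token: thread is not impersonating, process account is used";
            default:
                return "level " + id.ImpersonationLevel + ": cannot act as the user";
        }
    }

    // Reports the current identity, then attempts the same call as in the question.
    public static string Probe(string uncPath)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            string report = id.Name + " via " + id.AuthenticationType + ", " + Describe(id);
            try
            {
                int count = Directory.GetFiles(uncPath).Length;
                return report + "; listed " + count + " files";
            }
            catch (UnauthorizedAccessException ex) { return report + "; denied: " + ex.Message; }
            catch (IOException ex) { return report + "; I/O error: " + ex.Message; }
        }
    }

    // Stand-alone entry point; in ASP.NET call Probe() from the page instead.
    public static void Main()
    {
        Console.WriteLine(Probe(@"\\machineb\sharedriveb"));
    }
}
```

An NTLM logon paired with an impersonation-level token and a denied share access matches the failure described in the reply; after delegation is configured, the same call should report Kerberos and a delegation-level token.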

