Ask a Question related to ASP.NET Security, Design and Development.
-
David Davies #1
CreateDirectory working inconsistently from ASP.net
Please HELP !!
I have a web page that is trying to create folders on a file server
eg. \\SERVERNAME\F4\Projects\[New Folder Name]
Users of the web site are authenticated with Windows Integrated Security.
(have tried on W2003/IIS6 and W2k/IIS5 with no difference in behavior)
When a user connects to the site using a browser on the same machine as the
webserver the code works and is able to create the new folder.
When the same user connects from a remote machine the CreateDirectory
function generates the following Exception
System.UnauthorizedAccessException
"Access to the path \"TEST\" is denied."
Source "mscorlib"
StackTrace
System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.Directory.InternalCreateDirectory(String fullPath, String
path)\r\n
....
I have tried to do this in 3 ways all with the same problem;
A)
DirectoryInfo di = Directory.CreateDirectory(newfullpath);
B)
DirectoryInfo root = new DirectoryInfo(rootPath);
DirectoryInfo di = root.CreateSubdirectory(folderName);
C)
[DllImport("kernel32.dll")]
static extern bool CreateDirectory(string lpPathName, IntPtr lpSecurityAttributes);
....
bool result = CreateDirectory(path, IntPtr.Zero);
DirectoryInfo di = new DirectoryInfo(path);
I have also checked that the Integrated Authentication is getting passed
correctly into the application
string origID = Thread.CurrentPrincipal.Identity.Name;
string contextUser = HttpContext.Current.User.Identity.Name;
Both calls return the same user regardless if the call is from the server or
a remote machine.
Needless to say that the User has the required permissions to create the
folder because they are able to do so as long as they do it from a browser on
the server itself.
If anyone can shed any light on what is going on here I would greatly
appreciate it.
Regards,
David Davies
Goldman Sachs
David Davies Guest
-
Scott Allen #2
Re: CreateDirectory working inconsistently from ASP.net
Hi David:
You are facing the dreaded double hop NTLM issue. With integrated
authentication the client's credentials can make exactly one network
hop. When the browser authenticates to the web server from a remote
machine the credentials make one hop and can't be used to make a
second hop to the server with the file share (if the browser is on the
same machine as the web server the call works because there is still
only one hop involved).
A few of the solutions are:
1) Enable delegation
[url]http://support.microsoft.com/default.aspx?kbid=810572[/url]
2) Impersonate with a specific username and password, i.e.
<identity impersonate="true" userName="<name>" password="<password>"/>
You can also do this programmatically.
3) Run the ASP.NET worker process under a domain account with
permissions on both machines.
There are some good tips for 2 & 3 here:
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp[/url]
HTH,
--
Scott
[url]http://www.OdeToCode.com/blogs/scott/[/url]
On Sun, 24 Oct 2004 20:51:02 -0700, David Davies
<DavidDavies@discussions.microsoft.com> wrote:
>Please HELP !!
>
>I have a web page that is trying to create folders on a file server
>
> eg. \\SERVERNAME\F4\Projects\[New Folder Name]
>
>Users of the web site are authenticated with Windows Integrated Security.
>
>(have tried on W2003/IIS6 and W2k/IIS5 with no difference in behavior)
>
>When a user connects to the site using a browser on the same machine as the
>webserver the code works and is able to create the new folder.
>
>When the same user connects from a remote machine the CreateDirectory
>function generates the following Exception
>System.UnauthorizedAccessException
>"Access to the path \"TEST\" is denied."
>Source "mscorlib"
>StackTrace
>System.IO.__Error.WinIOError(Int32 errorCode, String str)
>at System.IO.Directory.InternalCreateDirectory(String fullPath, String
>path)\r\n
>...
>
>I have tried to do this in 3 ways all with the same problem;
>A)
>DirectoryInfo di = Directory.CreateDirectory(newfullpath);
>
>B)
>DirectoryInfo root = new DirectoryInfo(rootPath);
>DirectoryInfo di = root.CreateSubdirectory(folderName);
>
>C)
>[DllImport("kernel32.dll")]
>static extern bool CreateDirectory(string lpPathName, IntPtr lpSecurityAttributes);
>...
>bool result = CreateDirectory(path, IntPtr.Zero);
>DirectoryInfo di = new DirectoryInfo(path);
>
>I have also checked that the Integrated Authentication is getting passed
>correctly into the application
>
>string origID = Thread.CurrentPrincipal.Identity.Name;
>string contextUser = HttpContext.Current.User.Identity.Name;
>
>Both calls return the same user regardless if the call is from the server or
>a remote machine.
>Needless to say that the User has the required permissions to create the
>folder because they are able to do so as long as they do it from a browser on
>the server itself.
>
>If anyone can shed any light on what is going on here I would greatly
>appreciate it.
>
>Regards,
>David Davies
>Goldman Sachs
Scott Allen Guest
-
David Davies #3
Re: CreateDirectory working inconsistently from ASP.net
Many thanks Scott.
2 and 3 are not feasible because the ability to create a directory must
depend on the rights of the user.
That leaves Delegation as the only option. I have followed the instructions
in the kb you posted and waited a few hours to allow for propagation but it
is still producing the same result.
Is there any way to test Delegation is functioning?
Regards,
David
"Scott Allen" wrote:
> Hi David:
>
> You are facing the dreaded double hop NTLM issue. With integrated
> authentication the client's credentials can make exactly one network
> hop. When the browser authenticates to the web server from a remote
> machine the credentials make one hop and can't be used to make a
> second hop to the server with the file share (if the browser is on the
> same machine as the web server the call works because there is still
> only one hop involved).
>
> A few of the solutions are:
>
> 1) Enable delegation
> [url]http://support.microsoft.com/default.aspx?kbid=810572[/url]
>
> 2) Impersonate with a specific username and password, i.e.
> <identity impersonate="true" userName="<name>" password="<password>"/>
> You can also do this programmatically.
>
> 3) Run the ASP.NET worker process under a domain account with
> permissions on both machines.
>
> There are some good tips for 2 & 3 here:
> [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp[/url]
>
> HTH,
>
> --
> Scott
> [url]http://www.OdeToCode.com/blogs/scott/[/url]
David Davies Guest
-
Scott Allen #4
Re: CreateDirectory working inconsistently from ASP.net
Hi David:
I know of a troubleshooting paper:
Troubleshooting Kerberos Delegation
[url]http://www.microsoft.com/downloads/details.aspx?FamilyID=99b0f94f-e28a-4726-bffe-2f64ae2f59a2&displaylang=en[/url]
It's quite extensive (lengthy) and includes links to some command line
utilities and demonstrates how to turn on some auditing. Hopefully
this can help out.
--
Scott
[url]http://www.OdeToCode.com/blogs/scott/[/url]
On Mon, 25 Oct 2004 20:27:02 -0700, David Davies
<DavidDavies@discussions.microsoft.com> wrote:
>Many thanks Scott.
>
>2 and 3 are not feasible because the ability to create a directory must
>depend on the rights of the user.
>
>That leaves Delegation as the only option. I have followed the instructions
>in the kb you posted and waited a few hours to allow for propagation but it
>is still producing the same result.
>
>Is there any way to test Delegation is functioning ?
>
>Regards,
>David
>
>"Scott Allen" wrote:
Scott Allen Guest
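
Editor's added example, not code from any poster in this thread: a small in-application check for the question raised in post #3, reporting how the caller authenticated and what level of token the web server received, then probing the share under the caller's identity. The names DelegationCheck, Describe and uncRoot are hypothetical, and the code assumes .NET Framework 2.0 or later (WindowsIdentity.ImpersonationLevel does not exist in 1.x).

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical diagnostic helper; compare its output for a local and a remote browser.
public static class DelegationCheck
{
    // uncRoot: a share folder the caller may write to, e.g. the thread's
    // \\SERVERNAME\F4\Projects path.
    public static string Describe(HttpContext ctx, string uncRoot)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null)
            return "Request is not Windows-authenticated.";

        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Caller:              " + caller.Name);
        // "NTLM" tokens cannot be forwarded; "Negotiate" may be Kerberos or NTLM.
        sb.AppendLine("Authentication type: " + caller.AuthenticationType);
        // Impersonation: usable on this machine only. Delegation: may hop again.
        sb.AppendLine("Token level:         " + caller.ImpersonationLevel);

        // Probe the share as the caller, then always revert the thread identity.
        string probe = Path.Combine(uncRoot, "deleg-probe-" + Guid.NewGuid().ToString("N"));
        WindowsImpersonationContext wic = caller.Impersonate();
        try
        {
            sb.AppendLine("Thread runs as:      " + WindowsIdentity.GetCurrent().Name);
            Directory.CreateDirectory(probe);
            Directory.Delete(probe);
            sb.AppendLine("Share write probe:   succeeded");
        }
        catch (UnauthorizedAccessException ex)
        {
            sb.AppendLine("Share write probe:   denied: " + ex.Message);
        }
        catch (IOException ex)
        {
            sb.AppendLine("Share write probe:   I/O error: " + ex.Message);
        }
        finally
        {
            wic.Undo();
        }
        return sb.ToString();
    }
}
```

From a remote browser, a token level of Impersonation together with a denied probe matches the double-hop behaviour described in post #2; a token level of Delegation indicates the server received a token it can present to the file server.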




