gaining access to a share

[Lachlan James]

Hi,

I want to create a folder on a network share from within
my ASP.NET application. The app uses a custom
authentication mechanism which creates a Principal object
after looking up an external system.

It seems whenever the Directory.CreateDirectory() method
executes I get an UnauthorizedAccessException exception. I
suspect this is because the ASPNET account is a local
account which is unknown to the computer where the share
resides.

How can I progamatically gain access to that share to
create the dir?

I do not want to configure impersonation in the web.config
as I fear this is less secure.

Thanks, Lachlan

[Paul Clement]

On Mon, 14 Feb 2005 08:04:42 -0800, "Lachlan James" <anonymous@discussions.microsoft.com> wrote:

¤ Hi,
¤
¤ I want to create a folder on a network share from within
¤ my ASP.NET application. The app uses a custom
¤ authentication mechanism which creates a Principal object
¤ after looking up an external system.
¤
¤ It seems whenever the Directory.CreateDirectory() method
¤ executes I get an UnauthorizedAccessException exception. I
¤ suspect this is because the ASPNET account is a local
¤ account which is unknown to the computer where the share
¤ resides.
¤
¤ How can I progamatically gain access to that share to
¤ create the dir?
¤
¤ I do not want to configure impersonation in the web.config
¤ as I fear this is less secure.

You need to understand how delegation works so you can choose which authentication method best suits
your configuration:

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconaspnetdelegation.asp[/url]
[url]http://support.microsoft.com/default.aspx?scid=kb;en-us;810572[/url]


Paul ~~~ [email]pclement@ameritech.net[/email]
Microsoft MVP (Visual Basic)

[Lachlan James]

Hi Paul,

Thanks for your reply. Unfortunately we are using a custom
authentication system for this particular application
because the built in ones don't fulfil our needs. This
means using windows authentication & impersonation is not
possible. Besides that, it is not recommended to do it
that way for security reasons.

However towards the end of the article you posted it
mentioned using COM+ serviced components to achieve this,
so that's what I have done. I have a serviced component
which I call from my asp.net app. The serviced component
runs under a custom account which has access to the
network share. This is the easiest & most secure way to do
this I think.

For anyone else that is interested in doing this, below is
a great article which explains how to do it and why it is
the only viable option.

[url]http://www.15seconds.com/issue/030926.htm[/url]

Lachlan

>-----Original Message-----
>On Mon, 14 Feb 2005 08:04:42 -0800, "Lachlan James"

<anonymous@discussions.microsoft.com> wrote:

>
>¤ Hi,
>¤
>¤ I want to create a folder on a network share from

within

>¤ my ASP.NET application. The app uses a custom
>¤ authentication mechanism which creates a Principal

object

>¤ after looking up an external system.
>¤
>¤ It seems whenever the Directory.CreateDirectory()

method

>¤ executes I get an UnauthorizedAccessException

exception. I

>¤ suspect this is because the ASPNET account is a local
>¤ account which is unknown to the computer where the

share

>¤ resides.
>¤
>¤ How can I progamatically gain access to that share to
>¤ create the dir?
>¤
>¤ I do not want to configure impersonation in the

web.config

>¤ as I fear this is less secure.
>
>You need to understand how delegation works so you can

choose which authentication method best suits

>your configuration:
>
>[url]http://msdn.microsoft.com/library/default.asp?[/url]

url=/library/en-us/vsent7/html/vxconaspnetdelegation.asp

>[url]http://support.microsoft.com/default.aspx?scid=kb;en-[/url]

us;810572

>
>
>Paul ~~~ [email]pclement@ameritech.net[/email]
>Microsoft MVP (Visual Basic)
>.
>

[Paul Clement]

On Tue, 15 Feb 2005 03:36:08 -0800, "Lachlan James" <anonymous@discussions.microsoft.com> wrote:

¤ Hi Paul,
¤
¤ Thanks for your reply. Unfortunately we are using a custom
¤ authentication system for this particular application
¤ because the built in ones don't fulfil our needs. This
¤ means using windows authentication & impersonation is not
¤ possible. Besides that, it is not recommended to do it
¤ that way for security reasons.
¤
¤ However towards the end of the article you posted it
¤ mentioned using COM+ serviced components to achieve this,
¤ so that's what I have done. I have a serviced component
¤ which I call from my asp.net app. The serviced component
¤ runs under a custom account which has access to the
¤ network share. This is the easiest & most secure way to do
¤ this I think.
¤
¤ For anyone else that is interested in doing this, below is
¤ a great article which explains how to do it and why it is
¤ the only viable option.
¤
¤ [url]http://www.15seconds.com/issue/030926.htm[/url]
¤
¤ Lachlan

Yes I still use this type of mechanism for ASP and Visual Basic 6.0 components, although I kind of
moved away from COM+ since I moved to .NET.


Paul ~~~ [email]pclement@ameritech.net[/email]
Microsoft MVP (Visual Basic)