sundeeps@niit.com #1
shared folder access
Hi, I have a web application residing on a web server [w]
and a file server [s]. Both servers are part of the same
domain [d].
Now, I want to access shared folders from my web
application, but access should be given only to those
users who have permission on the shared folder.
I set up impersonation on my system and am using Windows
authentication, but I still get an access denied error.
Need help
sundeeps@niit.com Guest
-
Steve Jansen #2
Re: shared folder access
I suggest reading the Patterns & Practices whitepaper "Authentication in
ASP.NET: .NET Security Guidance":
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
Impersonation is not enough to accomplish what you want. You require
account delegation from your physical server running IIS to your physical
server hosting the file share.
Option 1
---------
Your first option is to use Basic Authentication in IIS over SSL. This way,
the inetinfo.exe process has your credentials in plaintext and can log on to
the remote file server on the end user's behalf.
Option 2
---------
Alternatively, I have gotten this to work before with Windows Authentication,
but, it is not straightforward:
1) Enable Windows Authentication in IIS for your web app
2) If you create a virtual directory that maps to your UNC share, manually
delete the UNCUserName and UNCPassword metabase values using adsutil.vbs.
This will remove the UNC user token credentials (something that cannot be
done through inetmgr.exe). Doing so causes IIS to attempt delegation using
the current logon credentials.
3) Even though inetinfo.exe runs as LocalSystem, I had to create an AD
Service Principal Name. First, I had to set the option "Trust this computer
for delegation" for the IIS Computer AD object. Then, I had to issue the
setspn.exe command, which I remember being:
setspn -A HTTP/myhost.mydomain.com myserver
4) For IE clients, I had to add myhost.mydomain.com to the LocalIntranet
zone. I would guess this caused IE to use Kerberos authentication instead
of NTLM. It may have also had something to do with "Automatic Logon in
Intranet Zone only"
Connected IE clients should then browse the remote file share using their
credentials and appropriate ACLs. You should be able to confirm this by
enabling complete auditing of file access for your share and checking the
event viewer. I believe there are major performance implications for this,
due to the increased network activity of IIS performing delegation and UNC
file operations.
Option 3
---------
You can also set the UNCAuthenticationPassthrough metabase attribute to True
to accomplish this. The article at
http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/default.aspx
provides a good discussion of this setting. However, KB 286401 states
that this setting is not supported by MS.
-Steve Jansen
"sundeeps@niit.com" <anonymous@discussions.microsoft.com> wrote in message
news:06d601c39315$9f30aef0$a001280a@phx.gbl...
> hi, i have a web application residing on a web server [w]
> and a file server [s]. Both the servers are part of same
> domain [d].
>
> now, i want to access shared folders from my web
> application but the access should be given to only those
> users who has permission on shared folder.
>
> I set up impersonate in my system and m using windows
> authentication, but still i get access denied error.
>
> Need help
Steve Jansen Guest
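An added example, not part of Steve Jansen's post or of any Microsoft tool: a Python pre-flight check for the Active Directory prerequisites that Option 2 relies on (the HTTP SPN registered on exactly one account, the IIS computer account trusted for delegation, and the end user's account allowed to be delegated). The account records, the `OLDWEB$`, `alice` and `svc-admin` names and the function names are constructed for illustration; the flag values are the documented userAccountControl bits.

```python
# Added example: checks the AD-side prerequisites for the delegation setup in Option 2.
# SAMPLE_DIRECTORY is constructed sample data, not an export from a real domain.

# userAccountControl bits (documented Active Directory flag values)
TRUSTED_FOR_DELEGATION = 0x80000   # "Trust this computer for delegation"
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

SAMPLE_DIRECTORY = [  # constructed: 0x1000 = computer account, 0x200 = user account
    {"name": "MYSERVER$", "uac": 0x1000 | TRUSTED_FOR_DELEGATION,
     "spns": ["HOST/myserver", "HTTP/myhost.mydomain.com"]},
    {"name": "OLDWEB$", "uac": 0x1000,
     "spns": ["HOST/oldweb", "http/MYHOST.mydomain.com"]},
    {"name": "alice", "uac": 0x200, "spns": []},
    {"name": "svc-admin", "uac": 0x200 | NOT_DELEGATED, "spns": []},
]


def spn_owners(directory, spn):
    """Names of accounts holding the SPN; SPNs are compared case-insensitively."""
    wanted = spn.lower()
    return [a["name"] for a in directory
            if any(s.lower() == wanted for s in a["spns"])]


def check_delegation(directory, spn, iis_account, user):
    """Return the reasons why delegating `user` through the IIS host would fail."""
    by_name = {a["name"].lower(): a for a in directory}
    problems = []
    owners = spn_owners(directory, spn)
    if not owners:
        problems.append(f"{spn} is not registered (setspn -A step missing)")
    elif len(owners) > 1:
        problems.append(f"{spn} is registered on {', '.join(sorted(owners))}; "
                        "duplicate SPNs break Kerberos ticket requests")
    elif owners[0].lower() != iis_account.lower():
        problems.append(f"{spn} belongs to {owners[0]}, not {iis_account}")
    iis = by_name.get(iis_account.lower())
    if iis is None or not iis["uac"] & TRUSTED_FOR_DELEGATION:
        problems.append(f"{iis_account} is not trusted for delegation")
    usr = by_name.get(user.lower())
    if usr is not None and usr["uac"] & NOT_DELEGATED:
        problems.append(f"{user} is marked sensitive and cannot be delegated")
    return problems
```

With the sample data the check reports the stale `OLDWEB$` registration of the same SPN; an empty list means the three directory-side conditions hold, and the remaining causes are on the IIS and browser side (steps 2 and 4).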
-
Re: shared folder access
Thanks Steve. Your options are really logical. However, I
tried with Basic authentication, as we are on an intranet
and it's OK for us to pass in plain text too, but it seems it
doesn't work.
Also, I am not able to delete the UNC parameters as
you did.
Guest
-
Steve Jansen #4
Re: shared folder access
Did you use adsutil.vbs to delete the UNC parameters, or did you try to use
the GUI tool (inetmgr.exe)?
<anonymous@discussions.microsoft.com> wrote in message
news:0b0001c393ae$591ea900$a301280a@phx.gbl...
> Thanks Steve. Your options are really logical. However, i
> tried with the basic authentication as we r on intranet
> and its ok for us to pass in plain text too.. but seems it
> doesn't work.
>
> also, i am not able to delete the UNC parameters too as
> you did..
Steve Jansen Guest
-
sandy #5
Re: shared folder access
I tried using adsutil.vbs!
sandy Guest