Access network resources from ASP.NET


Dima Semensky

Hi!

After extensive research of this topic, I'm still not sure what the
"official" way to do it is.

Task:

1. User submits some request to ASP.NET application and the app should
write the result to a network share.
2. Integrated Authentication must be used
3. No open passwords are allowed to be specified in any config files
4. Can't assign special domain user as Local Administrator

Problem:

With default setup, it is not possible due to security reasons.

Related topics:
- impersonation
- machine.config - processModel.userName
- IUSR_MACHINE user
- delegation

Here is where I'm stuck: I'd like to use impersonation like this:
<identity impersonate="true" userName="Bob" password="pwd" />

but this topic explains that it's not possible:
http://groups.google.com/groups?q=i...t.*&selm=uzT4T##wCHA.2680@TK2MSFTNGP09&rnum=1

Any ideas?

Dima Semenskyy.
 

Jim Cheshire [MSFT]

Dima,

What you are doing is possible. What Mitch is talking about in his post is
delegation of credentials. Essentially, this means that if you are
browsing the site and using your credentials sent by the browser, those
same credentials cannot be used to access another resource on a machine
remote to the Web server. In that scenario, the Web server is delegating
your credentials, and such is prevented when using NTLM authentication. If
all of the boxes are using Windows 2000 or later, you can use Kerberos and
delegation to get around that.

However, what you really want to do is impersonate this user just to run a
certain section of code and to write to the network resource. In that
case, code-level impersonation using PInvoke to call LogonUser is the
perfect solution.

Here is an article that explains how to do that:
306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
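What Jim describes, scoped code-level impersonation via P/Invoke to LogonUser, looks roughly like the following in C#. This is an added example, not code from the thread or from KB article 306158. It assumes the caller obtains the user name, domain and password from some protected store of its own (the example takes them as parameters and does not read them from web.config), and it uses the LOGON32_LOGON_NEW_CREDENTIALS logon type so that the supplied credentials are used only for outbound network access while local operations keep the ASP.NET process identity; the domain account therefore needs rights on the share but no local rights on the Web server. On Windows 2000 the worker process needs the "Act as part of the operating system" privilege to call LogonUser at all; on Windows XP/2003 it does not, which is why the KB article discusses that privilege.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: impersonate a domain account only for the duration of one
// "using" block, then revert to the process identity and release the token.
public sealed class NetworkImpersonation : IDisposable
{
    // Win32 constants for advapi32!LogonUser. NEW_CREDENTIALS (9) applies the
    // credentials to remote connections only; local access is unchanged.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private IntPtr _token = IntPtr.Zero;
    private WindowsImpersonationContext _context;

    public NetworkImpersonation(string user, string domain, string password)
    {
        // Obtain a primary token for the account; fail loudly with the Win32 error.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out _token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // Switch the current (request) thread to the new token.
            _context = new WindowsIdentity(_token).Impersonate();
        }
        catch
        {
            CloseHandle(_token);
            _token = IntPtr.Zero;
            throw;
        }
    }

    public void Dispose()
    {
        // Revert first, then close the token, so the thread never keeps a
        // reference to a closed handle.
        if (_context != null) { _context.Undo(); _context = null; }
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}

public static class ShareWriter
{
    // Hypothetical caller (assumed, not from the thread): writes one result file
    // to a UNC path under the supplied account, then reverts automatically.
    public static void WriteResult(string uncPath, string content,
                                   string user, string domain, string password)
    {
        using (new NetworkImpersonation(user, domain, password))
        {
            using (StreamWriter writer = new StreamWriter(uncPath, false))
            {
                writer.Write(content);
            }
        }
        // Back to the process identity here, even if the write threw.
    }
}
```

The impersonation is tied to the request thread, so keep the block short and avoid handing work to another thread or to the thread pool while it is active; anything started there would not carry the impersonated token. Because the token is created with NEW_CREDENTIALS rather than INTERACTIVE, this path does not require the account to be a local administrator, which matches the fourth requirement in the original post.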
 

AlKa

THANK YOU JIM!!!

I looked for it (306158 INFO) for a long long time ... I love you!

Alessandro

Jim Cheshire said:
Dima,

What you are doing is possible. What Mitch is talking about in his post is
delegation of credentials. Essentially, this means that if you are
browsing the site and using your credentials sent by the browser, those
same credentials cannot be used to access another resource on a machine
remote to the Web server. In that scenario, the Web server is delegating
your credentials, and such is prevented when using NTLM authentication. If
all of the boxes are using Windows 2000 or later, you can use Kerberos and
delegation to get around that.

However, what you really want to do is impersonate this user just to run a
certain section of code and to write to the network resource. In that
case, code-level impersonation using PInvoke to call LogonUser is the
perfect solution.

Here is an article that explains how to do that:
306158 INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/?id=306158

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "Dima Semensky" <[email protected]>
Subject: Access network resources from ASP.NET
Date: Thu, 23 Oct 2003 10:55:28 -0400
Lines: 34
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <O#[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: 208.18.161.2
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7296
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

Hi!

After extensive research of this topic, I'm still not sure what the
"official" way to do it is.

Task:

1. User submits some request to ASP.NET application and the app should
write the result to a network share.
2. Integrated Authentication must be used
3. No open passwords are allowed to be specified in any config files
4. Can't assign special domain user as Local Administrator

Problem:

With default setup, it is not possible due to security reasons.

Related topics:
- impersonation
- machine.config - processModel.userName
- IUSR_MACHINE user
- delegation

Here is where I'm stuck: I'd like to use impersonation like this:
<identity impersonate="true" userName="Bob" password="pwd" />

but this topic explains that it's not possible:
http://groups.google.com/groups?q=impersonate+Logon+failure:+unknown+user+name+or+bad+password.++group:microsoft.public.dotnet.*&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.dotnet.*&selm=uzT4T%23%23wCHA.2680%40TK2MSFTNGP09&rnum=1

Any ideas?

Dima Semenskyy.
 

Jim Cheshire [MSFT]

Alessandro,

Thanks for the sentiment. Glad to have resolved your issue. :)

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
From: "AlKa" <me@office>
References: <O#[email protected]>
Subject: Re: Access network resources from ASP.NET
Date: Sun, 9 Nov 2003 00:29:10 +0100
Lines: 99
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#SdS#[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: host106-159.pool217222.interbusiness.it 217.222.159.106
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7476
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

THANK YOU JIM!!!

I looked for it (306158 INFO) for a long long time ... I love you!

Alessandro

 
