Accessing Virtual directory on remote machine

TurboT

I have a .net application that I need to write to a directory on a different
server.

1. When the dotnet application runs I have initial setup with IIS using a
virtual directory on same machine. This works fine.

2. Virtual directory to another machine (created the authentication account
and saved in IIS virtual directory setup) - does not work.
3. Tried a persistent mapped drive T: with saved credentials which are on
the DACL of the remote machine. - does not work.

This is in a DMZ workgroup environment. Any ideas how I can get this to
work? Is this possible with DOTNET?

Thanks,

Turbot
 
Dominick Baier [DevelopMentor]

Hello TurboT,

Which Version of IIS are you using?

under which account does your worker process run?
 
TurboT

Hello Dominick,

We are testing on both IIS 5 and IIS6 worlds. Same results.

Worker Process - Default DOTNET account?? How could I check this? (I am
the network person working with the dotnet developer)

Thanks
 
TurboT

We are investigating passing an "impersonation" account with the code..

Any ideas on this?
 
Dominick Baier [DevelopMentor]

Hello TurboT,

well - the asp.net app runs under an account -
that differs with the IIS version used - i can only recommend using IIS6

under IIS6 the default account is NETWORK SERVICE - if this account talks
to a machine in a domain environment it will use the machine account, e.g.
SERVER$
in non-domains it will be ANONYMOUS

you can run the worker process under a custom account. this is configured
in the application pool settings - then this account needs access to the
resources..
 
TurboT

Dominick, Let me see if I understand.

1. If you are running in IIS6, then by default your code is running as
"Network Service". I believe it is actually gaining these rights through
the IIS_WPG group.
Network Service is the security context that DOTNET runs on a local machine.
Between machines it is anonymous in a workgroup so in effect no
authentication is passed, but within a domain environment rights are passed
through the machine account.

So.

Q1 - defining a virtual directory in IIS6 under the DOTNET application -
will run as Network Service if the virtual directory is on this server? -
This does work.. and BTW the code that is calling access to the virtual
directory is a server.mappath in the code. (Is this right?)
Q2. - if the same definition as above but the virtual directory is remote
(by doing this I have to put credentials in IIS6 to access the virtual
directory on server B) When are these credentials ever used? and if
therefore dotnet never looks at this virtual directory definition it
therefore is trying to access the remote virtual directory as anonymous
(same as a http webpage?).

I guess if I throw IIS5 out of the picture and decide to make this work on
IIS6 I am still a little confused on the detail. ie. If I have two Win 2003
servers in a workgroup, one is running the IIS6 services other has a
directory required for R/W and shared as ServerB\Data? This is still
anonymous access by default even in IIS6? Does IIS6 have to be running on
both servers?

Thanks Dominick for any clarification and your time.


Turbot
 
Ken Schaefer

I think we're all getting a little confused here.

a) ASP.NET runs (by default) as Network Service, because that's the default
account configured for Web Application Pools in IIS 6.0. To set a different
account, open the IIS Manager, locate the Web App Pool hosting your web
application/web site, and enter a different user account.

b) Mapped drive letters are not going to work. Drive letters are mapped for
the logged on user only - not for any other account. So, if you logon and
map a drive letter, then Network Service is not going to see that drive
letter

c) IF you want to use a fixed identity to connect to the remote share, then:
i) create a user account, with the same name, on both machines. Set the
same password
ii) in IIS Manager, create a virtual directory that points to a UNC
share
iii) specify the credentials that you created in (i) as the credentials
to be used when connecting to the remote share

d) However, if you are forcing the user to authenticate, and wish the user's
credentials to flow through to the backend server, then you need to read
this document:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

Cheers
Ken


 
TurboT

Ken thank you.. just a little more clarification.

I have done exactly what you have mentioned. and in this document.

1. same local account and password on both machines.
2. same credentials for UNC in virtual directory definition

I am wondering if we are using the incorrect code to reference this
directory. I believe it is server.mappath in the code..??
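
A small diagnostic handler for the two open questions in this thread (which account the code actually runs as, and what `Server.MapPath` returns for the virtual directory), added here as an example and not posted by any participant. The virtual directory name `~/data` and the class name `ShareCheck` are assumptions.

```csharp
// Added diagnostic, not code from the thread.
// Assumption: "~/data" is the virtual directory that points at the remote share.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class ShareCheck : IHttpHandler
{
    private const string VirtualPath = "~/data"; // assumed vdir name

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";

        // Identity used for file I/O on this thread: the application pool
        // account, or the impersonated account if impersonation is active.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        ctx.Response.Write("Running as:    " + id.Name + "\r\n");
        ctx.Response.Write("Impersonation: " + id.ImpersonationLevel + "\r\n");

        // Server.MapPath only translates the virtual path into the physical
        // path configured in IIS; it does not authenticate to anything.
        string physical = ctx.Server.MapPath(VirtualPath);
        ctx.Response.Write("MapPath:       " + physical + "\r\n");
        ctx.Response.Write("Is UNC:        " + new Uri(physical).IsUnc + "\r\n");

        // The decisive check: create and delete a file under the identity above.
        string probe = Path.Combine(physical,
            "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            File.WriteAllText(probe, "write test");
            File.Delete(probe);
            ctx.Response.Write("Write test:    OK\r\n");
        }
        catch (UnauthorizedAccessException ex)
        {
            ctx.Response.Write("Write test:    access denied: " + ex.Message + "\r\n");
        }
        catch (IOException ex)
        {
            ctx.Response.Write("Write test:    I/O error: " + ex.Message + "\r\n");
        }
    }
}
```

Remove the handler once the test is done, since its output discloses the service account name and the share path.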


 
