Accessing Virtual directory on remote machine

Discussion in 'ASP .Net Security' started by TurboT, Oct 31, 2005.

  1. TurboT

    TurboT Guest

    I have a .net application that I need to write to a directory on a different
    server.

    1. When the dotnet application runs I have initial setup with IIS using a
    virtual directory on same machine. This works fine.

    2. Virtual directory to another machine (created the authentication account
    and saved in IIS virtual directory setup) - does not work.

    3. Tried a persistent mapped drive T: with saved credentials which are on
    the DACL of the remote machine. - does not work.

    This is in a DMZ workgroup environment. Any ideas how I can get this to
    work? Is this possible with DOTNET?

    Thanks,

    Turbot
     
    TurboT, Oct 31, 2005
    #1

  2. Hello TurboT,

    Which version of IIS are you using?

    Under which account does your worker process run?


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 31, 2005
    #2

  3. TurboT

    TurboT Guest

    Hello Dominick,

    We are testing on both IIS 5 and IIS6 worlds. Same results.

    Worker Process - Default DOTNET account?? How could I check this? (I am
    the network person working with the dotnet developer)

    Thanks


     
    TurboT, Oct 31, 2005
    #3
  4. TurboT

    TurboT Guest

    We are investigating passing an "impersonation" account with the code.

    Any ideas on this?

     
    TurboT, Oct 31, 2005
    #4
  5. Hello TurboT,

    Why?
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 31, 2005
    #5
  6. Hello TurboT,

    well - the asp.net app runs under an account -

    that differs with the IIS version used - I can only recommend using IIS6

    under IIS6 the default account is NETWORK SERVICE - if this account talks
    to a machine in a domain environment it will use the machine account, e.g.
    SERVER$
    in non-domains it will be ANONYMOUS

    you can run the worker process under a custom account. this is configured
    in the application pool settings - then this account needs access to the
    resources.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 31, 2005
    #6
  7. TurboT

    TurboT Guest

    Dominick, Let me see if I understand.

    1. If you are running in IIS6, then by default your code is running as
    "Network Service". I believe it is actually gaining these rights through
    the IIS_WPG group.
    Network Service is the security context that DOTNET runs on a local machine.
    Between machines it is anonymous in a workgroup so in effect no
    authentication is passed, but within a domain environment rights are passed
    through the machine account.

    So.

    Q1 - defining a virtual directory in IIS6 under the DOTNET application -
    will run as Network Service if the virtual directory is on this server? -
    This does work.. and BTW the code that is calling access to the virtual
    directory is a server.mappath in the code. (Is this right?)

    Q2. - if the same definition as above but the virtual directory is remote
    (by doing this I have to put credentials in IIS6 to access the virtual
    directory on server B) When are these credentials ever used? and if
    therefore dotnet never looks at this virtual directory definition it
    therefore is trying to access the remote virtual directory as anonymous
    (same as a http webpage?).

    I guess if I throw IIS5 out of the picture and decide to make this work on
    IIS6 I am still a little confused on the detail. i.e. If I have two Win 2003
    servers in a workgroup, one is running the IIS6 services other has a
    directory required for R/W and shared as ServerB\Data? This is still
    anonymous access by default even in IIS6? Does IIS6 have to be running on
    both servers?

    Thanks Dominick for any clarification and your time.


    Turbot




     
    TurboT, Nov 1, 2005
    #7
  8. Ken Schaefer

    Ken Schaefer Guest

    I think we're all getting a little confused here.

    a) ASP.NET runs (by default) as Network Service, because that's the default
    account configured for Web Application Pools in IIS 6.0. To set a different
    account, open the IIS Manager, locate the Web App Pool hosting your web
    application/web site, and enter a different user account.

    b) Mapped drive letters are not going to work. Drive letters are mapped for
    the logged on user only - not for any other account. So, if you log on and
    map a drive letter, then Network Service is not going to see that drive
    letter.

    c) If you want to use a fixed identity to connect to the remote share, then:
      i) create a user account, with the same name, on both machines. Set the
         same password
      ii) in IIS Manager, create a virtual directory that points to a UNC
         share
      iii) specify the credentials that you created in (i) as the credentials
         to be used when connecting to the remote share

    d) However, if you are forcing the user to authenticate, and wish the user's
    credentials to flow through to the backend server, then you need to read
    this document:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

    Cheers
    Ken


     
    Ken Schaefer, Nov 1, 2005
    #8
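
A diagnostic for the two open questions in this thread (which account the code runs as, and what `server.mappath` hands back), added here as an example; it is not code posted by any participant. The handler class name and the virtual directory `~/data` are assumptions.

```csharp
// Added diagnostic example; not code from the thread.
// Assumed names: the handler class and the virtual directory "~/data".
using System;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web;

public class ShareAccessCheck : IHttpHandler
{
    // Hypothetical virtual path of the directory the application writes to.
    private const string VirtualDir = "~/data";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The report names accounts and paths, so serve it only to requests
        // made from the web server itself.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        StringBuilder report = new StringBuilder();

        // The Windows account this code executes as: the application pool
        // identity, unless ASP.NET impersonation is switched on.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        report.AppendLine("Executing as : " + current.Name);

        // Server.MapPath translates the virtual path into the physical path
        // configured in IIS; it does not check that the path is reachable.
        string physical = context.Server.MapPath(VirtualDir);
        report.AppendLine("Physical path: " + physical);
        report.AppendLine("Target kind  : " + DescribeTarget(physical));

        // The real check: create and delete a file as the executing account.
        string probe = Path.Combine(physical,
            "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            File.WriteAllText(probe, "write probe");
            File.Delete(probe);
            report.AppendLine("Write test   : succeeded");
        }
        catch (UnauthorizedAccessException ex)
        {
            report.AppendLine("Write test   : access denied for "
                + current.Name + " (" + ex.Message + ")");
        }
        catch (IOException ex)
        {
            // Missing directory, unreachable network path and similar.
            report.AppendLine("Write test   : I/O failure (" + ex.Message + ")");
        }

        context.Response.ContentType = "text/plain";
        context.Response.Write(report.ToString());
    }

    // Distinguishes a UNC target from a drive letter, and reports a drive
    // letter that does not exist in the executing account's session.
    private static string DescribeTarget(string path)
    {
        if (path.StartsWith(@"\\"))
            return "UNC share";
        DriveInfo drive = new DriveInfo(Path.GetPathRoot(path));
        if (drive.DriveType == DriveType.NoRootDirectory)
            return "drive letter not visible to this account";
        return drive.DriveType == DriveType.Network
            ? "mapped network drive" : "local drive";
    }
}
```

Registered as an HTTP handler in the application and requested from the web server itself, it shows in one response whether a failure comes from the executing account or from the path the virtual directory resolves to.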
  9. TurboT

    TurboT Guest

    Ken thank you.. just a little more clarification.

    I have done exactly what you have mentioned, and in this document.

    1. same local account and password on both machines.
    2. same credentials for UNC in virtual directory definition

    I am wondering if we are using the incorrect code to reference this
    directory. I believe it is server.mappath in the code..??


     
    TurboT, Nov 1, 2005
    #9