asp.net, basic authentication, file access

jzink

I have an asp.net application that is configured to
use "basic authentication". The application needs to have
access to delete a file in let's say directory
d:\inetpub\wwwroot\myApp\reports. Do I need to grant
access to the ASPNET account or to the accounts of the
users who will be accessing the site?

I put the following line of code in
Thread.CurrentPrincipal.Identity.Name.ToString() and it
returns the id of the person logged in.



thanks for your help
 
Andrea D'Onofrio [MSFT]

If you have turned the impersonation on, the .net code will run under the
identity of the users who will be accessing the site, else the .net code will
run under the ASPNET account (this is the default) identity.

HtH,
Andrea
 
JZink

I don't believe I have impersonation turned on. Here is
my machine.config entries:
<identity impersonate="false" userName="" password=""/>

<processModel
enable="true"
timeout="Infinite"
idleTimeout="Infinite"
shutdownTimeout="0:00:05"
requestLimit="Infinite"
requestQueueLimit="5000"
restartQueueLimit="10"
memoryLimit="60"
webGarden="false"
cpuMask="0xffffffff"
userName="machine"
password="AutoGenerate"
logLevel="Errors"
clientConnectedCheck="0:00:05"
comAuthenticationLevel="Connect"
comImpersonationLevel="Impersonate"
responseDeadlockInterval="00:03:00"
maxWorkerThreads="20"
maxIoThreads="20"
/>

However, if I place this code in an aspx page:
Thread.CurrentPrincipal.Identity.Name.ToString()
I see the id of the person being authenticated.
 
Holly Mazerolle

You will want to grant access to the ASPNET account for deleting the file.
If you want only the authenticated user to have the ability to delete the
file then you could simply set impersonation to true and set permissions
for that logged on user. If you do this and you are still having problems,
a good way to troubleshoot would be to use filemon while you repro any
errors. You can download it from www.sysinternals.com. It will show you
what user is accessing what files and whether the access was successful or
not.

This posting is provided "AS IS" with no warranties, and confers no rights.

Holly
 
jzink

I do not have impersonation set to true, yet when I put
this code into my aspx page:
Response.Write (
Thread.CurrentPrincipal.Identity.Name.ToString() )
it will write out the name of the user who was
authenticated, not ASPNET. What am I missing?
 
Hernan de Lahitte

If you want to see the identity of the worker process, that is, the account
that will be used to access your protected resource, you should use
System.Security.Principal.WindowsIdentity.GetCurrent().Name.

This will return, in your case, the ASPNET account if you turn off
impersonation, or your logged-on user account if you turn on impersonation.
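Added example, not code from this thread: a small diagnostic page that prints the two identities discussed above side by side and probes the report directory with a scratch file, so the account that actually needs Modify rights on the folder can be read straight off the page. The class name, the probe file name and the OnLoad wiring are my assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using System.Web.UI;

// Code-behind for a Web Forms page (IdentityCheck.aspx inherits from it).
public class IdentityCheck : Page
{
    // Assumed value: the report folder named in the question.
    private const string ReportDir = @"d:\inetpub\wwwroot\myApp\reports";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // The principal attached to the request. With Basic authentication
        // this is the browser user whether or not impersonation is on.
        string requestUser = Thread.CurrentPrincipal.Identity.Name;

        // The Windows token the request thread actually carries, which is
        // what the file system sees: ASPNET (XP/2000) or
        // NT AUTHORITY\NETWORK SERVICE (Windows 2003 DefaultAppPool) when
        // <identity impersonate="false"/>, the Basic-auth user when "true".
        string fileSystemUser = WindowsIdentity.GetCurrent().Name;

        Response.ContentType = "text/plain";
        Response.Write("Authenticated user : " + requestUser + "\r\n");
        Response.Write("File system user   : " + fileSystemUser + "\r\n");
        Response.Write("Probe result       : " + ProbeDelete(ReportDir) + "\r\n");
    }

    // Creates and immediately deletes a scratch file in the directory. A
    // denial here means the account shown as "File system user" is the one
    // that still lacks rights on the folder; grant only that account, only
    // on this folder, rather than widening permissions elsewhere.
    private static string ProbeDelete(string dir)
    {
        string path = Path.Combine(dir, "identity-probe-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            using (File.Create(path)) { }
            File.Delete(path);
            return "create+delete OK in " + dir;
        }
        catch (UnauthorizedAccessException ex) { return "DENIED: " + ex.Message; }
        catch (IOException ex) { return "IO error (missing folder?): " + ex.Message; }
    }
}
```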
 
jzink

I changed the aspx code to print out
System.Security.Principal.WindowsIdentity.GetCurrent().Name
and now I see NT AUTHORITY\NETWORK SERVICE. Shouldn't I
see ASPNET?
 
Hernan de Lahitte

This is the default AppPool account for W2K3. This might be your case. The
ASPNET account is the default for an XP box or lower.
 
jzink

What do you mean by AppPool account, and how come I don't
see NT AUTHORITY\NETWORK SERVICE as a user in Computer
Management\Users?
 
Hernan de Lahitte

With AppPool, I refer to the Application Pool that Windows 2003 has. To
check this, go to the IIS Management Console snap-in and in the Application
Pools folder, right click the DefaultAppPool node (this is the default
Application Pool for all Web Sites). In the Properties/Identity tab option,
you will see your selected Application Pool Identity. This should be the
Network Service or, in the canonical format, "NT AUTHORITY\NETWORK SERVICE".
As you pointed out, you won't see this account with the Users manager. This
is a predefined system account, like the System (TCB) account. The Network
Service account is a low privilege account, so if you change this account in
the AppPool Identity option for another with more privileges, be careful
with a possible "Elevation of Privilege Threat".
 
Holly Mazerolle

So in your case, since you are on Win2003 and you are not using
impersonation, the NT AUTHORITY\NETWORK SERVICE account will be who is
accessing the location you are attempting to delete files from. As I
mentioned before, you may want to consider impersonation so that you only
give permission to a specific domain account.

This posting is provided "AS IS" with no warranties, and confers no rights.

Holly