ASP.NET using impersonation cannot access network shared drive

benny

I have an ASP.NET application with web.config specified:
<identity impersonate="true" />
<authentication mode="Windows" />

If I log in to the client browser as JSMITH and have the server code try to access a network shared drive via Directory.GetFiles("\\\\machineb\\sharedriveb"), I get an access denied error. JSMITH has full rights to access \\machineb\sharedriveb and its contents.

If the server code accesses a local folder that only JSMITH has access to, I have no problems with JSMITH logging in via the client browser.

The only difference I see is that it cannot access network resources. My understanding is that ASP.NET will use the impersonated token to run the code and hence the impersonated token (JSMITH) has access to the resource.

Any suggestions?

Jim Cheshire [MSFT]

Hi Benny,

Your understanding is correct. ASP.NET is going to execute that thread
under the identity of the user who is authenticated in IIS. The problem
you're having is likely that you are attempting to allow IIS to delegate your
credentials to the file server using NTLM authentication. That is
explicitly designed to fail in our architecture because it would allow
someone to spoof your identity.

The solution is to set up delegation which would then allow you to use
Kerberos authentication. That would allow you to have your credentials
delegated to the file server from IIS. Here's an article link:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;810572

There's also considerable information about this and other security issues
in the "Building Secure ASP.NET Applications" book. Here's an excerpt:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
(e-mail address removed)

This post is provided "AS-IS" with no warranties and confers no rights.
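The reply above explains why the UNC access fails: the impersonated token from an NTLM logon can be used on the IIS machine itself but cannot be forwarded to a second server, whereas a Kerberos token obtained with delegation enabled can. The following diagnostic is an added example, not code from the thread or from Microsoft: before touching the share, it inspects the current WindowsIdentity and reports whether the token is one that can make the second hop, so the failure surfaces as a descriptive error rather than a bare access denied. It assumes the .NET 2.0 and later members WindowsIdentity.ImpersonationLevel and WindowsIdentity.AuthenticationType (which reports the logon package, typically "NTLM" or "Kerberos"); the class and method names are hypothetical.

```csharp
// Added diagnostic example (not from the original thread). Assumes .NET 2.0+
// (WindowsIdentity.ImpersonationLevel, AuthenticationType). Names are hypothetical.
using System;
using System.IO;
using System.Security.Principal;

public static class ShareAccessDiagnostics
{
    // Returns true when the current token can plausibly be presented to a second
    // server (the file server). Sets 'reason' to a human-readable explanation.
    public static bool CanHopToRemoteServer(WindowsIdentity id, out string reason)
    {
        if (id == null || id.IsAnonymous)
        {
            reason = "no authenticated identity on this thread; check "
                   + "<identity impersonate=\"true\" /> and <authentication mode=\"Windows\" />";
            return false;
        }

        // An NTLM logon produces a token that is valid on this machine only:
        // IIS never receives the user's credentials, so it cannot re-authenticate
        // to \\machineb on the user's behalf.
        if (string.Equals(id.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
        {
            reason = "token came from NTLM; NTLM credentials cannot be delegated to another server "
                   + "(Kerberos with delegation is required)";
            return false;
        }

        // Even with Kerberos, the token must be at the Delegation level. If the IIS
        // computer account is not trusted for delegation, the ticket is issued at
        // Impersonation level and the second hop is refused.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            reason = "token impersonation level is " + id.ImpersonationLevel
                   + "; Delegation is required for a remote share";
            return false;
        }

        reason = "Kerberos token at Delegation level";
        return true;
    }

    // Lists a UNC share under the impersonated user, failing early with a useful
    // message when the token cannot make the second hop.
    public static string[] ListShare(string uncPath)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string reason;
        if (!CanHopToRemoteServer(id, out reason))
        {
            string who = (id == null) ? "(none)" : id.Name;
            throw new UnauthorizedAccessException(
                "Cannot reach " + uncPath + " as " + who + ": " + reason);
        }
        return Directory.GetFiles(uncPath);
    }
}

// Usage (hypothetical UNC path from the question):
//   string[] files = ShareAccessDiagnostics.ListShare(@"\\machineb\sharedriveb");
```

Once the check reports "Kerberos token at Delegation level", the remaining causes are ordinary share and NTFS permissions on machineb. When enabling delegation for the IIS computer account, constrained delegation (restricting the account to the CIFS service on the specific file server) is the least-privilege form: it lets the web server forward the user's identity to that share only, rather than to any service in the domain.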


--------------------
From: "benny" <[email protected]>
Subject: ASP.NET using impersonation cannot access network shared drive
Date: Fri, 16 Jul 2004 13:37:03 -0700
Newsgroups: microsoft.public.dotnet.framework.aspnet.security