ASP.NET using impersonation cannot access network shared drive

Discussion in 'ASP .Net Security' started by benny, Jul 16, 2004.

  1. benny

    benny Guest

    I have an ASP.NET application with web.config specified:
    <identity impersonate="true" />
    <authentication mode="Windows" />

    If I log in to the client browser as JSMITH and have the server code trying to access a network shared drive via Directory.GetFiles("\\\\machineb\\sharedriveb"), I get an access denied error. JSMITH has full rights to access \\machineb\sharedriveb and its contents.

    If the server code accesses a local folder with access granted only to JSMITH, I have no problems with JSMITH logging in via the client browser.

    The only difference I see is that it cannot access network resources. My understanding is that ASP.NET will use the impersonated token to run the code and hence the impersonated token (JSMITH) has access to the resource.

    Any suggestions?
    benny, Jul 16, 2004
    #1

  2. Hi Benny,

    Your understanding is correct. ASP.NET is going to execute that thread
    under the identity of the user who is authenticated in IIS. The problem
    you're having is likely that you are attempting to allow IIS to delegate your
    credentials to the file server using NTLM authentication. That is
    explicitly designed to fail in our architecture because it would allow
    someone to spoof your identity.

    The solution is to set up delegation which would then allow you to use
    Kerberos authentication. That would allow you to have your credentials
    delegated to the file server from IIS. Here's an article link:

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;810572

    There's also considerable information about this and other security issues
    in the "Building Secure ASP.NET Applications" book. Here's an excerpt:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

    Jim Cheshire [MSFT]
    MCP+I, MCSE, MCSD, MCDBA
    Microsoft Developer Support


    This post is provided "AS-IS" with no warranties and confers no rights.


    Jim Cheshire [MSFT], Jul 16, 2004
    #2
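A diagnostic handler, added here as an example and not part of the thread, that reports what the impersonated token can actually do before the share is touched. It assumes .NET 2.0 or later (for WindowsIdentity.ImpersonationLevel) and reuses the share path from the question as a placeholder.

```csharp
// Added diagnostic example, not code from the thread. Assumes .NET 2.0+ for
// WindowsIdentity.ImpersonationLevel; SharePath is a placeholder from the question.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class ImpersonationDiagnostic : IHttpHandler
{
    // Placeholder UNC path; replace with the share under test.
    private const string SharePath = @"\\machineb\sharedriveb";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // With <identity impersonate="true" /> this is the browser user (e.g. JSMITH),
        // not the worker process account.
        context.Response.Write("Thread identity:     " + id.Name + "\r\n");
        // "NTLM" means IIS holds a one-hop token only; Kerberos is what allows the
        // credentials to be forwarded to the file server.
        context.Response.Write("Authentication type: " + id.AuthenticationType + "\r\n");
        // Impersonation = usable for local resources only;
        // Delegation = token may be presented to a second server such as the share.
        context.Response.Write("Impersonation level: " + id.ImpersonationLevel + "\r\n");

        try
        {
            string[] files = Directory.GetFiles(SharePath);
            context.Response.Write("Share access OK: " + files.Length + " file(s)\r\n");
        }
        catch (UnauthorizedAccessException ex)
        {
            context.Response.Write("Access denied: " + ex.Message + "\r\n");
            if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
                context.Response.Write("Token is not delegable; the second hop to the file "
                    + "server will fail until Kerberos delegation is configured.\r\n");
        }
        catch (IOException ex)
        {
            // Path or network errors are a different failure class from access denied.
            context.Response.Write("I/O error: " + ex.Message + "\r\n");
        }
    }
}
```

Register the handler in web.config and request it as JSMITH: a local folder succeeds while the share reports Access denied with an impersonation level below Delegation, which is exactly the one-hop NTLM situation the reply describes.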
