CreateDirectory working inconsistently from ASP.net

Discussion in 'ASP .Net Security' started by David Davies, Oct 25, 2004.

  1. David Davies

    David Davies Guest

    Please HELP !!

    I have a web page that is trying to create folders on a file server

    eg. \\SERVERNAME\F4\Projects\[New Folder Name]

    Users of the web site are authenticated with Windows Integrated Security.

    (have tried on W2003/IIS6 and W2k/IIS5 with no difference in behavior)

    When a user connects using a browser on the same machine as the
    webserver the code works and is able to create the new folder.

    When the same user connects from a remote machine the CreateDirectory
    function generates the following Exception
    System.UnauthorizedAccessException
    "Access to the path \"TEST\" is denied."
    Source "mscorlib"
    StackTrace
    System.IO.__Error.WinIOError(Int32 errorCode, String str)
    at System.IO.Directory.InternalCreateDirectory(String fullPath, String
    path)\r\n
    ....

    I have tried to do this in 3 ways all with the same problem;
    A)
    DirectoryInfo di = Directory.CreateDirectory(newfullpath);

    B)
    DirectoryInfo root = new DirectoryInfo(rootPath);
    DirectoryInfo di = root.CreateSubdirectory(folderName);

    C)
    [DllImport("kernel32.dll")]
    static extern bool CreateDirectory(string lpPathName, IntPtr lpSecurityAttributes);
    ....
    bool result = CreateDirectory(path, IntPtr.Zero);
    DirectoryInfo di = new DirectoryInfo(path);

    I have also checked that the Integrated Authentication is getting passed
    correctly into the application

    string origID = Thread.CurrentPrincipal.Identity.Name;
    string contextUser = HttpContext.Current.User.Identity.Name;

    Both calls return the same user regardless of whether the call is from the server or
    a remote machine.
    Needless to say that the User has the required permissions to create the
    folder because they are able to do so as long as they do it from a browser on
    the server itself.

    If anyone can shed any light on what is going on here I would greatly
    appreciate it.

    Regards,
    David Davies
    Goldman Sachs
    David Davies, Oct 25, 2004
    #1

  2. David Davies

    Scott Allen Guest

    Hi David:

    You are facing the dreaded double hop NTLM issue. With integrated
    authentication the client's credentials can make exactly one network
    hop. When the browser authenticates to the web server from a remote
    machine the credentials make one hop and can't be used to make a
    second hop to the server with the file share (if the browser is on the
    same machine as the web server the call works because there is still
    only one hop involved).

    A few of the solutions are:

    1) Enable delegation
    http://support.microsoft.com/default.aspx?kbid=810572

    2) Impersonate with a specific username and password, i.e.
    <identity impersonate="true" userName="<name>" password="<password>"/>
    You can also do this programmatically.

    3) Run the ASP.NET worker process under a domain account with
    permissions on both machines.

    There are some good tips for 2 & 3 here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp

    HTH,

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    Scott Allen, Oct 25, 2004
    #2

  3. David Davies

    David Davies Guest

    Many thanks Scott.

    2 and 3 are not feasible because the ability to create a directory must
    depend on the rights of the user.

    That leaves Delegation as the only option. I have followed the instructions
    in the kb you posted and waited a few hours to allow for propagation but it
    is still producing the same result.

    Is there any way to test Delegation is functioning ?

    Regards,
    David

    David Davies, Oct 26, 2004
    #3
  4. David Davies

    Scott Allen Guest

    Hi David:

    I know of a troubleshooting paper:

    Troubleshooting Kerberos Delegation
    http://www.microsoft.com/downloads/...4f-e28a-4726-bffe-2f64ae2f59a2&displaylang=en

    It's quite extensive (lengthy) and includes links to some command line
    utilities and demonstrates how to turn on some auditing. Hopefully
    this can help out.

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/


    Scott Allen, Oct 26, 2004
    #4
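
Added example, not part of either poster's messages: a C# helper for the question raised in the thread of how to tell whether delegation is working. It reports the authentication package and impersonation level of the request token, then attempts the second hop to the share. It assumes .NET 2.0 or later (for `WindowsIdentity.ImpersonationLevel`), Windows authentication with `<identity impersonate="true"/>` in web.config, and a test folder path supplied by the caller; the class name `DoubleHopDiagnostics` and the `uncPath` parameter are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added diagnostic, not code from the thread. Call it from a page on the
// web server, once from a local browser and once from a remote one.
public static class DoubleHopDiagnostics
{
    // uncPath: a test folder on the share, e.g. \\SERVERNAME\F4\Projects\TEST
    public static string Describe(string uncPath)
    {
        StringBuilder report = new StringBuilder();

        // Identity IIS authenticated for this request. Its Name is identical
        // for local and remote browsers, so Name alone cannot show a double hop.
        WindowsIdentity requestUser =
            HttpContext.Current.User.Identity as WindowsIdentity;
        // Token the worker thread actually presents to the file server.
        WindowsIdentity threadUser = WindowsIdentity.GetCurrent();

        if (requestUser != null)
        {
            report.AppendLine("Request user: " + requestUser.Name);
            // "NTLM" tokens cannot be delegated; delegation requires Kerberos.
            report.AppendLine("Auth package: " + requestUser.AuthenticationType);
            // For a remote client, Impersonation is good for resources on the
            // web server only; Delegation can be forwarded to another server.
            report.AppendLine("Token level:  " + requestUser.ImpersonationLevel);
        }
        report.AppendLine("Thread user:  " + threadUser.Name);
        report.AppendLine("Thread level: " + threadUser.ImpersonationLevel);

        try
        {
            // The second hop: web server to file server as the caller.
            Directory.CreateDirectory(uncPath);
            report.AppendLine("Second hop:   succeeded");
        }
        catch (UnauthorizedAccessException ex)
        {
            report.AppendLine("Second hop:   denied (" + ex.Message + ")");
        }
        return report.ToString();
    }
}
```

If the thread user is the worker-process account rather than the caller, impersonation is not enabled and the share is being accessed as that account instead.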