Creating files in a unc shared drive.

[Tom]

I have a web app that allowes you to upload files to a shared forlder and
also read them off a list of uploaded files.

I created a shared drive on the destination server, and using a mapped
virtual folder to the shared, I can view the files from the shared drive.

My problem is writing the files. We're using the html input control to
uplaod files. We're also using System.IO.FileStream Write method to do the
job. It works until we need to write to the shared drive.

I've looked at various threads and other listings, but can someone add some
code to do this? I'm not sure how to add a credentials object to the write
operation. I've configured my config file to impersonate.

Thanks

 

[Dominick Baier [DevelopMentor]]

Hello Tom,

if you are accessing a non-local ressource while impersonating, this is called
delegation. You basically want to flow the client identity off the machine.
There are some config steps necessary.

check this site:
http://www.leastprivilege.com/TroubleshootingKerberosDelegation.aspx

 

[Alex]

Unfortunately, I can't use Kerberos, What I don't understand is, why can't I
use inmpersonation to connect to a shared drive on the same domain?

 

[Paul Clement]

¤ I have a web app that allowes you to upload files to a shared forlder and
¤ also read them off a list of uploaded files.
¤
¤ I created a shared drive on the destination server, and using a mapped
¤ virtual folder to the shared, I can view the files from the shared drive.
¤
¤ My problem is writing the files. We're using the html input control to
¤ uplaod files. We're also using System.IO.FileStream Write method to do the
¤ job. It works until we need to write to the shared drive.
¤
¤ I've looked at various threads and other listings, but can someone add some
¤ code to do this? I'm not sure how to add a credentials object to the write
¤ operation. I've configured my config file to impersonate.

What level of authentication is your web application using? Are you enabling impersonation?


Paul
~~~~
Microsoft MVP (Visual Basic)

 

[Alex]

I use Windows authentication

 

[Alex]

This is what we ended up doing, and it seems to work:

We set the impersonate="false"
We set the user name and password in the <processModel> element to an active
directory user
We gave the user the proper permissions to the unc share

I'm not sure of the reasons, but I've been told to try and get it working
without Kerebose\delegation.

My only concern is the machine.config changes. I'm not sure how it affects
the other web sites we have....

 

[Joe Kaplan \(MVP - ADSI\)]

It means all of the other web sites on the machine will have the worker
process running as your domain account too. This may or may not be a bad
thing, depending on what it can do.

What's the problem with Kerberos delegation? It is probably the best way to
solve this problem. The other good way is to put the code that does the UNC
access in a seperate component and set it up in COM+ to run as your domain
identity. That way only this piece of code has the special privileges. Of
course, this is more complicated to implement and deploy, but offers more
security.

Joe K.

 

[Alex]

I'm not sure why my manager doesn't want to enable kerberos delegation in
iis. Running all sites under the user won't be a problem. It's a generic
system user who does have permissions to perform tasks.

Thanks

 

[Joe Kaplan \(MVP - ADSI\)]

Fair enough. As long as you understand your options.

Joe K.

 

[Paul Clement]

¤ Unfortunately, I can't use Kerberos, What I don't understand is, why can't I
¤ use inmpersonation to connect to a shared drive on the same domain?
¤

Just an explanation for this:

Web apps that implement Integrated Windows security are authenticated via NTLM and IIS never
receives the credentials to delegate to the remote server.

You may have run across the following documentation:

http://msdn.microsoft.com/library/d...y/en-us/vsent7/html/vxconaspnetdelegation.asp


Paul
~~~~
Microsoft MVP (Visual Basic)