Creating files in a UNC shared drive.

Discussion in 'ASP .Net Security' started by Tom, Aug 16, 2005.

  1. Tom Guest

    I have a web app that allows you to upload files to a shared folder and
    also read them off a list of uploaded files.

    I created a shared drive on the destination server, and using a mapped
    virtual folder to the shared, I can view the files from the shared drive.

    My problem is writing the files. We're using the html input control to
    upload files. We're also using System.IO.FileStream Write method to do the
    job. It works until we need to write to the shared drive.

    I've looked at various threads and other listings, but can someone add some
    code to do this? I'm not sure how to add a credentials object to the write
    operation. I've configured my config file to impersonate.

    Thanks
     
    Tom, Aug 16, 2005
    #1

  2. Hello Tom,

    If you are accessing a non-local resource while impersonating, this is called
    delegation. You basically want to flow the client identity off the machine.
    There are some config steps necessary.

    check this site:
    http://www.leastprivilege.com/TroubleshootingKerberosDelegation.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I have a web app that allows you to upload files to a shared folder
    > and also read them off a list of uploaded files.
    >
    > I created a shared drive on the destination server, and using a mapped
    > virtual folder to the shared, I can view the files from the shared
    > drive.
    >
    > My problem is writing the files. We're using the html input control to
    > upload files. We're also using System.IO.FileStream Write method to do
    > the job. It works until we need to write to the shared drive.
    >
    > I've looked at various threads and other listings, but can someone add
    > some code to do this? I'm not sure how to add a credentials object to
    > the write operation. I've configured my config file to impersonate.
    >
    > Thanks
    >
     
    Dominick Baier [DevelopMentor], Aug 16, 2005
    #2

  3. Alex Guest

    Unfortunately, I can't use Kerberos. What I don't understand is, why can't I
    use impersonation to connect to a shared drive on the same domain?

    "Dominick Baier [DevelopMentor]" wrote:

    > Hello Tom,
    >
    > If you are accessing a non-local resource while impersonating, this is called
    > delegation. You basically want to flow the client identity off the machine.
    > There are some config steps necessary.
    >
    > check this site:
    > http://www.leastprivilege.com/TroubleshootingKerberosDelegation.aspx
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I have a web app that allows you to upload files to a shared folder
    > > and also read them off a list of uploaded files.
    > >
    > > I created a shared drive on the destination server, and using a mapped
    > > virtual folder to the shared, I can view the files from the shared
    > > drive.
    > >
    > > My problem is writing the files. We're using the html input control to
    > > upload files. We're also using System.IO.FileStream Write method to do
    > > the job. It works until we need to write to the shared drive.
    > >
    > > I've looked at various threads and other listings, but can someone add
    > > some code to do this? I'm not sure how to add a credentials object to
    > > the write operation. I've configured my config file to impersonate.
    > >
    > > Thanks
    > >

     
    Alex, Aug 16, 2005
    #3
  4. Paul Clement Guest

    On Mon, 15 Aug 2005 18:53:02 -0700, Tom <.(nospam)> wrote:

    ¤ I have a web app that allows you to upload files to a shared folder and
    ¤ also read them off a list of uploaded files.
    ¤
    ¤ I created a shared drive on the destination server, and using a mapped
    ¤ virtual folder to the shared, I can view the files from the shared drive.
    ¤
    ¤ My problem is writing the files. We're using the html input control to
    ¤ upload files. We're also using System.IO.FileStream Write method to do the
    ¤ job. It works until we need to write to the shared drive.
    ¤
    ¤ I've looked at various threads and other listings, but can someone add some
    ¤ code to do this? I'm not sure how to add a credentials object to the write
    ¤ operation. I've configured my config file to impersonate.

    What level of authentication is your web application using? Are you enabling impersonation?


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Aug 16, 2005
    #4
  5. Alex Guest

    I use Windows authentication

    > What level of authentication is your web application using? Are you enabling impersonation?
    >
    >
    > Paul
    > ~~~~
    > Microsoft MVP (Visual Basic)
    >
     
    Alex, Aug 16, 2005
    #5
  6. Alex Guest

    This is what we ended up doing, and it seems to work:

    We set the impersonate="false"
    We set the user name and password in the <processModel> element to an active
    directory user
    We gave the user the proper permissions to the unc share

    I'm not sure of the reasons, but I've been told to try and get it working
    without Kerberos\delegation.

    My only concern is the machine.config changes. I'm not sure how it affects
    the other web sites we have....
     
    Alex, Aug 16, 2005
    #6
  7. It means all of the other web sites on the machine will have the worker
    process running as your domain account too. This may or may not be a bad
    thing, depending on what it can do.

    What's the problem with Kerberos delegation? It is probably the best way to
    solve this problem. The other good way is to put the code that does the UNC
    access in a separate component and set it up in COM+ to run as your domain
    identity. That way only this piece of code has the special privileges. Of
    course, this is more complicated to implement and deploy, but offers more
    security.

    Joe K.

    "Alex" <.(nospam)> wrote in message
    news:...
    > This is what we ended up doing, and it seems to work:
    >
    > We set the impersonate="false"
    > We set the user name and password in the <processModel> element to an
    > active directory user
    > We gave the user the proper permissions to the unc share
    >
    > I'm not sure of the reasons, but I've been told to try and get it working
    > without Kerberos\delegation.
    >
    > My only concern is the machine.config changes. I'm not sure how it affects
    > the other web sites we have....
     
    Joe Kaplan (MVP - ADSI), Aug 17, 2005
    #7
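
Added example, not from any poster in this thread: Tom's first post asks for code that attaches credentials to the write, and Joe Kaplan's reply recommends confining the share privileges to the one piece of code that needs them. The C# below does that with a different technique from the COM+ component he describes, impersonating a dedicated account through `LogonUser` only around the write. It assumes .NET Framework 2.0 or later on Windows Server 2003 or later; `UncShareWriter`, `Save` and all argument values are hypothetical names.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: writes one upload to a UNC share under a dedicated domain
// account, so the worker process itself keeps its low-privilege identity.
public static class UncShareWriter
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // token applies to outbound network access only
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider required by the logon type above

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // shareRoot is e.g. @"\\fileserver\uploads" (placeholder); clientFileName is untrusted input.
    public static string Save(Stream upload, string shareRoot, string clientFileName,
        string domain, string user, string password)
    {
        // Keep only the leaf name so a client-supplied path cannot redirect the write.
        string leaf = Path.GetFileName(clientFileName);
        if (leaf == null || leaf.Length == 0)
            throw new ArgumentException("Empty file name", "clientFileName");
        string target = Path.Combine(shareRoot, leaf);

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = id.Impersonate())
            // CreateNew refuses to overwrite a file that already exists on the share.
            using (FileStream fs = new FileStream(target, FileMode.CreateNew, FileAccess.Write))
            {
                byte[] buf = new byte[8192];
                int n;
                while ((n = upload.Read(buf, 0, buf.Length)) > 0)
                    fs.Write(buf, 0, n);
            } // disposing ctx reverts the thread to its previous identity
        }
        finally { CloseHandle(token); }
        return target;
    }
}
```

With `LOGON32_LOGON_NEW_CREDENTIALS` the credentials are not checked until the share is contacted, so a wrong password surfaces as an access error from `FileStream`, not from `LogonUser`. Keep the account's password out of source and plain-text config, and grant the account write access to this share only.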
  8. Alex Guest

    I'm not sure why my manager doesn't want to enable Kerberos delegation in
    IIS. Running all sites under the user won't be a problem. It's a generic
    system user who does have permissions to perform tasks.

    Thanks
    "Joe Kaplan (MVP - ADSI)" wrote:

    > It means all of the other web sites on the machine will have the worker
    > process running as your domain account too. This may or may not be a bad
    > thing, depending on what it can do.
    >
    > What's the problem with Kerberos delegation? It is probably the best way to
    > solve this problem. The other good way is to put the code that does the UNC
    > access in a separate component and set it up in COM+ to run as your domain
    > identity. That way only this piece of code has the special privileges. Of
    > course, this is more complicated to implement and deploy, but offers more
    > security.
    >
    > Joe K.
    >
    > "Alex" <.(nospam)> wrote in message
    > news:...
    > > This is what we ended up doing, and it seems to work:
    > >
    > > We set the impersonate="false"
    > > We set the user name and password in the <processModel> element to an
    > > active directory user
    > > We gave the user the proper permissions to the unc share
    > >
    > > I'm not sure of the reasons, but I've been told to try and get it working
    > > without Kerberos\delegation.
    > >
    > > My only concern is the machine.config changes. I'm not sure how it affects
    > > the other web sites we have....

     
    Alex, Aug 17, 2005
    #8
  9. Fair enough. As long as you understand your options.

    Joe K.

    "Alex" <.(nospam)> wrote in message
    news:...
    > I'm not sure why my manager doesn't want to enable Kerberos delegation in
    > IIS. Running all sites under the user won't be a problem. It's a generic
    > system user who does have permissions to perform tasks.
    >
    > Thanks
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> It means all of the other web sites on the machine will have the worker
    >> process running as your domain account too. This may or may not be a bad
    >> thing, depending on what it can do.
    >>
    >> What's the problem with Kerberos delegation? It is probably the best way
    >> to solve this problem. The other good way is to put the code that does the
    >> UNC access in a separate component and set it up in COM+ to run as your
    >> domain identity. That way only this piece of code has the special
    >> privileges. Of course, this is more complicated to implement and deploy,
    >> but offers more security.
    >>
    >> Joe K.
    >>
    >> "Alex" <.(nospam)> wrote in message
    >> news:...
    >> > This is what we ended up doing, and it seems to work:
    >> >
    >> > We set the impersonate="false"
    >> > We set the user name and password in the <processModel> element to an
    >> > active directory user
    >> > We gave the user the proper permissions to the unc share
    >> >
    >> > I'm not sure of the reasons, but I've been told to try and get it
    >> > working without Kerberos\delegation.
    >> >
    >> > My only concern is the machine.config changes. I'm not sure how it
    >> > affects the other web sites we have....

     
    Joe Kaplan (MVP - ADSI), Aug 17, 2005
    #9
  10. Paul Clement Guest

    On Tue, 16 Aug 2005 08:01:03 -0700, "Alex" <.(nospam)> wrote:

    ¤ Unfortunately, I can't use Kerberos. What I don't understand is, why can't I
    ¤ use impersonation to connect to a shared drive on the same domain?
    ¤

    Just an explanation for this:

    Web apps that implement Integrated Windows security are authenticated via NTLM and IIS never
    receives the credentials to delegate to the remote server.

    You may have run across the following documentation:

    http://msdn.microsoft.com/library/d...y/en-us/vsent7/html/vxconaspnetdelegation.asp


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Aug 17, 2005
    #10