How to create file on network share from ASP.NET

Guest

Hi,

I have ASP.NET application running on standalone (not part of the domain)
Windows 2003. I use forms authentication for my application. The problem I
have is that I need to create and read files on Windows domain network shared
drives and also on shared via Samba Unix drives, which is equivalent to
writing/reading to the workgroup computer. Please point, if possible, to
detailed step by step description of what needs to be done. Thank you.

Regards,
 
Kevin Spencer

Hi Andre,

You can certainly use the System.IO classes to create files on a network
drive in the same way that you would create them on a local machine drive.
You can use a UNC path if you wish, or a mapped drive. The rules are the
same. The only differences would be:

1. Security: Use an Active Directory domain account with the proper
permissions. Use impersonation if necessary.
2. Unix drives: You may have some issues with the files themselves,
especially if they are text files. Carriage returns are different on Unix
systems. The system may be using ASCII instead of Unicode text encoding as
well.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
The sun never sets on
the Kingdom of Heaven
 
Guest

Hi Kevin,

My problem is that I don't understand how impersonation can help me. My web
server (means any accounts on it) does not have permissions to read/write to
shared directories. Administrators of Unix and Windows domain created for me
appropriate accounts for access to shares - means on Unix was created user
asp with password asp which can access shared folder. From Windows Explorer
on my PC I can connect to this shared folder using provided username and
password. But this username and password are from remote box not the local
one, which means that LogonUser will not work for me as it can be used only
to login to local computer (at least that is what documentation says).

Could you please help with the issue that I need to login to another box
using another box's account and not the local one?

Thanks a lot.
 
Juan T. Llibre

Hi, Andre.

re:
Could you please help with the issue that I need to login to
another box using another box's account and not the local one?

<identity impersonate="true" userName="domain\user" password="pwd"/>

should allow you to run ASP.NET while impersonating the
domain account which has permissions to read/write the other box.

For that, of course, both the other box and your box
need to be members of the same domain.
 
Guest

Hi Juan,

Thank you for your reply, but my point is exactly that both computers ARE
NOT members of the same domain - one is standalone Win2003 and another is
external domain member and I can not put both onto the same domain. Is there
any other way to do it?

Thank you.
 
Juan T. Llibre

re:
both computers ARE NOT members of the same domain

I think that, if that's the case, you're out of luck.

You might want to talk to your network admin
about joining your machine to the network.

What would prevent that ?
( If you need to access the shared drive's file system... )

My question to you is : how do you have *shared drives*
if the machines are not on the same network ?

That sounds a bit counter-intuitive to me.
 
Kevin Spencer

Hi Andre,

You can certainly impersonate a member of any domain, as long as you supply
that user's credentials. It's simply a matter of identifying the domain as
well as the user.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
The sun never sets on
the Kingdom of Heaven
 
Scott Allen

One technique I've used in the past is to use a mirrored account. Set up
an account on both machines - same username, same password. Then
ASP.NET can impersonate the account on the server and be authenticated
/ authorized on the remote machine.
 
Guest

Guys,

Thank you very much for your answers/suggestions.

Scott,
Does your suggestion mean that Windows will always try to login using current
(impersonated) credentials first? What if my impersonated credentials are
domain related, is it going to be a problem? Sorry for dumb questions I am
not an expert in Windows security.

Kevin,
Does your suggestion mean, that it is domain, which webserver belongs to, you
are talking about? Can I impersonate a user of another domain (I have domain name,
username and password for that domain, but server is not part of that domain)?

Juan,
There are various reasons (not of a technical matter) which prevent our
web-server to be joined with the other domain. Machines are on the same
physical network, but webserver is maintained by one company and domain by
another. So all I have from the domain managed box is the domain name, share
name, username and password on THAT domain and I need to create export files
using those credentials. I can do this from Windows GUI - access that share
using provided credentials so it should not be a problem via .Net too.

I am currently looking at using WNetAddConnection2 function to map external
drives locally and write onto local drives. Is it a good idea?

Thanks & Regards,

Andre.
 
Kevin Spencer

Hi Andre,
> Does your suggestion mean, that it is domain, which webserver belongs to, you
> are talking about? Can I impersonate a user of another domain (I have domain name,
> username and password for that domain, but server is not part of that domain)?

Of course it is possible to impersonate a user of a different domain or
Workgroup within the same LAN, and even across the Internet. Our LAN, for
example, is comprised of several different domains and Workgroups. I can, as
a network administrator, access any of these machines, and perform any kind
of operation on them, from my local machine, using Windows Explorer, Event
Viewer, IIS Admin snap-in, Remote Desktop, and a large variety of other
applications. Sometimes I have to provide a different set of credentials,
such as domain credentials, in order to do so. As an ASP.Net application is
also an application, it can certainly do the same. It's "simply" a matter of
knowing how. The following (and related) article(s) should give you the
ammunition you need to implement this in your app:

http://www.15seconds.com/issue/041208.htm

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
The sun never sets on
the Kingdom of Heaven
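
One way to do what Kevin describes, as an added example that is not part of the thread: `LogonUser` with `LOGON32_LOGON_NEW_CREDENTIALS` applies the supplied account to outbound connections only and does not validate it locally, so the web server need not belong to the remote domain. The class, method and parameter names are hypothetical; it targets .NET Framework and writes ASCII with Unix line endings, per Kevin's earlier note about Unix shares.

```csharp
// Added example, not code from the thread. Names and parameters are hypothetical.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public static class RemoteShareWriter
{
    // Credentials are used for outbound network connections only; they are
    // not checked locally, so the account need not exist on the web server.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;   // required for logon type 9

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public static void WriteExport(string uncPath, string domain, string user,
                                   string password, string[] lines)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = id.Impersonate())
            // ASCII and "\n" line endings for a file consumed on the Unix side.
            using (StreamWriter w = new StreamWriter(uncPath, false, Encoding.ASCII))
            {
                w.NewLine = "\n";
                foreach (string line in lines) w.WriteLine(line);
            }   // disposing ctx reverts the thread to the worker-process identity
        }
        finally
        {
            CloseHandle(token);   // WindowsIdentity holds its own duplicate
        }
    }
}
```

Because the credentials are not checked at logon, a wrong password surfaces only when the share is opened, as an `IOException` or `UnauthorizedAccessException` from the `StreamWriter`. Load the password from protected configuration rather than source code or a plaintext `web.config` attribute.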
 
Juan T. Llibre

Hi, Andre.

You can use "mirrored" local accounts (that is, accounts with matching
usernames and passwords on two computers). You need to use this
approach when the computers are in separate domains with no trust
relationship or when the computers are separated by a firewall and you
cannot open the ports required for NTLM or Kerberos authentication.

See :
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod15.asp

In the "ASP.NET Worker Process Identity" section
you'll find precise instructions for setting up mirrored accounts.
 
Joined Mar 5, 2008 · Messages: 1 · Reaction score: 0

Essentially what he's saying is that you can create two local accounts on both machines with the same user names and passwords.

You can then impersonate the local account with the ASP.NET worker process and access the other machine with the same rights as the local account created there.

This is a common way to get around lack of domain trusts or lack of domain accounts at all.

There's a post here that discusses it.
http://blog.tylerholmes.com/2008/03/work-around-when-impersonating.html
 
