Impersonation and UnauthorizedAccessException

Discussion in 'ASP .Net Security' started by kevingeist@hotmail.com, Oct 16, 2006.

  1. Guest

    I hope someone can help me with this. Please tell me what I'm not
    seeing. In my web app, I'm trying to create files to a common
    directory. Only some network IDs have access to write to this
    directory.

    In my web.config I have:

    <authentication mode="Windows"/>
    <identity impersonate="true"/>


    In my default.aspx.vb I have:

    Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
    Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
    ....
    currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
    impersonationContext = currentWindowsIdentity.Impersonate()
    filePath = System.IO.Path.Combine("w:\kbg\", FileName)
    My.Computer.FileSystem.WriteAllText(filePath, strData, False)
    impersonationContext.Undo()

    When I run the app on the localhost it works great. If I comment out
    the impersonationContext line, the app fails because the ASPNET account
    does not have access to write to the directory. When I uncomment it,
    it works, my network account does have access rights. That's what I
    want. My network account has access to the directory, I don't want
    ASPNET to have access to it.

    Next step, I bring up a browser session on another PC and run the app
    on my development PC, I get an "Enter Network Password" popup. I enter
    my network password, after a few tries I get an
    "UnauthorizedAccessException: Access is to the path 'w:\KBG' is
    denied." message. Why does it not work if initiated from another PC?
    How do I fix it?

    Any help would really be appreciated.
    , Oct 16, 2006
    #1

  2. Chris Taylor Guest

    Is the w drive a local drive or is it a mapped network drive?

    --
    Chris Taylor
    http://dotnetjunkies.com/weblog/chris.taylor
    Chris Taylor, Oct 16, 2006
    #2

  3. Guest

    It is a mapped network drive.

    , Oct 16, 2006
    #3
  4. Joe Kaplan Guest

    You would need to have Kerberos delegation working in that scenario then
    (assuming you are using integrated auth in IIS). Otherwise you have a
    double hop issue when accessing with a browser from a remote machine.

    You could try following the normal procedures to set up Kerberos delegation.
    I'm not sure exactly how it works with mapped network drives and naming
    conventions, but you should be able to get it working fine using the share
    name.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Oct 16, 2006
    #4
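
A diagnostic for the double-hop case described in the answer above, as an added example that is not part of the original thread. It writes through a UNC share name instead of the mapped drive letter and, when access is denied, reports how the caller authenticated and whether the token is delegable. The module and function names are hypothetical and `\\fileserver\common\kbg` is a placeholder share.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Principal

' Added example, not the poster's code. All names here are hypothetical.
Public Module DelegationCheck

    ' Placeholder UNC path. Drive letters such as W: are mapped per logon
    ' session, so the impersonated request may not see them at all.
    Private Const ShareRoot As String = "\\fileserver\common\kbg"

    ' Summarises the token facts that matter for a second network hop.
    Public Function DescribeToken(ByVal id As WindowsIdentity) As String
        If id Is Nothing OrElse Not id.IsAuthenticated Then
            Return "anonymous request (is Integrated Windows authentication enabled in IIS?)"
        End If
        Dim hint As String = ""
        If id.ImpersonationLevel <> TokenImpersonationLevel.Delegation Then
            ' A token from a remote browser needs Delegation level (Kerberos
            ' delegation configured) before it can be used against a file share.
            hint = " - token is not delegable, so a remote caller cannot reach the share"
        End If
        Return String.Format("user={0}, auth={1}, level={2}{3}", _
            id.Name, id.AuthenticationType, id.ImpersonationLevel, hint)
    End Function

    ' Writes data to the share as the caller and always reverts impersonation.
    Public Sub WriteAsCaller(ByVal id As WindowsIdentity, _
                             ByVal fileName As String, ByVal data As String)
        ' Keep only the file name so the caller cannot steer the write elsewhere.
        Dim target As String = Path.Combine(ShareRoot, Path.GetFileName(fileName))
        Dim ctx As WindowsImpersonationContext = id.Impersonate()
        Try
            File.WriteAllText(target, data)
        Catch ex As UnauthorizedAccessException
            ' Attach the token details to the error for the server-side log.
            Throw New UnauthorizedAccessException( _
                "Write to " & target & " denied: " & DescribeToken(id), ex)
        Finally
            ctx.Undo() ' Revert to the worker-process identity even on failure.
        End Try
    End Sub
End Module
```

From a page, call it as `DelegationCheck.WriteAsCaller(CType(User.Identity, WindowsIdentity), FileName, strData)`; a reported level of `Impersonation` with `auth=NTLM` for a remote browser points at the double hop rather than at the share's ACL.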