impersonation - network share - access denied

Discussion in 'ASP .Net Security' started by bren@ebesser.com, Mar 8, 2006.

  1. Guest

    My intranet web app is trying to display the list of files in a
    directory showing their mod date.

    I wrap the code that's retrieving the mod date with code to set
    impersonation and I still get an access denied error.

    This is the code that fails and raises the error:

    ModDate = File.GetLastWriteTime( TestPath ).ToString();

    I'm confident that I am impersonating the current login.

    The application requires integrated authentication with anonymous
    authentication turned off.

    To confirm for myself what login is trying to access the share, I
    display the access denied error along with the login name using
    System.Security.Principal.User.Identity.Name.

    The login has full permissions on the directory and the files that are
    being accessed.

    Why is the error being raised?

    thanks, Bren
    , Mar 8, 2006
    #1

  2. If the files are on a file share on a remote machine, you probably need to
    get Kerberos delegation in order to use the authenticated user's security
    context to access them. That constitutes a double hop.

    Joe K.

    <> wrote in message
    news:...
    > My intranet web app is trying to display the list of files in a
    > directory showing their mod date.
    >
    > I wrap the code that's retrieving the mod date with code to set
    > impersonation and I still get an access denied error.
    >
    > This is the code that fails and raises the error:
    >
    > ModDate = File.GetLastWriteTime( TestPath ).ToString();
    >
    > I'm confident that I am impersonating the current login.
    >
    > The application requires integrated authentication with anonymous
    > authentication turned off.
    >
    > To confirm for myself what login is trying to access the share, I
    > display the access denied error along with the login name using
    > System.Security.Principal.User.Identity.Name.
    >
    > The login has full permissions on the directory and the files that are
    > being accessed.
    >
    > Why is the error being raised?
    >
    > thanks, Bren
    >
    Joe Kaplan (MVP - ADSI), Mar 8, 2006
    #2

  3. Guest

    Joe,

    Thanks for your reply.

    I've researched Kerberos and tried a few things. I've enabled
    delegation on the web server on which the app is running, and I've set
    the attribute for delegation for the login I'm testing with. Those
    changes didn't make a difference.

    Do you know of anything else specific that I need to do?

    Maybe there is something in the impersonation code that needs to be
    different?

    Thanks, Bren
    , Mar 10, 2006
    #3
  4. The first thing I always check for with delegation issues is to make sure
    that I'm authenticating to the web server with Kerberos, not NTLM. NTLM
    auth will prevent delegation right off.

    The security event log on the server is the best way to find out what
    happened, but you can also use a tool like wfetch.exe (IIS Resource Kit) to
    play around with the settings. After a while, you can learn to tell what a
    Kerberos authentication "looks like" in terms of the authorization headers
    sent by the client as usually the blob of data is much larger than with
    NTLM.

    Once you get the front end working with Kerberos, you then need to make sure
    you are accessing the backend file share via Kerberos too. The same rules
    apply with the security event log.

    Most of the time, failure to get Kerberos auth is an issue with not having
    the correct SPNs set on the accounts in question in AD.

    Joe K.

    <> wrote in message
    news:...
    > Joe,
    >
    > Thanks for your reply.
    >
    > I've researched Kerberos and tried a few things. I've enabled
    > delegation on the web server on which the app is running, and I've set
    > the attribute for delegation for the login I'm testing with. Those
    > changes didn't make a difference.
    >
    > Do you know of anything else specific that I need to do?
    >
    > Maybe there is something in the impersonation code that needs to be
    > different?
    >
    > Thanks, Bren
    >
    Joe Kaplan (MVP - ADSI), Mar 10, 2006
    #4
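The reply above says you can learn to tell Kerberos from NTLM by looking at the client's Authorization header, and that the Kerberos blob is usually much larger. The size heuristic works, but the token format itself is unambiguous, so the following is an added example (not code from the thread or from any of its participants) that classifies a single Authorization header value as NTLM or Kerberos by decoding the base64 blob and checking what it contains: a raw NTLMSSP message, a bare Kerberos GSS-API token, or a SPNEGO negTokenInit whose first listed mechanism reveals which one the client actually sent. The sample headers at the bottom are constructed in the script for demonstration, not captured from real traffic, and the Kerberos AP-REQ inside them is a zero-filled placeholder rather than a real ticket.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_len(n):
    """Encode a DER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, payload):
    """Wrap payload in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def _skip_der_len(buf, i):
    """Return the index just past the DER length field starting at buf[i]."""
    first = buf[i]
    return i + 1 if first < 0x80 else i + 1 + (first & 0x7F)


def classify_authorization_header(header):
    """Return 'ntlm', 'kerberos' or 'unknown' for one Authorization header value."""
    scheme, _, b64 = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme not in ("negotiate", "kerberos"):
        return "unknown"
    try:
        raw = base64.b64decode(b64.strip())
    except ValueError:
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):   # raw NTLM message sent under "Negotiate"
        return "ntlm"
    if not raw.startswith(b"\x60"):         # not a GSS-API InitialContextToken
        return "unknown"
    body = raw[_skip_der_len(raw, 1):]
    if body.startswith(KRB5_OID) or body.startswith(MS_KRB5_OID):
        return "kerberos"                   # bare Kerberos token, no SPNEGO wrapper
    if not body.startswith(SPNEGO_OID):
        return "unknown"
    inner = body[len(SPNEGO_OID):]
    # In negTokenInit the first listed mechType is the one the client actually
    # built its mechToken for, so the earliest recognisable marker decides.
    markers = {
        "kerberos": [inner.find(KRB5_OID), inner.find(MS_KRB5_OID)],
        "ntlm": [inner.find(NTLMSSP_OID), inner.find(NTLMSSP_SIGNATURE)],
    }
    found = [(pos, name) for name, hits in markers.items() for pos in hits if pos >= 0]
    return min(found)[1] if found else "unknown"


# --- Constructed sample tokens (not captured traffic) ------------------------
# NTLM NEGOTIATE (type 1): signature, message type, flags, two empty buffers, version.
_NTLM_TYPE1 = (NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2"
               + b"\x00" * 16 + b"\x06\x01\xb1\x1d\x00\x00\x00\x0f")
# Placeholder standing in for a Kerberos AP-REQ (TOK_ID 01 00 then an empty APPLICATION 14).
_FAKE_AP_REQ = b"\x01\x00" + _der(0x6E, b"\x00" * 40)


def _spnego(mech_list, mech_token):
    """Build a SPNEGO negTokenInit carrying the given mechTypes and mechToken."""
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, mech_list))
                                           + _der(0xA2, _der(0x04, mech_token))))
    return _der(0x60, SPNEGO_OID + neg_token_init)


SAMPLE_HEADERS = {
    "ntlm_plain": "NTLM " + base64.b64encode(_NTLM_TYPE1).decode(),
    "ntlm_negotiate": "Negotiate " + base64.b64encode(_NTLM_TYPE1).decode(),
    "kerberos_raw": "Negotiate " + base64.b64encode(_der(0x60, KRB5_OID + _FAKE_AP_REQ)).decode(),
    "spnego_kerberos": "Negotiate " + base64.b64encode(
        _spnego(MS_KRB5_OID + KRB5_OID + NTLMSSP_OID, _der(0x60, KRB5_OID + _FAKE_AP_REQ))).decode(),
    "spnego_ntlm": "Negotiate " + base64.b64encode(_spnego(NTLMSSP_OID, _NTLM_TYPE1)).decode(),
    "basic": "Basic " + base64.b64encode(b"user:pass").decode(),
}


def classify_all(headers=SAMPLE_HEADERS):
    """Classify a mapping of label -> Authorization header value."""
    return {name: classify_authorization_header(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:16s} -> {result}")
```

Feed `classify_authorization_header` the Authorization values pulled from an IIS log or a wfetch trace and any request that comes back "ntlm" is one that cannot be delegated to the file share, which is exactly the first thing the reply says to rule out. A "Negotiate" scheme on its own proves nothing, since the sample above shows a plain NTLMSSP message travelling under that scheme; only the decoded token tells you which mechanism was used.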
