Impersonation on Remote UNC

KittyHawk

I have an ASP.NET 2.0 application running on IIS 5 under SSL on a W2K
machine. The application attempts to copy several files from the local server
to remote UNC shares that are members of the same domain as the host. I have
set permissions on the UNC shares such that members of a particular group can
write to the directory. However, as of now, the file copy operation fails
with a System.UnauthorizedAccessException. I am using Windows Authentication
with impersonation set to "true". Am I missing something?
 
KittyHawk

Let me also add that if I add the userName and password attributes to
web.config, the files copy to the UNC shares just fine. Unfortunately, this
is not feasible for my application since I have a whole group of users I want
to be able to authenticate.
 
Joe Kaplan

It sounds like you need to implement Kerberos delegation. This will allow
you to impersonate the authenticated browser user and let the web app
delegate those users' creds to the remote resource (a file share in this
case).

MSDN and TechNet have lots of articles on implementing Kerberos delegation
that should turn up with a search. It is also covered frequently in this
newsgroup.

Note that since you are using Win2K IIS, you'll be limited to using
unconstrained, "Kerberos only" delegation. You can't use any of the new
Win2K3 Kerberos features like protocol transition or constrained delegation.

Joe K.
 
KittyHawk

Kerberos delegation was not an option since I don't have an AD forest. Since
my app sits behind an SSL site, I went ahead and configured the
<authorization> module to only allow users from a certain group. The app then
impersonates the user in the web config file that is allowed to copy the
files. I've encrypted the user info in the web config file so it's not
readable.

This seems overly complicated to simply copy a file to a UNC share but I
guess that's the price we pay for security.
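
The setup described in the last post, sketched as a web.config fragment. This is an added example, not configuration posted in the thread; the group name, service account, password value, and application path are placeholders, and the encryption command is one way to protect the section, not necessarily the one the poster used.

```xml
<!-- Constructed example: CONTOSO\FileCopyUsers, CONTOSO\svc-filecopy, the
     password value and the /MyApp path are placeholders, not thread values. -->
<configuration>
  <system.web>
    <!-- IIS authenticates the browser user with Windows credentials. -->
    <authentication mode="Windows" />

    <!-- URL authorization is evaluated against the authenticated browser
         user, not the fixed account below. Rules are matched top down, so
         the trailing deny is what keeps users outside the group out. -->
    <authorization>
      <allow roles="CONTOSO\FileCopyUsers" />
      <deny users="*" />
    </authorization>

    <!-- Fixed impersonation: request code runs as this one account. The
         server holds its password, so it can log on to the remote share
         itself. A token obtained from Integrated Windows authentication
         carries no credentials to forward, which is why the copy failed
         with impersonate="true" alone. -->
    <identity impersonate="true"
              userName="CONTOSO\svc-filecopy"
              password="PLACEHOLDER" />

    <!-- To keep the credentials out of clear text, the section can be
         encrypted in place with ASP.NET 2.0 protected configuration:
           aspnet_regiis -pe "system.web/identity" -app "/MyApp"
         The attributes above are then replaced by an EncryptedData
         element that ASP.NET decrypts at run time. -->
  </system.web>
</configuration>
```

With this layout only the service account needs write permission on the UNC shares, so the share ACLs can be reduced to that single account while group membership is enforced at the web application.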
 
