shared folder access

Discussion in 'ASP .Net Security' started by sundeeps@niit.com, Oct 15, 2003.

  1. Guest

    Hi, I have a web application residing on a web server [w]
    and a file server. Both servers are part of the same
    domain [d].

    Now, I want to access shared folders from my web
    application, but access should be given only to those
    users who have permission on the shared folder.

    I set up impersonation in my system and am using Windows
    authentication, but I still get an access denied error.

    Need help
     
    , Oct 15, 2003
    #1

  2. Steve Jansen Guest

    I suggest reading the Patterns & Practices whitepaper "Authentication in
    ASP.NET: .NET Security Guidance":
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

    Impersonation is not enough to accomplish what you want. You require
    account delegation from your physical server running IIS to your physical
    server hosting the file share.

    Option 1
    ---------
    Your first option is to use Basic Authentication in IIS over SSL. This way,
    the inetinfo.exe process has your credentials in plaintext and can log on to
    the remote file server on the end-user's behalf.

    Option 2
    ---------
    Alternatively, I have gotten this to work before with Windows Authentication,
    but it is not straightforward:
    1) Enable Windows Authentication in IIS for your web app
    2) If you create a virtual directory that maps to your UNC share, manually
    delete the UNCUserName and UNCPassword metabase values using adsutil.vbs.
    This will remove the UNC user token credentials (something that cannot be
    done through inetmgr.exe). Doing so causes IIS to attempt delegation using
    the current logon credentials.
    3) Even though inetinfo.exe runs as LocalSystem, I had to create an AD
    Service Principal Name. First, I had to set the option "Trust this computer
    for delegation" for the IIS Computer AD object. Then, I had to issue the
    setspn.exe command, which I remember being:

    setspn -A HTTP/myhost.mydomain.com myserver


    4) For IE clients, I had to add myhost.mydomain.com to the LocalIntranet
    zone. I would guess this caused IE to use Kerberos authentication instead
    of NTLM. It may have also had something to do with "Automatic Logon in
    Intranet Zone only"

    Connected IE clients should then browse the remote file share using their
    credentials and appropriate ACLs. You should be able to confirm this by
    enabling complete auditing of file access for your share and checking the
    event viewer. I believe there are major performance implications for this,
    due to the increased network activity of IIS performing delegation and UNC
    file operations.
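    Steps 1 to 4 above, and the audit check that follows them, are things an
    administrator ends up verifying by hand. As an added example that is not part
    of Steve's post or of any Microsoft tool, the PowerShell below checks the two
    delegation prerequisites from step 3 (the IIS computer object is trusted for
    delegation and owns an HTTP SPN for the browsed host name) and then reads the
    file server's Security log to report whether the logons arriving there were
    Kerberos or NTLM. It assumes the RSAT ActiveDirectory module, current Windows
    Security log event IDs (4624) rather than the IIS 5-era ones, and the placeholder
    names IISHOST and FILESRV for the thread's unnamed servers.

```powershell
# Added example, not from the thread. Placeholders: IISHOST (AD computer object of
# the web server), myhost.mydomain.com (name from the thread), FILESRV (share host).
param(
    [string]$IisComputer = 'IISHOST',
    [string]$IisHostName = 'myhost.mydomain.com',
    [string]$FileServer  = 'FILESRV'
)

Import-Module ActiveDirectory

# Step 3 of the thread: without "Trust this computer for delegation" and an
# HTTP/<hostname> SPN on the IIS computer object, the KDC never issues a ticket
# that IIS can forward to the file server, and the second hop is denied.
$iis = Get-ADComputer -Identity $IisComputer -Properties TrustedForDelegation, servicePrincipalName
$wantedSpn = "HTTP/$IisHostName"
$hasSpn = $iis.servicePrincipalName -contains $wantedSpn
$spnNote = if ($hasSpn) { 'registered' } else { "missing; register with: setspn -A $wantedSpn $IisComputer" }

[pscustomobject]@{ Check = 'TrustedForDelegation'; Result = $iis.TrustedForDelegation
                   Note  = '"Trust this computer for delegation" on the IIS computer object' }
[pscustomobject]@{ Check = "SPN $wantedSpn"; Result = $hasSpn; Note = $spnNote }

# A duplicate SPN makes Kerberos fail silently (the KDC cannot pick one account);
# setspn -X lists duplicates forest-wide.
setspn -X | Select-String -Pattern $IisHostName

# Confirmation step from the thread: network logons (LogonType 3) on the file
# server. AuthenticationPackageName 'Kerberos' means delegation carried the
# user's identity across; 'NTLM' means the browser fell back and delegation
# cannot work. IpAddress should be the IIS server for delegated hops.
$events = Get-WinEvent -ComputerName $FileServer -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -eq '3') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Package = $d.AuthenticationPackageName
            Source  = $d.IpAddress
        }
    }
} | Group-Object Package | Select-Object Name, Count
```

    Run it from a domain-joined admin workstation with rights to read the file
    server's Security log (object-access auditing on the share, as Steve suggests,
    adds 4656/4663 events that name the file and the impersonated user). One caveat
    worth knowing: the "Trust this computer for delegation" checkbox from step 3 is
    unconstrained delegation, which lets the IIS host present any connected user's
    identity to any service in the domain; on Windows Server 2003 and later the same
    scenario works with constrained delegation limited to the file server's CIFS SPN,
    which is the setting to prefer.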

    Option 3
    ---------
    You can also set the UNCAuthenticationPassthrough metabase attribute to True
    to accomplish this. The article @
    http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/default.aspx
    provides a good discussion of this setting. However, the KB 286401 states
    that this setting is not supported by MS.

    -Steve Jansen

     
    Steve Jansen, Oct 15, 2003
    #2

  3. Guest Guest

    Thanks Steve. Your options are really logical. However, I
    tried with Basic authentication, as we are on an intranet
    and it's OK for us to pass in plain text too, but it seems it
    doesn't work.

    Also, I am not able to delete the UNC parameters as
    you did.

     
    Guest, Oct 16, 2003
    #3
  4. Steve Jansen Guest

    Did you use adsutil.vbs to delete the UNC parameters, or did you try to use
    the GUI tool (inetmgr.exe)?

     
    Steve Jansen, Oct 16, 2003
    #4
  5. sandy Guest

    I tried using adsutil.vbs!

     
    sandy, Oct 17, 2003
    #5