System.UnauthorizedAccessException

Discussion in 'ASP .Net Security' started by Manuel, Jun 5, 2009.

  1. Manuel

    Manuel Guest

    Hi,

    a asp.net web page developed using visual studio 2008 with .net framework
    3.5 can not access to a network file
    \\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\NTMAIL\Received\i0067758.zip
    When I debug the application using visual studio on my local machine it
    works correctly but when I publish the application a
    System.UnauthorizedAccessException occurs

    Please help
     
    Manuel, Jun 5, 2009
    #1
    1. Advertising

  2. Hi Manuel,

    >a asp.net web page developed using visual studio 2008 with .net framework
    >3.5 can not access to a network file
    >\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\NTMAIL\Received\i0067758.

    zip
    >When I debug the application using visual studio on my local machine it
    >works correctly but when I publish the application a
    >System.UnauthorizedAccessException occurs


    It's a double hop issue. When you debug your application in Visual Studio
    the thread's identity is your domain account, which has access permission
    to the shared file. However, when you host your application on IIS the
    default identity of the thread is the NetworkService account (IIS 6+). To
    use the domain account to access the file one way is to use Basic
    authentication and turn on impersonation
    (http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx).

    More documentations about double hop and solution:

    http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
    http://drowningintechnicaldebt.com/blogs/shawnweisfeld/archive/2006/12/06/Th
    e-_1C20_Double-Hop_1D20_-Issue.aspx
    http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx
    http://support.microsoft.com/kb/910449
    http://support.microsoft.com/kb/891031
    http://support.microsoft.com/kb/810572
    http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.a
    sp?url=/servicedesks/webcasts/en/WC102704/manifest.xml

    Regards,
    Allen Chen
    Microsoft Online Support

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Allen Chen [MSFT], Jun 8, 2009
    #2
    1. Advertising

  3. Manuel

    Manuel Guest

    Hello Allen,

    I have a cast exception at runtime

    System.Security.Principal.WindowsImpersonationContext impersonationContext;

    impersonationContext =
    ((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();

    please help
    thank you


    "Allen Chen [MSFT]" wrote:

    > Hi Manuel,
    >
    > >a asp.net web page developed using visual studio 2008 with .net framework
    > >3.5 can not access to a network file
    > >\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\NTMAIL\Received\i0067758.

    > zip
    > >When I debug the application using visual studio on my local machine it
    > >works correctly but when I publish the application a
    > >System.UnauthorizedAccessException occurs

    >
    > It's a double hop issue. When you debug your application in Visual Studio
    > the thread's identity is your domain account, which has access permission
    > to the shared file. However, when you host your application on IIS the
    > default identity of the thread is the NetworkService account (IIS 6+). To
    > use the domain account to access the file one way is to use Basic
    > authentication and turn on impersonation
    > (http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx).
    >
    > More documentations about double hop and solution:
    >
    > http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
    > http://drowningintechnicaldebt.com/blogs/shawnweisfeld/archive/2006/12/06/Th
    > e-_1C20_Double-Hop_1D20_-Issue.aspx
    > http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx
    > http://support.microsoft.com/kb/910449
    > http://support.microsoft.com/kb/891031
    > http://support.microsoft.com/kb/810572
    > http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.a
    > sp?url=/servicedesks/webcasts/en/WC102704/manifest.xml
    >
    > Regards,
    > Allen Chen
    > Microsoft Online Support
    >
    > Delighting our customers is our #1 priority. We welcome your comments and
    > suggestions about how we can improve the support we provide to you. Please
    > feel free to let my manager know what you think of the level of service
    > provided. You can send feedback directly to my manager at:
    > .
    >
    > ==================================================
    > Get notification to my posts through email? Please refer to
    > http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
    >
    > Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    > where an initial response from the community or a Microsoft Support
    > Engineer within 2 business day is acceptable. Please note that each follow
    > up response may take approximately 2 business days as the support
    > professional working with you may need further investigation to reach the
    > most efficient resolution. The offering is not appropriate for situations
    > that require urgent, real-time or phone-based interactions. Issues of this
    > nature are best handled working with a dedicated Microsoft Support Engineer
    > by contacting Microsoft Customer Support Services (CSS) at
    > http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    > ==================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
    >
    >
    >
     
    Manuel, Jun 8, 2009
    #3
  4. Hi Manuel,

    >I have a cast exception at runtime


    Could you provide the detailed description of this exception?

    If you want to use Basic Authentication to resolve this issue you can try
    this:

    1. Enable Basic Authentication for this web site in IIS and disable other
    authentication.

    2. Add following setting in web.config:
    <system.web>
    <identity impersonate="true"/>

    ..
    </system.web>

    Could you try above way to see if it works?

    Regards,
    Allen Chen
    Microsoft Online Support
     
    Allen Chen [MSFT], Jun 9, 2009
    #4
  5. Manuel

    Tony201 Guest

    Manuel,

    In order for you to impersonate over a double hop, you need to setup
    delegation for your app pool account and create (if they don't already exist)
    SPNs for your application and the file server. The application SPN should
    look like HTTP/FQDN_of_website and the file server SPNs should look something
    like CIFS/servername.

    Tony

    "Manuel" wrote:

    > Hello Allen,
    >
    > I have a cast exception at runtime
    >
    > System.Security.Principal.WindowsImpersonationContext impersonationContext;
    >
    > impersonationContext =
    > ((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();
    >
    > please help
    > thank you
    >
    >
    > "Allen Chen [MSFT]" wrote:
    >
    > > Hi Manuel,
    > >
    > > >a asp.net web page developed using visual studio 2008 with .net framework
    > > >3.5 can not access to a network file
    > > >\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\NTMAIL\Received\i0067758.

    > > zip
    > > >When I debug the application using visual studio on my local machine it
    > > >works correctly but when I publish the application a
    > > >System.UnauthorizedAccessException occurs

    > >
    > > It's a double hop issue. When you debug your application in Visual Studio
    > > the thread's identity is your domain account, which has access permission
    > > to the shared file. However, when you host your application on IIS the
    > > default identity of the thread is the NetworkService account (IIS 6+). To
    > > use the domain account to access the file one way is to use Basic
    > > authentication and turn on impersonation
    > > (http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx).
    > >
    > > More documentations about double hop and solution:
    > >
    > > http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
    > > http://drowningintechnicaldebt.com/blogs/shawnweisfeld/archive/2006/12/06/Th
    > > e-_1C20_Double-Hop_1D20_-Issue.aspx
    > > http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx
    > > http://support.microsoft.com/kb/910449
    > > http://support.microsoft.com/kb/891031
    > > http://support.microsoft.com/kb/810572
    > > http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.a
    > > sp?url=/servicedesks/webcasts/en/WC102704/manifest.xml
    > >
    > > Regards,
    > > Allen Chen
    > > Microsoft Online Support
    > >
    > > Delighting our customers is our #1 priority. We welcome your comments and
    > > suggestions about how we can improve the support we provide to you. Please
    > > feel free to let my manager know what you think of the level of service
    > > provided. You can send feedback directly to my manager at:
    > > .
    > >
    > > ==================================================
    > > Get notification to my posts through email? Please refer to
    > > http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
    > >
    > > Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    > > where an initial response from the community or a Microsoft Support
    > > Engineer within 2 business day is acceptable. Please note that each follow
    > > up response may take approximately 2 business days as the support
    > > professional working with you may need further investigation to reach the
    > > most efficient resolution. The offering is not appropriate for situations
    > > that require urgent, real-time or phone-based interactions. Issues of this
    > > nature are best handled working with a dedicated Microsoft Support Engineer
    > > by contacting Microsoft Customer Support Services (CSS) at
    > > http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    > > ==================================================
    > > This posting is provided "AS IS" with no warranties, and confers no rights.
    > >
    > >
    > >
    > >
    > >
     
    Tony201, Jun 9, 2009
    #5
  6. Manuel

    Manuel Guest

    It works well, thank you very much !

    "Allen Chen [MSFT]" wrote:

    > Hi Manuel,
    >
    > >I have a cast exception at runtime

    >
    > Could you provide the detailed description of this exception?
    >
    > If you want to use Basic Authentication to resolve this issue you can try
    > this:
    >
    > 1. Enable Basic Authentication for this web site in IIS and disable other
    > authentication.
    >
    > 2. Add following setting in web.config:
    > <system.web>
    > <identity impersonate="true"/>
    >
    > ..
    > </system.web>
    >
    > Could you try above way to see if it works?
    >
    > Regards,
    > Allen Chen
    > Microsoft Online Support
    >
    >
     
    Manuel, Jun 9, 2009
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. S. Justin Gengo
    Replies:
    0
    Views:
    861
    S. Justin Gengo
    Jul 14, 2003
  2. Salim Afþar
    Replies:
    0
    Views:
    434
    Salim Afþar
    Aug 11, 2003
  3. James
    Replies:
    0
    Views:
    511
    James
    Aug 11, 2004
  4. Aleks A.
    Replies:
    0
    Views:
    408
    Aleks A.
    Aug 28, 2004
  5. bruce barker
    Replies:
    0
    Views:
    715
    bruce barker
    Aug 31, 2004
Loading...

Share This Page