Win 2003 svr/ASP.NET 2.0 UNC share

  • Thread starter Langedal, Roger

Langedal, Roger

I'm trying to set up a simple test on writing to a file on a UNC share from
an ASP.NET 2.0 webpage. This is what's happening in default.aspx:

-----------------------------------------------------------------------------------
Dim path As String = "\\remoteserver\testshare"

Response.Write(User.Identity.Name)

' Writes to the share under whatever identity the page is running as (impersonated user)
My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's good", True)
-----------------------------------------------------------------------------------

Impersonation is enabled and Windows auth is set up in IIS 6.

1. When I run this on my Vista PC, I'm correctly authenticated and the file
is written perfectly to the remote share.
2. If I move my webapp to a Windows 2003/IIS 6 webserver and create a share
on this server, \\mywebserver\testshare, everything still works perfectly.
3. But if I try to write to a REMOTE share, i.e. \\myotherserver\testshare,
it fails with "file not found" - no further explanation :-S I've tried to
scan for activity on the remote server's filesystem with Filemon, but it
doesn't even look like it tries to access the share at all.... Permissions
are set to Everyone for both the NTFS and the share permissions on this share.

ANY ideas guys??

Regards,
Roger
 

Guest

Do you use impersonation, or do you run the application under the ASP.NET
account?
 

Langedal, Roger

I do impersonate. Testing with my own account - and it does have more than
sufficient permissions.


Langedal, Roger

Thanks Dominick,

1. The web server is a win2003/iis 6 box - same with the box I've setup the
share on for test purposes - both members of our domain

2. I am impersonating and using a domain account to access the site.

3. The site is setup with "Integrated auth"

4. The DC is running as "Windows 2000 native" at the domain functional level

5. The webserver hosting the app is set up as "Trust computer for
delegation"

Still doesn't work - what is the last piece of the puzzle - anyone.....??
:)

Roger
 

Dominick Baier

You haven't read the article, have you?

Are you sure your SPNs are set up correctly - are you REALLY using Kerberos
(check the security event log of the web server for logon events - which
authentication package do you see?)
 

Langedal, Roger

Sorry - didn't see the article yesterday :p

Excellent article - stepped through the troubleshooting part:
- seems the two servers are negotiating NTLM between them....
- seems the client and webserver also negotiated NTLM

Do you have any ideas on how the SPN should be set up?

The webserver hosting the app is running IIS6 under the "Network Service"
account and is called web1.mydomain.com.
Used LDP to find these SPNs already configured:
servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com;
HOST/WEB1; HOST/WEB1.mydomain.com;

Pretty much the same with the file-sharing server, only the name is web2.

Regards,
Roger
 

Langedal, Roger

Hey,

First of all - thanks for your patience and excellent help on this one,
Dominick... :)

I use http://demoapp.mydomain.com

I got Kerberos working now between client and webserver by using
setspn -A HTTP/demoapp.mydomain.com web1

Now I need to setup Kerberos between the web1 and fileserver web2. What
service am I supposed to use for setspn on the fileserver?

Roger
 

Dominick Baier

Hi,

you are welcome ;)

try CIFS and HOST + the name of the machine as you use it in the UNC path.
 

Langedal, Roger

hmmmm..... auth seems to work using Kerberos between the webserver and
client:

event log from WEBSERVER:
--------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2007-05-08
Time: 12:17:02
User: MYDOMAIN\RLA
Computer: WEB1
Description:
Successful Network Logon:
User Name: RLA
Domain: MYDOMAIN
Logon ID: (0x0,0x5FC7F2AC)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {624ca6b7-acdf-1e0c-f71d-b89a9ca74c6f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.99
Source Port: 50135
-----------------

but not on the file server; something seems odd.
It looks to me like the webserver tries to connect using Kerberos first,
using a user named WEB1$ (??), and then NTLM as ANONYMOUS......

eventlog of WEB2
-------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: MYDOMAIN\WEB1$
Computer: WEB2
Description:
Successful Network Logon:
User Name: WEB1$
Domain: MYDOMAIN
Logon ID: (0x0,0x52375B9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {2981b3ae-a8dd-1971-830a-3dd64c0d27ac}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.55
Source Port: 0

-------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: WEB2
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x52375C4)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB1
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.55
Source Port: 0
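An added example (not from the thread) that reads Event 540 records like the ones pasted above and flags the signs of a failed second hop that Dominick asked about: an NTLM authentication package, an empty user name (ANONYMOUS LOGON), or the web server's machine account (WEB1$) logging on to the file server instead of the delegated user. The log text is trimmed from the events posted above; the list of servers that should see the delegated user is an assumption.

```python
import re

# Event 540 excerpts copied from the security logs posted above (WEB1 = client hop,
# WEB2 = web-to-file-server hop), trimmed to the fields the checks read.
EVENT_LOG_TEXT = """\
Event ID: 540
Computer: WEB1
User Name: RLA
Authentication Package: Kerberos

Event ID: 540
Computer: WEB2
User Name: WEB1$
Authentication Package: Kerberos

Event ID: 540
Computer: WEB2
User Name:
Authentication Package: NTLM
"""

def parse_events(text):
    """One dict per event; events are separated by blank lines, fields by 'Key: Value'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "540":
            events.append(fields)
    return events

def classify(event, hop_servers=("WEB2",)):
    """Names of double-hop failure signs in one Event 540 record.
    hop_servers (assumed): computers that should see the delegated *user*, not the web server."""
    findings = []
    user = event.get("User Name", "")
    if event.get("Authentication Package", "").upper() == "NTLM":
        findings.append("ntlm_fallback")        # no Kerberos ticket, so nothing to delegate
    if not user:
        findings.append("anonymous_logon")      # null session: the client identity was lost
    if user.endswith("$") and event.get("Computer") in hop_servers:
        findings.append("machine_account_hop")  # the web server's own account made the hop
    return findings

def report(text):
    return [(e["Computer"], e.get("User Name") or "<anonymous>", classify(e))
            for e in parse_events(text)]
```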
 

Langedal, Roger

To me it looks like delegation does not work - I'll try to reboot the damn
thing and see if it takes the new setting... :p

Roger
 

Dominick Baier

This looks like you are not impersonating when making the hop from web
to fileserver.

Check the value of WindowsIdentity.GetCurrent().Name before doing the access
- it should hold the username of the client and _not_ NETWORK SERVICE...
 

Langedal, Roger

1. Used kerbtray.exe and found the flag set to "ok as delegate" for the
webserver.

2. WindowsIdentity.GetCurrent().Name gives the correct username....

*aaarghhhhh*
 

Langedal, Roger

OK, turned on Kerberos logging and got this:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 08.05.2007
Time: 14:11:09
User: N/A
Computer: WEB2
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 12:11:9.0000 5/8/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: MYDOMAIN
Server Name: host/web2.mydomain
Target Name: host/web2.mydomain@mydomain
Error Text:
File: 9
Line: ae0
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c bb 00 00 c0 00 ...»..À.
0010: 00 00 00 03 00 00 00 .......
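As an added example (not part of the thread), a decoder for the "Error Data is in record data" bytes of that Event ID 3: the dump is a DER-encoded KERB-ERROR-DATA (MS-KILE) whose data-type 3 payload is a KERB_EXT_ERROR of three little-endian ULONGs (status, reserved, flags), and the status is the 0xc00000bb the event shows as "Extended Error". The byte values are copied from the dump above; the structure and field names follow MS-KILE.

```python
import struct

# Record data ("Data:" hex dump) from the Kerberos Event ID 3 posted above, as raw bytes.
EVENT_3_RECORD_DATA = bytes.fromhex(
    "30 15 a1 03 02 01 03 a2"
    "0e 04 0c bb 00 00 c0 00"
    "00 00 00 03 00 00 00"
)

KERB_ERR_TYPE_EXTENDED = 3  # MS-KILE data-type: data-value holds a KERB_EXT_ERROR

def der_tlv(buf, pos=0):
    """Read one DER tag/length/value starting at pos (short-form lengths are enough here)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled by this decoder")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_kerb_error_data(data):
    """Parse KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING }.
    For data-type 3 the value is KERB_EXT_ERROR: three little-endian ULONGs (status, reserved, flags)."""
    tag, seq, _ = der_tlv(data)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        tag, ctx, pos = der_tlv(seq, pos)
        _, inner, _ = der_tlv(ctx)          # unwrap the [n] EXPLICIT context tag
        if tag == 0xA1:
            out["data_type"] = int.from_bytes(inner, "big", signed=True)
        elif tag == 0xA2:
            out["data_value"] = inner
    if out.get("data_type") == KERB_ERR_TYPE_EXTENDED and len(out.get("data_value", b"")) == 12:
        status, reserved, flags = struct.unpack("<III", out["data_value"])
        out.update(nt_status=status, reserved=reserved, flags=flags)
    return out

def ext_status_hex(data):
    """The NTSTATUS formatted as the event viewer prints it, e.g. '0xc00000bb'."""
    return "0x%08x" % decode_kerb_error_data(data)["nt_status"]
```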
 
