Win 2003 svr/ASP.NET 2.0 UNC share

Discussion in 'ASP .Net Security' started by Langedal, Roger, May 4, 2007.

  1. I'm trying to set up a simple test on writing to a file on a UNC share from
    an asp.net 2.0 webpage. This is what's happening in default.aspx:

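    -----------------------------------------------------------------------------------
    ' Target folder on the remote file server (UNC path)
    Dim path As String = "\\remoteserver\testshare"

    ' Show which identity ASP.NET authenticated for this request
    Response.Write(User.Identity.Name)

    ' Append the text to the file (third argument True = append)
    My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's good", True)
    -----------------------------------------------------------------------------------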

    impersonation is enabled and windows auth is setup in IIS 6.

    1. When I run this on my Vista PC - I'm correctly authenticated and the file
    is written perfectly to the remote share.
    2. If I move my webapp to a Windows 2003/IIS 6 webserver and create a share
    on this server \\mywebserver\testshare everything still works perfectly
    3. But - if I try to write to a REMOTE share i.e. \\myotherserver\testshare
    it fails with "file not found" - no further explanation :-S I've tried to
    scan for activity on the remote server's filesystem with Filemon - but it
    doesn't even look like it tries to access the share at all.... Permissions
    are set to everyone both at NTFS and share permissions at this share.

    ANY ideas guys??

    Regards,
    Roger
     
    Langedal, Roger, May 4, 2007
    #1

  2. Do you use impersonation, or do you run the application under the ASP.NET
    account?
     
    Alexey Smirnov, May 4, 2007
    #2

  3. I do impersonate. Testing with my own account - and it does have more than
    sufficient permissions.

     
    Langedal, Roger, May 7, 2007
    #3
  4. well - if you are impersonating _and_ accessing a remote resource - this
    is called delegation and works only under specific pre-reqs:

    - Kerberos authentication (which implies a domain environment)
    - Delegation is set up (which is not the default)

    have a look here:

    http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, May 7, 2007
    #4
  5. Thanks Dominick,

    1. The web server is a win2003/iis 6 box - same with the box I've setup the
    share on for test purposes - both members of our domain

    2. I am impersonating and using a domain account to access the site.

    3. The site is setup with "Integrated auth"

    4. The DC is running as "Windows 2000 native" at the domain functional level

    5. The webserver hosting the app is set up as "Trust computer for
    delegation"

    Still doesn't work - what is the last piece of the puzzle - anyone.....??
    :)

    Roger


     
    Langedal, Roger, May 7, 2007
    #5
  6. you haven't read the article, have you?

    Are you sure your SPNs are set up correctly - are you REALLY using Kerberos
    (check the security event log of the web server for logon events - which
    authentication package do you see?)

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, May 7, 2007
    #6
  7. Sorry - didn't see the article yesterday :p

    Excellent article - stepped through the troubleshooting part
    - seems the two servers are negotiating NTLM between them....
    - seems the client and webserver also negotiated NTLM

    Do you have any ideas on how the SPN should be setup?

    The webserver hosting the app is running IIS6 under the "Network Service"
    account and is called web1.mydomain.com
    Used LDP to find these SPN's already configured:
    servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com;
    HOST/WEB1; HOST/WEB1.mydomain.com;

    Pretty much the same with the filesharing server only the name is web2:

    Regards,
    Roger




     
    Langedal, Roger, May 8, 2007
    #7
  8. what do you type into IE to open the web app?


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, May 8, 2007
    #8
  9. Hey,

    First of all - thanks for your patience and excellent help on this one
    Dominick... :)

    I use http://demoapp.mydomain.com

    I got kerberos working now between client and webserver by using setspn -A
    HTTP/demoapp.mydomain.com web1

    Now I need to setup Kerberos between the web1 and fileserver web2. What
    service am I supposed to use for setspn on the fileserver?

    Roger




     
    Langedal, Roger, May 8, 2007
    #9
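
Added illustration, not written by any poster in the thread: a small Python model of the SPN lookups behind the two hops being troubleshot above (browser to web1, then web1 to the file server). The directory contents are constructed from the SPNs quoted in the thread plus assumed HOST entries for web2; all function names are hypothetical, and the model assumes the host name is requested exactly as typed (no CNAME canonicalisation).

```python
from urllib.parse import urlsplit

# Service classes Active Directory maps onto HOST by default (subset of the
# default sPNMappings list; only the classes relevant to this thread).
HOST_ALIASES = {"http", "www", "w3svc", "cifs"}

# Constructed sample. WEB1$ mirrors the LDP output quoted in the thread;
# the WEB2$ entries are an assumption ("pretty much the same").
DIRECTORY_BEFORE = {
    "WEB1$": ["SMTPSVC/WEB1", "SMTPSVC/STRA-WEB1.mydomain.com",
              "HOST/WEB1", "HOST/WEB1.mydomain.com"],
    "WEB2$": ["HOST/WEB2", "HOST/WEB2.mydomain.com"],
}
# State after: setspn -A HTTP/demoapp.mydomain.com web1
DIRECTORY_AFTER = dict(DIRECTORY_BEFORE)
DIRECTORY_AFTER["WEB1$"] = DIRECTORY_BEFORE["WEB1$"] + ["HTTP/demoapp.mydomain.com"]


def spn_for_url(url):
    """SPN the browser asks a ticket for: HTTP/<host name in the URL>."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host part: %r" % url)
    return "HTTP/" + host


def spn_for_unc(unc_path):
    """SPN the SMB client asks a ticket for: cifs/<server in the UNC path>."""
    if not unc_path.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % unc_path)
    server = unc_path[2:].split("\\", 1)[0]
    if not server:
        raise ValueError("UNC path has no server part: %r" % unc_path)
    return "cifs/" + server


def resolve(spn, directory):
    """Accounts whose registered SPNs answer for `spn` (case-insensitive).

    A HOST/<name> registration also answers for the aliased service classes.
    """
    service, _, host = spn.partition("/")
    wanted = {spn.lower()}
    if service.lower() in HOST_ALIASES:
        wanted.add("host/" + host.lower())
    return sorted(account for account, spns in directory.items()
                  if any(s.lower() in wanted for s in spns))


def expected_package(spn, directory):
    """Authentication package Negotiate ends up with for this SPN."""
    owners = resolve(spn, directory)
    if len(owners) == 1:
        return "Kerberos", owners[0]
    # No owner, or duplicate owners: no usable ticket, fallback to NTLM.
    return "NTLM", None


def double_hop(url, unc_path, directory, trusted_for_delegation):
    """Walk both hops and report the first thing that blocks delegation."""
    web_spn = spn_for_url(url)
    package, web_account = expected_package(web_spn, directory)
    if package != "Kerberos":
        return False, "hop 1: %s does not resolve to one account, NTLM is used" % web_spn
    if web_account not in trusted_for_delegation:
        return False, "hop 1: %s is not trusted for delegation" % web_account
    file_spn = spn_for_unc(unc_path)
    package, _ = expected_package(file_spn, directory)
    if package != "Kerberos":
        return False, "hop 2: %s does not resolve to one account, NTLM is used" % file_spn
    return True, "both hops can use Kerberos"


if __name__ == "__main__":
    url = "http://demoapp.mydomain.com"
    unc = r"\\web2\testshare"
    for label, directory in (("before setspn", DIRECTORY_BEFORE),
                             ("after setspn", DIRECTORY_AFTER)):
        print(label, double_hop(url, unc, directory, {"WEB1$"}))
```
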
  10. Hi,

    you are welcome ;)

    try CIFS and HOST + the name of the machine as you use it in the UNC path.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Hey,
    >
    > First of all - thanks for you patience and excellent help on this one
    > Dominick... :)
    >
    > I use http://demoapp.mydomain.com
    >
    > I got kerberos working now between client and webserver by using
    > setspn -A HTTP/demoapp.mydomain.com web1
    >
    > Now I need to setup Kerberos between the web1 and fileserver web2.
    > What service am I supposed to use for setspn on the fileserver?
    >
    > Roger
     
    Dominick Baier, May 8, 2007
    #10
  11. Like this? setspn -A CIFS/web2 web2

    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Hi,
    > you are welcome ;)
    >
    > try CIFS and HOST + the name of the machine as you use it in the UNC path.
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
     
    Langedal, Roger, May 8, 2007
    #11
  12. hmmmm.....auth seems to work using Kerberos between the webserver and
    client:

    event log from WEBSERVER:
    --------------------------------
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 2007-05-08
    Time: 12:17:02
    User: MYDOMAIN\RLA
    Computer: WEB1
    Description:
    Successful Network Logon:
    User Name: RLA
    Domain: MYDOMAIN
    Logon ID: (0x0,0x5FC7F2AC)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {624ca6b7-acdf-1e0c-f71d-b89a9ca74c6f}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 10.1.1.99
    Source Port: 50135
    -----------------

    but not on the file server; something seems odd.
    It looks to me like the webserver tries to connect using Kerberos first
    using a user named WEB1$(??) and then NTLM an ANONYMOUS......

    eventlog of WEB2
    -------------------
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 08.05.2007
    Time: 12:20:12
    User: MYDOMAIN\WEB1$
    Computer: WEB2
    Description:
    Successful Network Logon:
    User Name: WEB1$
    Domain: MYDOMAIN
    Logon ID: (0x0,0x52375B9)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {2981b3ae-a8dd-1971-830a-3dd64c0d27ac}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 10.1.1.55
    Source Port: 0

    -------------------
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 08.05.2007
    Time: 12:20:12
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: WEB2
    Description:
    Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x52375C4)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: WEB1
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 10.1.1.55
    Source Port: 0

    -------------------


    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Hi,
    > you are welcome ;)
    >
    > try CIFS and HOST + the name of the machine as you use it in the UNC path.
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
     
    Langedal, Roger, May 8, 2007
    #12
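
The three Event ID 540 records in post #12, run through a small parser that reports which identity actually reached each server (an added example, not code from the thread; the function names and classification labels are assumptions, and the sample is abbreviated from the post). A logon under the web server's computer account (`WEB1$`) means the request went out under the worker process identity, since Network Service authenticates to remote machines as the computer account.

```python
import re

# Constructed sample: the three Event ID 540 records from post #12,
# abbreviated to the fields the classifier reads.
SAMPLE_LOG = r"""
Event ID: 540
User: MYDOMAIN\RLA
Computer: WEB1
Logon Type: 3
Authentication Package: Kerberos
Source Network Address: 10.1.1.99
-------------------
Event ID: 540
User: MYDOMAIN\WEB1$
Computer: WEB2
Logon Type: 3
Authentication Package: Kerberos
Source Network Address: 10.1.1.55
-------------------
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: WEB2
Logon Type: 3
Authentication Package: NTLM
Workstation Name: WEB1
Source Network Address: 10.1.1.55
"""


def parse_events(text):
    """Split a pasted event-log dump on dashed lines; return one dict per 540 record."""
    events = []
    for chunk in re.split(r"(?m)^\s*-{5,}\s*$", text):
        fields = {}
        for line in chunk.splitlines():
            # Split on the first colon only, so values such as times survive intact.
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "540":
            events.append(fields)
    return events


def classify(event):
    """Label the identity that logged on (labels are this example's own)."""
    account = event.get("User", "").rsplit("\\", 1)[-1]
    package = event.get("Authentication Package", "")
    if account.upper() == "ANONYMOUS LOGON":
        return "anonymous"          # null session: no credentials were forwarded
    if account.endswith("$"):
        return "machine-account"    # process identity, not the end user
    # A user logon over NTLM gives the server nothing it can delegate onward.
    return "user-kerberos" if package == "Kerberos" else "user-ntlm"


def diagnose_hop(events, back_end, expected_user):
    """Return (delegated, identities seen on back_end).

    delegated is True only if expected_user itself logged on to the
    back-end server with Kerberos.
    """
    seen = [
        (e.get("User", ""), classify(e))
        for e in events
        if e.get("Computer", "").upper() == back_end.upper()
    ]
    delegated = any(
        user.upper() == expected_user.upper() and kind == "user-kerberos"
        for user, kind in seen
    )
    return delegated, seen


if __name__ == "__main__":
    records = parse_events(SAMPLE_LOG)
    for server in ("WEB1", "WEB2"):
        ok, seen = diagnose_hop(records, server, r"MYDOMAIN\RLA")
        print(server, "end user arrived with Kerberos:", ok)
        for user, kind in seen:
            print("   ", user, "->", kind)
```
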
  13. yep. also alternatively try the fully qualified domain name
    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Like this? setspn -A CIFS/web2 web2
     
    Dominick Baier, May 8, 2007
    #13
  14. To me it looks like delegation does not work - I'll try to reboot the damn
    thing and see if it takes the new setting... :p

    Roger

    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Hi,
    > you are welcome ;)
    >
    > try CIFS and HOST + the name of the machine as you use it in the UNC path.
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
     
    Langedal, Roger, May 8, 2007
    #14
  15. This looks like you are not impersonating when making the hop from web
    to fileserver.

    Check the value of WindowsIdentity.GetCurrent().Name before doing the access
    - it should hold the username of the client and _not_ NETWORK SERVICE...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > hmmmm.....auth seems to work using Kerberos between the webserver and
    > client:
    >
    > event log from WEBSERVER:
    > --------------------------------
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 540
    > Date: 2007-05-08
    > Time: 12:17:02
    > User: MYDOMAIN\RLA
    > Computer: WEB1
    > Description:
    > Successful Network Logon:
    > User Name: RLA
    > Domain: MYDOMAIN
    > Logon ID: (0x0,0x5FC7F2AC)
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name:
    > Logon GUID: {624ca6b7-acdf-1e0c-f71d-b89a9ca74c6f}
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: 10.1.1.99
    > Source Port: 50135
    > -----------------
    > but not on the file server - something seems odd.
    > It looks to me like the webserver tries to connect using Kerberos first
    > using a user named WEB1$(??) and then NTLM an ANONYMOUS......
    > eventlog of WEB2
    > -------------------
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 540
    > Date: 08.05.2007
    > Time: 12:20:12
    > User: MYDOMAIN\WEB1$
    > Computer: WEB2
    > Description:
    > Successful Network Logon:
    > User Name: WEB1$
    > Domain: MYDOMAIN
    > Logon ID: (0x0,0x52375B9)
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name:
    > Logon GUID: {2981b3ae-a8dd-1971-830a-3dd64c0d27ac}
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: 10.1.1.55
    > Source Port: 0
    > -------------------
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 540
    > Date: 08.05.2007
    > Time: 12:20:12
    > User: NT AUTHORITY\ANONYMOUS LOGON
    > Computer: WEB2
    > Description:
    > Successful Network Logon:
    > User Name:
    > Domain:
    > Logon ID: (0x0,0x52375C4)
    > Logon Type: 3
    > Logon Process: NtLmSsp
    > Authentication Package: NTLM
    > Workstation Name: WEB1
    > Logon GUID: -
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: 10.1.1.55
    > Source Port: 0
    > -------------------
    >
    > "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote
    > in message news:...
    >
    >> Hi,
    >> you are welcome ;)
    >> try CIFS and HOST + the name of the machine as you use it in the UNC
    >> path.
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> Hey,
    >>>
    >>> First of all - thanks for your patience and excellent help on this
    >>> one Dominick... :)
    >>>
    >>> I use http://demoapp.mydomain.com
    >>>
    >>> I got kerberos working now between client and webserver by using
    >>> setspn -A HTTP/demoapp.mydomain.com web1
    >>>
    >>> Now I need to setup Kerberos between the web1 and fileserver web2.
    >>> What service am I supposed to use for setspn on the fileserver?
    >>>
    >>> Roger
    >>>
    >>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
    >>> wrote in message
    >>> news:...
    >>>
    >>>> what do you type into IE to open the web app?
    >>>>
    >>>> -----
    >>>> Dominick Baier (http://www.leastprivilege.com)
    >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>> Sorry - didn't see the article yesterday :p
    >>>>>
    >>>>> Excellent article - stepped through the troubleshooting part
    >>>>> - seems the two servers are negotiating NTLM between them....
    >>>>> - seems the client and webserver also negotiated NTLM
    >>>>>
    >>>>> Do you have any ideas on how the SPN should be setup?
    >>>>> The webserver hosting the app is running IIS6 under the "Network
    >>>>> Service" account and is called web1.mydomain.com
    >>>>>
    >>>>> Used LDP to find these SPNs already configured:
    >>>>> servicePrincipalName: SMTPSVC/WEB1;
    >>>>> SMTPSVC/STRA-WEB1.mydomain.com;
    >>>>> HOST/WEB1; HOST/WEB1.mydomain.com;
    >>>>>
    >>>>> Pretty much the same with the filesharing server only the name is
    >>>>> web2:
    >>>>>
    >>>>> Regards,
    >>>>> Roger
    >>>>>
    >>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
    >>>>> wrote in message news:...
    >>>>>> you haven't read the article, did you?
    >>>>>>
    >>>>>> Are you sure your SPNs are setup correctly - are you REALLY using
    >>>>>> Kerberos (check the security event log of the web server for logon
    >>>>>> events - which authentication package do you see?)
    >>>>>>
    >>>>>> -----
    >>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>> Thanks Dominick,
    >>>>>>>
    >>>>>>> 1. The web server is a win2003/iis 6 box - same with the box
    >>>>>>> I've setup the share on for test purposes - both members of our
    >>>>>>> domain
    >>>>>>>
    >>>>>>> 2. I am impersonating and using a domain account to access the
    >>>>>>> site.
    >>>>>>>
    >>>>>>> 3. The site is setup with "Integrated auth"
    >>>>>>>
    >>>>>>> 4. The DC is running as "Windows 2000 native" at the domain
    >>>>>>> functional level
    >>>>>>>
    >>>>>>> 5. The webserver hosting the app is setup as "Trust computer
    >>>>>>> for delegation"
    >>>>>>>
    >>>>>>> Still doesn't work - what is the last piece of the puzzle -
    >>>>>>> anyone.....?? :)
    >>>>>>>
    >>>>>>> Roger
    >>>>>>>
    >>>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
    >>>>>>> wrote in message
    >>>>>>> news:...
    >>>>>>>
    >>>>>>>> well - if you are impersonating _and_ accessing a remote
    >>>>>>>> resource - this is called delegation and works only under
    >>>>>>>> specific pre-reqs:
    >>>>>>>>
    >>>>>>>> - Kerberos authentication (which implies a domain environment)
    >>>>>>>> - Delegation is set up (which is not the default)
    >>>>>>>>
    >>>>>>>> have a look here:
    >>>>>>>>
    >>>>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
    >>>>>>>>
    >>>>>>>> -----
    >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
     
    Dominick Baier, May 8, 2007
    #15
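
Added example, not part of any post in this thread: the Event ID 540 records quoted in post #15 can be checked mechanically for the trace a failed double hop leaves on the file server, where the only network logons from the web server are its machine account and ANONYMOUS LOGON rather than the browsing user. The sample is trimmed from those quoted events; the function names, the verdict strings and the reading of 10.1.1.55 as WEB1's address (taken from the Workstation Name field) are assumptions of this example.

```python
import re

# Trimmed from the Event ID 540 records quoted in the thread (unused fields dropped).
SAMPLE_EVENTS = r"""
Event ID: 540
Date: 2007-05-08
Time: 12:17:02
User: MYDOMAIN\RLA
Computer: WEB1
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 10.1.1.99
-------------------
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: MYDOMAIN\WEB1$
Computer: WEB2
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 10.1.1.55
-------------------
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: WEB2
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB1
Source Network Address: 10.1.1.55
"""


def parse_events(text):
    """Split an event-log text export into one dict of fields per record."""
    events = []
    for block in re.split(r"(?m)^-{5,}[ \t]*$", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events


def classify_hop(events, server, source_ip, expected_user):
    """Report which identities reached `server` over the network from `source_ip`.

    Working delegation shows `expected_user` logging on at the back end.
    A broken double hop shows only the front end's machine account (NAME$)
    and/or ANONYMOUS LOGON.
    """
    identities = set()
    for ev in events:
        if (ev.get("Event ID") == "540" and ev.get("Logon Type") == "3"
                and ev.get("Computer", "").upper() == server.upper()
                and ev.get("Source Network Address") == source_ip):
            identities.add((ev.get("User", ""),
                            ev.get("Authentication Package", "")))

    users = {user.upper() for user, _ in identities}
    if expected_user.upper() in users:
        verdict = "user_identity_arrived"
    elif any(u.endswith("$") or u.endswith("ANONYMOUS LOGON") for u in users):
        verdict = "user_identity_missing"
    else:
        verdict = "no_matching_logons"
    return {"verdict": verdict, "identities": sorted(identities)}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    # First hop: browser (10.1.1.99) -> WEB1. Second hop: WEB1 (10.1.1.55) -> WEB2.
    for server, ip in (("WEB1", "10.1.1.99"), ("WEB2", "10.1.1.55")):
        print(server, classify_hop(evs, server, ip, r"MYDOMAIN\RLA"))
```
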
  16. 1. Used kerbtray.exe and found the flag set to "ok as delegate" for the
    webserver.

    2. WindowsIdentity.GetCurrent().Name gives the correct username....

    *aaarghhhhh*



    "Langedal, Roger" <> wrote in message
    news:%...
    > To me it looks like delegation does not work - I'll try to reboot the damn
    > thing and see if it takes the new setting... :p
    >
    > Roger
     
    Langedal, Roger, May 8, 2007
    #16
  17. ok..turned on Kerberos logging and got this:

    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 3
    Date: 08.05.2007
    Time: 14:11:09
    User: N/A
    Computer: WEB2
    Description:
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 12:11:9.0000 5/8/2007 Z
    Error Code: 0xd KDC_ERR_BADOPTION
    Extended Error: 0xc00000bb KLIN(0)
    Client Realm:
    Client Name:
    Server Realm: MYDOMAIN
    Server Name: host/web2.mydomain
    Target Name: host/web2.mydomain@mydomain
    Error Text:
    File: 9
    Line: ae0
    Error Data is in record data.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
    0008: 0e 04 0c bb 00 00 c0 00 ...»..À.
    0010: 00 00 00 03 00 00 00 .......




    "Langedal, Roger" <> wrote in message
    news:...
    > 1. Used kerbtray.exe and found the flag set to "ok as delegate" for the
    > webserver.
    >
    > 2. WindowsIdentity.GetCurrent().Name gives the correct username....
    >
    > *aaarghhhhh*
    >
    >
     
    Langedal, Roger, May 8, 2007
    #17
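
Added example, not part of the post above: the 23 bytes under "Data:" in the Kerberos Event ID 3 are DER-encoded, and decoding them yields the same 0xc00000bb that the event text prints as "Extended Error". The field layout used here (a type integer plus a 12-byte value read as three little-endian 32-bit words named status, klin and flags) is this example's assumption about the record format, as are all function names.

```python
import struct

# The 23 bytes from the "Data:" dump of the Kerberos Event ID 3 above.
RECORD = bytes.fromhex("".join("""
30 15 a1 03 02 01 03 a2
0e 04 0c bb 00 00 c0 00
00 00 00 03 00 00 00
""".split()))

# A few well-known NTSTATUS codes; extend as needed.
NTSTATUS_NAMES = {
    0xC00000BB: "STATUS_NOT_SUPPORTED",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past the end of the buffer")
    return tag, buf[pos:end], end


def decode_kerb_error_data(record):
    """Decode SEQUENCE { [1] INTEGER type, [2] OCTET STRING value }."""
    tag, seq, _ = read_tlv(record)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE (0x30)")
    data_type, data_value, pos = None, None, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        inner_tag, inner_val, _ = read_tlv(inner)
        if ctx == 0xA1 and inner_tag == 0x02:    # [1] INTEGER
            data_type = int.from_bytes(inner_val, "big", signed=True)
        elif ctx == 0xA2 and inner_tag == 0x04:  # [2] OCTET STRING
            data_value = inner_val
    if data_type is None or data_value is None:
        raise ValueError("missing type or value field")
    if len(data_value) != 12:
        raise ValueError("expected a 12-byte extended-error value")
    # Assumed layout: three little-endian DWORDs.
    status, klin, flags = struct.unpack("<III", data_value)
    return {
        "data_type": data_type,
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "unknown"),
        "klin": klin,
        "flags": flags,
    }


if __name__ == "__main__":
    info = decode_kerb_error_data(RECORD)
    print("type=%d status=0x%08x (%s) klin=%d flags=%d" % (
        info["data_type"], info["status"], info["status_name"],
        info["klin"], info["flags"]))
```
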
  18. Dominick Baier, May 8, 2007
    #18
  19. yes I have..... :-S


    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Do you have SPNs for the below names?
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    >
    >> Server Name: host/web2.mydomain
    >> Target Name: host/web2.mydomain@mydomain

    >
    >
     
    Langedal, Roger, May 8, 2007
    #19