Joseph Geretz
I'm having a credentialing problem in my web application. Actually, I don't
think this is an IIS security issue, since I'm able to access the page I'm
requesting. However, the executing page itself is not able to access a
specific network resource and I just can't figure out why. First of all, let
me say this worked fine with IIS running on Win2000 Server. This has not
worked since I upgraded to Windows Server 2003.
My Platform: Windows Server 2003 / IIS6 / .Net Framework v1.1.4322
My web site has a virtual directory named FPSNowAuth. This virtual directory
disallows anonymous access and is set to use Windows Integrated security.
Thus every page access from this virtual directory must either be
authenticated or fail.
Here are the relevant blocks from the Web.config file:
<authentication mode="Windows" />
<identity impersonate="true" userName="" password=""/>
Thus, code executing in the context of a page request should be executing in
the security context of the authenticated user. Here's a snippet from the
log file:
2004-04-22 04:28:34 192.168.1.3 GET /FPSNowAuth/browser.aspx
dir=ftp/Dimension 81 INTDOM\Boss 192.168.1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705) 200
As you can see, I accessed the page '/FPSNowAuth/browser.aspx' with the
querystring 'dir=ftp/Dimension' appended to the URL. I authenticated as
INTDOM\Boss, the Domain Administrator. HTTP Status was 200. The page request
succeeded. However...
browser.aspx is a .NET page which returns a directory listing of the
directory identified by the dir querystring parameter, in this case
ftp/Dimension. (For a practical example of this, you may check out
www.fpsnow.com/browser.aspx?dir=ftp/download. This is the public area of my
site.) FPSNowAuth/ftp/Dimension is mapped to a network fileshare
\\Dimension\User. Here we get to the heart of the problem.
When I'm on the server, browsing the virtual directory in the IIS console, I
can see all the folders and files subordinate to \\Dimension\User. When I
hit this page from a browser on the server, I get a nicely formatted listing
of these folders and files, generated by browser.aspx. However, when I hit
this page from a browser on any other workstation, I get the following
runtime error during the course of the page execution:
Access to path \\Dimension\User is denied.
This despite the fact that I have authenticated as INTDOM\Boss, as shown in
the log file snippet. So running under the identity of INTDOM\Boss, why the
heck am I denied access to a network resource?
For the .NET developers among us, here's the line of code which throws the
exception:
DirectoryInfo[] Dirs = DirInfo.GetDirectories();
The directory indicated by DirInfo is \\Dimension\User\. Prior to executing
this line, I've already checked to ensure that Request.IsAuthenticated ==
true. I've stepped through this in debug mode and confirmed that it is
indeed true (as the log file entry indicates).
So, I'm baffled. The page is executing under the identity of the domain
admin, yet I get an access denied when attempting to access a network
resource. Any ideas?
Thanks for any assistance which you can offer.
- Joe Geretz -
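
A diagnostic for the failing call, as an added example that is not part of the original post: Request.IsAuthenticated describes the HTTP request, while GetDirectories() is authorized against the Windows token on the executing thread, so this reports both alongside the outcome of the listing. IdentityProbe and Describe are hypothetical names, and only .NET Framework 1.1 APIs are assumed.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added diagnostic sketch; IdentityProbe and Describe are hypothetical names.
public class IdentityProbe
{
    // requestUser: the name ASP.NET reports for the request
    //              (in a page: Context.User.Identity.Name).
    // path:        the directory the page is about to list.
    public static string Describe(string requestUser, string path)
    {
        // The Windows token the current thread presents to the file system.
        WindowsIdentity effective = WindowsIdentity.GetCurrent();
        string nl = Environment.NewLine;
        string report =
            "Request user      : " + requestUser + nl +
            "Effective identity: " + effective.Name + nl +
            "Token auth type   : " + effective.AuthenticationType + nl +
            "Target is UNC     : " + path.StartsWith(@"\\") + nl;

        try
        {
            DirectoryInfo[] dirs = new DirectoryInfo(path).GetDirectories();
            report += "Result            : listed " + dirs.Length + " directories";
        }
        catch (UnauthorizedAccessException ex)
        {
            // Same exception type the post reports for \\Dimension\User.
            report += "Result            : denied (" + ex.Message + ")";
        }
        catch (IOException ex)
        {
            report += "Result            : I/O error (" + ex.Message + ")";
        }
        return report;
    }

    public static void Main()
    {
        // Constructed sample call so the class runs stand-alone from a console.
        // Inside browser.aspx, pass Context.User.Identity.Name and the share path.
        Console.WriteLine(Describe(Environment.UserName, Environment.CurrentDirectory));
    }
}
```

Comparing the report from a browser on the server with the report from a remote workstation shows whether the effective identity or the token's authentication type differs between the working and failing cases.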