shared folder access

sundeeps

Hi, I have a web application residing on a web server [w]
and a file server. Both servers are part of the same
domain [d].

Now, I want to access shared folders from my web
application, but access should be given only to those
users who have permission on the shared folder.

I set up impersonation in my system and am using Windows
authentication, but I still get an access denied error.

Need help.
 
Steve Jansen

I suggest reading the Patterns & Practices whitepaper "Authentication in
ASP.NET: .NET Security Guidance":
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

Impersonation is not enough to accomplish what you want. You require
account delegation from your physical server running IIS to your physical
server hosting the file share.

Option 1
---------
Your first option is to use Basic Authentication in IIS over SSL. This way,
the inetinfo.exe process has your credentials in plaintext and can log on to
the remote file server on the end-user's behalf.

Option 2
---------
Alternatively, I have gotten this to work before with Windows Authentication,
but it is not straightforward:
1) Enable Windows Authentication in IIS for your web app
2) If you create a virtual directory that maps to your UNC share, manually
delete the UNCUserName and UNCPassword metabase values using adsutil.vbs.
This will remove the UNC user token credentials (something that cannot be
done through inetmgr.exe). Doing so causes IIS to attempt delegation using
the current logon credentials.
3) Even though inetinfo.exe runs as LocalSystem, I had to create an AD
Service Principal Name. First, I had to set the option "Trust this computer
for delegation" for the IIS Computer AD object. Then, I had to issue the
setspn.exe command, which I remember being:

setspn -A HTTP/myhost.mydomain.com myserver

4) For IE clients, I had to add myhost.mydomain.com to the LocalIntranet
zone. I would guess this caused IE to use Kerberos authentication instead
of NTLM. It may have also had something to do with "Automatic Logon in
Intranet Zone only".

Connected IE clients should then browse the remote file share using their
credentials and appropriate ACLs. You should be able to confirm this by
enabling complete auditing of file access for your share and checking the
event viewer. I believe there are major performance implications for this,
due to the increased network activity of IIS performing delegation and UNC
file operations.

Option 3
---------
You can also set the UNCAuthenticationPassthrough metabase attribute to True
to accomplish this. The article at
http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/default.aspx
provides a good discussion of this setting. However, KB 286401 states
that this setting is not supported by MS.

-Steve Jansen
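
An added check script, not Steve's code or a Microsoft sample: it verifies the conditions his Option 2 depends on (no stored UNC credentials on the virtual directory, the IIS computer object trusted for delegation, an HTTP SPN registered) and flags the unsupported Option 3 switch, using the same tools the thread names (adsutil.vbs, setspn.exe) plus ADSI. The virtual directory path W3SVC/1/ROOT/MyShare, the host name MYSERVER and the default adsutil.vbs location are assumptions; myhost.mydomain.com is taken from the setspn line above.

```powershell
# Added example (not from the thread). Assumed values: adjust the first three lines.
$vdir    = 'W3SVC/1/ROOT/MyShare'        # IIS 5/6 metabase path of the virtual directory
$iisHost = 'MYSERVER'                    # NetBIOS name of the IIS computer account
$iisFqdn = 'myhost.mydomain.com'         # host name clients use in the URL
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'

function Get-MetabaseValue([string]$path) {
    # adsutil.vbs GET prints "<name> : (<type>) <value>" when the property is set
    # and an error line when it is not set at that node; return $null in that case.
    $out = & cscript.exe //nologo $adsutil GET $path 2>&1 | Out-String
    if ($out -match ':\s*\((STRING|BOOLEAN|INTEGER)\)\s*(.+)$') { return $Matches[2].Trim() }
    return $null
}

# Option 2, step 2: stored UNC credentials make IIS connect as that one fixed account
# for every caller, so the share ACL never sees the real user. They must be absent.
foreach ($prop in 'UNCUserName', 'UNCPassword') {
    if (Get-MetabaseValue "$vdir/$prop") {
        Write-Warning "$prop is set on $vdir; removing it (inetmgr.exe cannot do this)"
        & cscript.exe //nologo $adsutil DELETE "$vdir/$prop" | Out-Null
    }
}

# Option 2, step 3 (delegation): the IIS computer object needs the
# TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl.
$filter   = "(&(objectClass=computer)(sAMAccountName=$iisHost`$))"
$computer = ([ADSISearcher]$filter).FindOne()
$uac      = [int]$computer.Properties['useraccountcontrol'][0]
if (-not ($uac -band 0x80000)) {
    Write-Warning "$iisHost is not trusted for delegation; enable it on the AD computer object"
}

# Option 2, step 3 (SPN): without an HTTP SPN, clients fall back to NTLM, and an NTLM
# logon token cannot be delegated onward to the file server.
$spns = & setspn.exe -L $iisHost
if (-not ($spns -match "^\s*HTTP/$([regex]::Escape($iisFqdn))$")) {
    Write-Warning "no HTTP SPN for $iisFqdn; register it with: setspn -A HTTP/$iisFqdn $iisHost"
}

# Option 3: report the unsupported pass-through setting if someone has enabled it.
if ((Get-MetabaseValue "$vdir/UNCAuthenticationPassthrough") -eq 'True') {
    Write-Warning "UNCAuthenticationPassthrough is True on $vdir (unsupported per KB 286401)"
}
```

Run it on the IIS server with domain administrator rights; each warning names the step of Option 2 that is still incomplete.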

Guest

Thanks Steve. Your options are really logical. However, I
tried with the basic authentication, as we are on the intranet
and it's OK for us to pass it in plain text too, but it seems it
doesn't work.

Also, I am not able to delete the UNC parameters as
you did.

Steve Jansen

Did you use adsutil.vbs to delete the UNC parameters, or did you try to use
the GUI tool (inetmgr.exe)?


sandy

I tried using adsutil.vbs!