System.UnauthorizedAccessException

Discussion in 'ASP .Net Security' started by Manuel, Jun 5, 2009.

  1. Manuel

    Manuel Guest

    Hi,

    An ASP.NET web page developed using Visual Studio 2008 with .NET Framework
    3.5 cannot access a network file
    \\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\NTMAIL\Received\i0067758.zip
    When I debug the application using Visual Studio on my local machine it
    works correctly, but when I publish the application a
    System.UnauthorizedAccessException occurs.

    Please help
     
    Manuel, Jun 5, 2009
    #1

  2. Hi Manuel,
    It's a double hop issue. When you debug your application in Visual Studio
    the thread's identity is your domain account, which has access permission
    to the shared file. However, when you host your application on IIS the
    default identity of the thread is the NetworkService account (IIS 6+). To
    use the domain account to access the file one way is to use Basic
    authentication and turn on impersonation
    (http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx).

    More documentation about double hop and solutions:

    http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
    http://drowningintechnicaldebt.com/blogs/shawnweisfeld/archive/2006/12/06/The-_1C20_Double-Hop_1D20_-Issue.aspx
    http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx
    http://support.microsoft.com/kb/910449
    http://support.microsoft.com/kb/891031
    http://support.microsoft.com/kb/810572
    http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.asp?url=/servicedesks/webcasts/en/WC102704/manifest.xml

    Regards,
    Allen Chen
    Microsoft Online Support

     
    Allen Chen [MSFT], Jun 8, 2009
    #2

  3. Manuel

    Manuel Guest

    Hello Allen,

    I have a cast exception at runtime

    System.Security.Principal.WindowsImpersonationContext impersonationContext;

    impersonationContext =
    ((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();

    please help
    thank you
     
    Manuel, Jun 8, 2009
    #3
  4. Hi Manuel,
    Could you provide the detailed description of this exception?

    If you want to use Basic Authentication to resolve this issue you can try
    this:

    1. Enable Basic Authentication for this web site in IIS and disable other
    authentication.

    2. Add the following setting in web.config:
    <system.web>
    <identity impersonate="true"/>

    ..
    </system.web>

    Could you try the above to see if it works?

    Regards,
    Allen Chen
    Microsoft Online Support
     
    Allen Chen [MSFT], Jun 9, 2009
    #4
  5. Manuel

    Tony201 Guest

    Manuel,

    In order for you to impersonate over a double hop, you need to set up
    delegation for your app pool account and create (if they don't already exist)
    SPNs for your application and the file server. The application SPN should
    look like HTTP/FQDN_of_website and the file server SPNs should look something
    like CIFS/servername.

    Tony
     
    Tony201, Jun 9, 2009
    #5
  6. Manuel

    Manuel Guest

    It works well, thank you very much !

     
    Manuel, Jun 9, 2009
    #6
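
Added example, not part of the thread or any poster's code: a C# diagnostic for the impersonation and double-hop problem discussed above. It inspects the request identity without the hard cast shown in post #3, impersonates it, and reports which account actually attempted the UNC read. `DoubleHopCheck` and the UNC path are assumptions; in a page you would pass `HttpContext.Current.User.Identity`.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example; DoubleHopCheck and the UNC path below are illustrative names.
public static class DoubleHopCheck
{
    // Summarise the identity that would be handed to Impersonate().
    public static string Describe(IIdentity identity)
    {
        // 'as' instead of a hard cast: under Forms or anonymous access the
        // request identity is not a WindowsIdentity and a cast would throw.
        var win = identity as WindowsIdentity;
        if (win == null)
            return "not a Windows identity (" + identity.GetType().Name + ")";
        if (win.IsAnonymous)
            return "anonymous Windows identity";
        // Per TokenImpersonationLevel: Impersonation is valid on the local
        // system, Delegation on remote systems, None means a primary token.
        return win.Name + ", auth=" + win.AuthenticationType + ", level=" + win.ImpersonationLevel;
    }

    // Impersonate the caller, attempt the read, and always revert.
    public static string TryRead(IIdentity identity, string uncPath)
    {
        var win = identity as WindowsIdentity;
        if (win == null || win.IsAnonymous)
            return "cannot impersonate: " + Describe(identity);
        using (win.Impersonate()) // Dispose() reverts to the previous identity
        {
            string who = WindowsIdentity.GetCurrent().Name;
            try
            {
                using (File.OpenRead(uncPath)) { return "read ok as " + who; }
            }
            catch (UnauthorizedAccessException) { return "access denied as " + who + " [" + Describe(win) + "]"; }
            catch (IOException e) { return "I/O error as " + who + ": " + e.Message; }
        }
    }

    public static void Main()
    {
        // Constructed inputs: a non-Windows identity, then the process identity.
        Console.WriteLine(Describe(new GenericIdentity("forms-user")));
        Console.WriteLine(TryRead(WindowsIdentity.GetCurrent(), @"\\fileserver.example\share\sample.zip"));
    }
}
```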