System.UnauthorizedAccessException

[Manuel]

Hi,

a asp.net web page developed using visual studio 2008 with .net framework
3.5 can not access to a network file
\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\NTMAIL\Received\i0067758.zip
When I debug the application using visual studio on my local machine it
works correctly but when I publish the application a
System.UnauthorizedAccessException occurs

Please help

 

[Allen Chen [MSFT]]

Hi Manuel,

a asp.net web page developed using visual studio 2008 with .net framework
3.5 can not access to a network file
\\192.168.1.195\SERVICE\CONDIVISIONI\GENERALE\Its\NTMAIL\Received\i0067758. zip
When I debug the application using visual studio on my local machine it
works correctly but when I publish the application a
System.UnauthorizedAccessException occurs

It's a double hop issue. When you debug your application in Visual Studio
the thread's identity is your domain account, which has access permission
to the shared file. However, when you host your application on IIS the
default identity of the thread is the NetworkService account (IIS 6+). To
use the domain account to access the file one way is to use Basic
authentication and turn on impersonation
(http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx).

More documentations about double hop and solution:

http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
http://drowningintechnicaldebt.com/blogs/shawnweisfeld/archive/2006/12/06/Th
e-_1C20_Double-Hop_1D20_-Issue.aspx
http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx
http://support.microsoft.com/kb/910449
http://support.microsoft.com/kb/891031
http://support.microsoft.com/kb/810572
http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.a
sp?url=/servicedesks/webcasts/en/WC102704/manifest.xml

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Manuel]

Hello Allen,

I have a cast exception at runtime

System.Security.Principal.WindowsImpersonationContext impersonationContext;

impersonationContext =
((System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();

please help
thank you

 

[Allen Chen [MSFT]]

Hi Manuel,

I have a cast exception at runtime

Could you provide the detailed description of this exception?

If you want to use Basic Authentication to resolve this issue you can try
this:

1. Enable Basic Authentication for this web site in IIS and disable other
authentication.

2. Add following setting in web.config:
<system.web>
<identity impersonate="true"/>

..
</system.web>

Could you try above way to see if it works?

Regards,
Allen Chen
Microsoft Online Support

 

[Tony201]

Manuel,

In order for you to impersonate over a double hop, you need to setup
delegation for your app pool account and create (if they don't already exist)
SPNs for your application and the file server. The application SPN should
look like HTTP/FQDN_of_website and the file server SPNs should look something
like CIFS/servername.

Tony

 

[Manuel]

It works well, thank you very much !

Hi Manuel,


Could you provide the detailed description of this exception?

If you want to use Basic Authentication to resolve this issue you can try
this:

1. Enable Basic Authentication for this web site in IIS and disable other
authentication.

2. Add following setting in web.config:
<system.web>
<identity impersonate="true"/>

..
</system.web>

Could you try above way to see if it works?

Regards,
Allen Chen
Microsoft Online Support