kjmcad (Member)
Access Denied - CreateDirectory
Apr 17, 2012 09:14 PM
I have an ASP.NET application that has a button. When you click the button it has one line where is creates a sub-directory in a directory I have Full Control to through an AD group on another server (NOT the web server).
When I click the button I get an Access Denied error to the sub-directory.
Impersonate is set to true in the web.config.
Authentication is Windows.
WindowsIdentity is set to me.
What is wrong?
BrockAllen (All-Star, MVP)
Re: Access Denied - CreateDirectory
Apr 17, 2012 09:22 PM
If you want the impersonation to flow across the network then you need to configure delegation. Typically this means you configure IIS' app pool to use a domain account, set up an SPN and then configure in AD that account for constrained delegation to the other server in the network.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
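The three steps in the reply above (domain account for the app pool, HTTP SPN on that account, Kerberos-only constrained delegation to the file server) are normally done with appcmd, setspn and the AD Users and Computers "Delegation" tab. The following is an added example, not code from this thread, that performs the same steps from C# so the page stays in one language; the pool name, service account, DNs and host names are assumptions.

```csharp
using System;
using System.DirectoryServices;          // System.DirectoryServices.dll
using Microsoft.Web.Administration;      // Microsoft.Web.Administration.dll (IIS 7+)

// Added example: configure the IIS app pool identity, register the HTTP SPNs
// and allow constrained delegation to the file server's CIFS service.
// Run once, elevated, on the web server by an account allowed to edit the
// service account object in AD. All names below are assumptions.
public static class DelegationSetup
{
    const string AppPool      = "MyAppPool";                                                        // assumed
    const string SvcAccount   = @"CORP\svc-webapp";                                                 // assumed
    const string SvcAccountDn = "LDAP://CN=svc-webapp,OU=Service Accounts,DC=corp,DC=example,DC=com"; // assumed
    const string WebHost      = "web01.corp.example.com";                                           // assumed, the site's host name
    const string FileHost     = "files01.corp.example.com";                                         // assumed, server "C" holding the share

    // Step 1: run the application pool as the domain service account.
    public static void SetAppPoolIdentity(string password)
    {
        using (var iis = new ServerManager())
        {
            ApplicationPool pool = iis.ApplicationPools[AppPool];
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
            pool.ProcessModel.UserName = SvcAccount;
            pool.ProcessModel.Password = password;
            iis.CommitChanges();
        }
    }

    // Steps 2 and 3: SPNs so the browser can get a Kerberos ticket for the site,
    // then msDS-AllowedToDelegateTo so that ticket can be forwarded, but only to
    // the CIFS service on the one file server.
    public static void ConfigureDelegation()
    {
        using (var account = new DirectoryEntry(SvcAccountDn))
        {
            // Register FQDN and short name; a duplicate SPN anywhere in the forest
            // breaks Kerberos for the site, so check with `setspn -X` first.
            AddIfMissing(account.Properties["servicePrincipalName"], "HTTP/" + WebHost);
            AddIfMissing(account.Properties["servicePrincipalName"], "HTTP/" + WebHost.Split('.')[0]);

            // Constrained delegation (the "Use Kerberos only" option in ADUC).
            // Do not set TRUSTED_FOR_DELEGATION (unconstrained) for this; it lets the
            // web server impersonate every user who visits it to any service.
            AddIfMissing(account.Properties["msDS-AllowedToDelegateTo"], "cifs/" + FileHost);
            account.CommitChanges();
        }
    }

    static void AddIfMissing(PropertyValueCollection values, string value)
    {
        if (!values.Contains(value)) values.Add(value);
    }
}
```

Two things to check afterwards: the browser must actually negotiate Kerberos rather than NTLM (an NTLM logon on the web server cannot be delegated no matter what AD says), and because the pool runs as a custom account, IIS kernel-mode authentication must be told to use the pool's credentials (`useAppPoolCredentials="true"` under `system.webServer/security/authentication/windowsAuthentication`) or be turned off, otherwise the HTTP ticket is decrypted with the machine account's key and fails.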
kjmcad (Member)
Re: Access Denied - CreateDirectory
Apr 18, 2012 12:51 PM
That does make sense to me.
The application is running under my account. Remember WindowsIdentity on the web server is set to my account. (Impersonate = true, Authentication = Windows)
I can click the button and have it open the folder in Windows Explorer. So I have access to the parent.
If I create a subfolder in the folder. I can click the button and have it open the subfolder in Windows Explorer
I can do all this using C# code.
Only when I try to create a subfolder using C# does it tell me Access Denied. But I have Read, Write and Modify permissions.
Do not understand why this does not work.
BrockAllen (All-Star, MVP)
Re: Access Denied - CreateDirectory
Apr 18, 2012 01:14 PM
Like I said before, if you are authenticating to the web server from a domain account then the token created for you is only allowed to perform impersonation which means local-only access as the user. The token can't be used to then further authenticate on the network (this is called delegation). To allow delegation you have to do all those steps I listed earlier.
From your original post this is what it sounds like to me.
BrockAllen (All-Star, MVP)
Re: Access Denied - CreateDirectory
Apr 18, 2012 01:16 PM
So the one thing that's a little strange from your post -- you say that you have read access to other parts of the file share? So here's a test -- disable Windows authentication and see if the code can still read the file share. In other words, see if the account running the web server is the account being used for authentication for the file share and not the browser user.
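The two replies above turn on facts the page can be made to print: what the thread's token is allowed to do (impersonation only, or delegation) and which identity is active when `CreateDirectory` is attempted. The following is an added diagnostic, not code from this thread, that a practitioner would drop into the failing page to answer both questions at once; the share path is an assumption.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;

// Added diagnostic: report the impersonated identity, its token's impersonation
// level, the process (app pool) identity underneath it, and the outcome of a
// CreateDirectory on the share. Call Run() from the button handler and write
// the result to the page or a log.
public static class DoubleHopProbe
{
    // Assumed UNC path of the parent folder on server "C".
    const string ParentUnc = @"\\files01\share\projects";

    public static string Run()
    {
        var report = new StringBuilder();

        // With <identity impersonate="true"/> this is the browser user;
        // without it, it is the app pool account.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        report.AppendFormat("Thread identity : {0}\n", thread.Name);
        report.AppendFormat("Auth type       : {0}\n", thread.AuthenticationType); // "NTLM", "Kerberos", "Negotiate"
        report.AppendFormat("Token level     : {0}\n", thread.ImpersonationLevel);
        // TokenImpersonationLevel.Impersonation : usable on this box only (the
        //   situation described above, the token cannot authenticate to C).
        // TokenImpersonationLevel.Delegation    : may be forwarded to C.

        // Revert to self for a moment to see the process identity, i.e. the
        // app pool account the test in the reply above is trying to isolate.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            report.AppendFormat("Process identity: {0}\n", WindowsIdentity.GetCurrent().Name);
        }

        // Now the actual operation, under the impersonated token.
        report.Append(TryCreate(Path.Combine(ParentUnc, "probe-" + Guid.NewGuid().ToString("N"))));
        return report.ToString();
    }

    static string TryCreate(string path)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        try
        {
            Directory.CreateDirectory(path);
            Directory.Delete(path);
            return "CreateDirectory as " + who + ": OK\n";
        }
        catch (UnauthorizedAccessException ex)
        {
            // "who" is the thread identity on the web server. Which account the
            // file server really authenticated is in its Security log (event 4624
            // on Server 2008+, account name and logon type), which is the
            // authoritative answer to "is it the pool account or the user?".
            return "CreateDirectory as " + who + ": " + ex.Message + "\n";
        }
    }
}
```

Reading works while creating fails is consistent with the share ACL granting read to a broad principal (for example Everyone or Authenticated Users) that the web server's credentials satisfy, while write requires the group the browser user is in; comparing the file server's 4624 event for the read with the one for the failed create shows whether the same account was used for both.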
kjmcad (Member)
Re: Access Denied - CreateDirectory
Apr 18, 2012 02:45 PM
Does not work if I disable windows authentication.
BrockAllen (All-Star, MVP)
Re: Access Denied - CreateDirectory
Apr 19, 2012 12:51 AM
Hmm, I'm a little confused then... so it sounds like your windows authentication is allowing a certain amount of remote access to the network share. Are you running your browser on the same machine as the web server?
kjmcad (Member)
Re: Access Denied - CreateDirectory
Apr 19, 2012 02:30 AM
No I am running my browser from the client machine.
Steven Cheng... (Contributor, Microsoft, Moderator)
Re: Access Denied - CreateDirectory
Apr 19, 2012 06:32 AM
Hi kjmcad,
I think the analysis (by BrockAllen) about the Windows identity forwarding limitation across multiple server boundaries is reasonable.
Actually, based on your description, you're hitting a typical "double hop" case when using Windows authentication in a multi-tier application. So the basic view is as below:
A -----> B ------> C
A is the client browser
B is the webserver hosting your ASP.NET web app
C is the remote resource (file share or SQL database which requires a certain authenticated user to access)
A, B, C are all on different machines. Then when your ASP.NET web app on B is using Windows authentication (and without using Kerberos delegation over the entire processing line from A to C), the user identity of the client user on machine A can be obtained by the ASP.NET web app on server B, but cannot be further forwarded to machine C. What machine C will get is the account under which your ASP.NET web application is running on B (not the impersonated user account forwarded from A).
Here are some references about the double hop issue:
#IIS, Windows Authentication and the Double Hop issue
http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx
#The Double-Hop Problem
http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx
And some workarounds exist, for example using a fixed account on the B machine to access other remote resources (like the file share in your case); you can also programmatically impersonate a fixed account (with username/password). For example:
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ff647404.aspx
Microsoft One Code Framework
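The fixed-account workaround mentioned above is the one most people end up with when Kerberos delegation is not an option. The following is an added example, not code from this thread or from the linked MSDN article, of doing it programmatically on .NET Framework with `LogonUser` and `WindowsIdentity.Impersonate`; the account, domain and share path are assumptions supplied by the caller.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: create a sub-directory on a remote share as a fixed domain
// account, independent of the browser user's (non-delegable) token.
public static class FixedAccountShareAccess
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // LOGON32_LOGON_NEW_CREDENTIALS keeps the local identity and uses the supplied
    // credentials only for outbound network connections, which is all a UNC write
    // needs. It is only valid with LOGON32_PROVIDER_WINNT50, and the credentials
    // are not verified until the first network call, so a bad password surfaces as
    // an access-denied on CreateDirectory, not as a LogonUser failure.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    public static void CreateSubdirectory(string parentUnc, string name,
                                          string domain, string user, string password)
    {
        // The file server's ACL now only ever sees the service account, so the
        // application has to do its own authorization and input checks. Reject
        // anything that is not a plain folder name (no separators, no "..").
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name) || name == "." || name == ".."
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Folder name must be a single path component.", "name");

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            // Replaces the thread's current (browser user) token for the scope of
            // the using block; Dispose restores it even if CreateDirectory throws.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                Directory.CreateDirectory(Path.Combine(parentUnc, name));
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Usage from the button handler (values are assumptions):
//   if (!User.IsInRole(@"CORP\ProjectEditors")) throw new UnauthorizedAccessException();
//   FixedAccountShareAccess.CreateSubdirectory(@"\\files01\share\projects", folderName,
//       "CORP", "svc-webapp", password);   // password read from a protected config section
```

Because every write to the share is now attributed to one account, keep that account's permissions to the single folder it needs, keep the `User.IsInRole` check in front of the call so the browser user's group membership still decides who may create folders, and store the password in an encrypted configuration section (`aspnet_regiis -pe`) or DPAPI rather than in plain text in web.config.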
BrockAllen (All-Star, MVP)
Re: Access Denied - CreateDirectory
Apr 24, 2012 07:47 PM
Sorry -- just got back from vacation. Any update to this kjmcad?