Last post Apr 24, 2012 04:40 PM by kjmcad
Apr 17, 2012 05:14 PM|kjmcad|LINK
I have an ASP.NET application that has a button. When you click the button it has one line where it creates a sub-directory in a directory I have Full Control to through an AD group on another server (NOT the web server).
When I click the button I get an Access Denied error to the sub-directory.
Impersonate is set to true in the web.config.
Authentication is Windows.
WindowsIdentity is set to me.
What is wrong?
Apr 17, 2012 05:22 PM|BrockAllen|LINK
If you want the impersonation to flow across the network then you need to configure delegation. Typically this means you configure IIS' app pool to use a domain account, set up an SPN and then configure that account in AD for constrained delegation to the other server in the network.
Apr 18, 2012 08:51 AM|kjmcad|LINK
That does make sense to me.
The application is running under my account. Remember WindowsIdentity on the web server is set to my account. (Impersonate = true, Authentication = Windows)
I can click the button and have it open the folder in Windows Explorer. So I have access to the parent.
If I create a subfolder in the folder, I can click the button and have it open the subfolder in Windows Explorer.
I can do all this using C# code.
Only when I try to create a subfolder using C# does it tell me Access Denied.
But I have Read, Write and Modify permissions.
Do not understand why this does not work.
Apr 18, 2012 09:14 AM|BrockAllen|LINK
Like I said before, if you are authenticating to the web server from a domain account then the token created for you is only allowed to perform impersonation, which means local-only access as the user. The token can't be used to then further authenticate on the network (this is called delegation). To allow delegation you have to do all those steps I listed earlier.
From your original post this is what it sounds like to me.
Apr 18, 2012 09:16 AM|BrockAllen|LINK
So the one thing that's a little strange from your post -- you say that you have read access to other parts of the file share? So here's a test -- disable windows authentication and see if the code can still read the file share. In other words, see if the account running the web server is the account being used for authentication for the fileshare and not the browser user.
Apr 18, 2012 10:45 AM|kjmcad|LINK
Does not work if I disable windows authentication.
Apr 18, 2012 08:51 PM|BrockAllen|LINK
Hmm, I'm a little confused then... so it sounds like your windows authentication is allowing a certain amount of remote access to the network share. Are you running your browser on the same machine as the web server?
Apr 18, 2012 10:30 PM|kjmcad|LINK
No I am running my browser from the client machine.
Apr 19, 2012 02:32 AM|Steven Cheng - MSFT|LINK
I think the analysis (by BrockAllen) about the windows identity forwarding limitation across multiple server boundaries is reasonable.
Actually, based on your description, you're hitting a typical "double hop" case when using windows authentication in a multiple-tier application. So the basic view is as below:
A -----> B ------> C
A is the client browser
B is the webserver hosting your ASP.NET web app
C is the remote resource (file share or sql database which requires a certain authenticated user to access)
A, B, C are all on different machines. When your ASP.NET web on B is using windows authentication (and without using kerberos delegation over the entire processing line from A to C), the user identity of the client user on machine A can be obtained by the ASP.NET web app on server B, but cannot be further forwarded to machine C. What machine C will get is the account under which your ASP.NET web application is running on B (not the impersonated user account forwarded from A).
Here are some references about the double hop issue:
#IIS, Windows Authentication and the Double Hop issue
#The Double-Hop Problem
And some workarounds exist. For example:
#How To: Use Impersonation and Delegation in ASP.NET 2.0
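The two explanations above (BrockAllen's point that an impersonation-only token cannot authenticate to another machine, and Steven Cheng's A -> B -> C double-hop picture) can be checked from inside the page itself before touching any delegation settings. The following button handler is an added example, not code from this thread or from the original poster: it reports which Windows identity the request is running as on server B, reads the token's impersonation level (anything below `Delegation` means the token will not be forwarded to server C), and then attempts the directory creation so the resulting `UnauthorizedAccessException` is tied to that identity in the same log line. It assumes a WebForms page with a Button named `btnCreate` and a Label named `lblResult`; the UNC path is a placeholder.

```csharp
// Added diagnostic example (not from the thread). Assumptions: WebForms page with
// controls btnCreate and lblResult; ShareRoot is a placeholder UNC path.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class CreateFolder : Page
{
    // Placeholder; replace with the real share path on server C.
    private const string ShareRoot = @"\\FILESERVER\share\parent";

    protected void btnCreate_Click(object sender, EventArgs e)
    {
        // With <identity impersonate="true"/> and Windows authentication this is
        // the browser user's token as it exists on the web server (B).
        WindowsIdentity current = WindowsIdentity.GetCurrent();

        // The impersonation level says how far the token may be used:
        //   Impersonation -> usable on this machine only
        //   Delegation    -> B may authenticate to C on the user's behalf
        //   None          -> a primary token, i.e. the app pool account, not an
        //                    impersonated user
        TokenImpersonationLevel level = current.ImpersonationLevel;

        string report = string.Format(
            "Request user: {0}; thread identity: {1}; token level: {2}.",
            User.Identity.Name, current.Name, level);

        if (level != TokenImpersonationLevel.Delegation)
        {
            // Without delegation, C will not receive the impersonated user's
            // credentials, so an ACL granted to that user on C does not help.
            report += " Token cannot hop to the file server; expect Access Denied"
                    + " until delegation is configured for the app pool account.";
        }

        try
        {
            string subDir = Path.Combine(
                ShareRoot, "sub-" + DateTime.UtcNow.ToString("yyyyMMddHHmmss"));
            Directory.CreateDirectory(subDir);
            report += " Created " + subDir;
        }
        catch (UnauthorizedAccessException ex)
        {
            // This is the failure described in the thread; the report now shows
            // exactly which identity and token level produced it.
            report += " CreateDirectory failed: " + ex.Message;
        }
        catch (IOException ex)
        {
            report += " CreateDirectory I/O error: " + ex.Message;
        }

        lblResult.Text = Server.HtmlEncode(report);
    }
}
```

If the label shows the browser user's name with a token level of `Impersonation`, the thread's diagnosis applies: the identity is correct on B but is not allowed to travel to C, and the fix is the app-pool domain account, SPN and constrained-delegation configuration BrockAllen described rather than any change to the share's ACL. If the level is `None`, impersonation is not actually taking effect for this request and the web.config should be checked first.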
Apr 24, 2012 03:47 PM|BrockAllen|LINK
Sorry -- just got back from vacation. Any update to this?
Apr 24, 2012 04:40 PM|kjmcad|LINK
No. I gave up on it. Could not figure it out. I pushed it off until phase 2 of the application. I think what I am going to do is the impersonation & delegation mentioned earlier.