MVC File Upload - Shared Drive directory permissions
Mar 01, 2019 08:16 PM | kj27
Apologies in advance for the newbie question - as this is a fairly straightforward operation.
I'm trying to migrate my intranet MVC application to production. One of its features is that it allows users to upload files. This is very simple - after a user selects a file, it is saved using the HttpPostedFileBase.SaveAs() method.
The application itself has Windows Authentication enabled along with Impersonation (authenticated user). For development purposes, I was uploading to a local location and of course everything is working as expected. But for production, we've allocated space on a network share. The Application Pool uses ApplicationPoolIdentity.
My question is which users are supposed to get permission to the shared directory? Should it be the individual Windows accounts (we can put them into an AD group to simplify management) or do we just give access to IIS_IUSRS? (I believe the latter is a security hole). Or is there a different solution altogether?
Apologies in advance if I'm missing information needed for making an assessment - please let me know your thoughts.
Best Regards.
Re: MVC File Upload - Shared Drive directory permissions
Mar 04, 2019 07:19 AM | Brando ZWZ
Hi kj27,
As far as I know, the web application will use the identity pool account to access the shared folder. Like below: IIS_Apppool {your application pool name}.
If you want to upload the file to the shared folder, you should make sure your ASP.NET identity account has permission on this network folder and make sure the account is in the Access this computer from the network group on the remote server.
If you don't want to use the ASP.NET IIS application pool account, you could use Impersonation to achieve your requirement.
For more details, you could refer to the articles below:
http://aspalliance.com/336_Upload_Files_Using_ASPNET_Impersonation_and_UNC_Share.all
https://stackoverflow.com/a/5985299/7609093
Best Regards,
Brando
Re: MVC File Upload - Shared Drive directory permissions
Mar 05, 2019 01:57 PM | PatriceSc
Hi,
If impersonation is enabled your code should run with the user identity but it might be difficult to reuse this user identity to access network resources for safety reasons (else from a web app you could act as a user for everything). You don't have the user name as part of the error message when you try? Do you really need impersonation?
See for example https://stackoverflow.com/questions/2646644/asp-net-impersonate-user-for-network-resource-access. In short, you need to authorize reusing the user identity to access non-local resources...
Usually you grant access to the application and you make sure only allowed users can use your app.
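
The "grant access to the application, restrict who can use the app" approach from the last reply, sketched as an MVC action. This is an added example, not code from any poster in the thread; the `CONTOSO\UploadUsers` group, the `\\fileserver\uploads` path and the extension allow-list are placeholder assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Added example: group name, UNC path and allow-list below are placeholders.
public class UploadController : Controller
{
    private const string ShareRoot = @"\\fileserver\uploads";
    private static readonly string[] AllowedExtensions = { ".pdf", ".docx", ".xlsx" };

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = @"CONTOSO\UploadUsers")] // only members of this AD group may upload
    public ActionResult Upload(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength == 0)
            return new HttpStatusCodeResult(400, "No file supplied");

        // Keep only the leaf name so a client-supplied path cannot escape the share root.
        string leaf = Path.GetFileName(file.FileName);
        string ext = Path.GetExtension(leaf).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            return new HttpStatusCodeResult(400, "File type not allowed");

        // Store under a server-generated name; the client's name never reaches the
        // file system, which also prevents overwriting another user's upload.
        string storedName = Guid.NewGuid().ToString("N") + ext;
        string target = Path.Combine(ShareRoot, storedName);

        // With impersonation enabled the request thread carries the caller's token.
        // Impersonate(IntPtr.Zero) reverts to the worker-process identity for this
        // block, so the share needs write access for one account only (the app
        // pool identity; a built-in ApplicationPoolIdentity authenticates to remote
        // servers as the web server's computer account). Disposing the context
        // restores the caller's token.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            file.SaveAs(target);
        }

        return Content("Stored as " + storedName);
    }
}
```

If impersonation is switched off in web.config, the `using` block is unnecessary because the request already runs as the application pool identity.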