Re: UNC file share and NTLM user identity
From: Mike Moore [MSFT] (michmo@online.microsoft.com)
Date: 04/11/03
- Next message: Mike Moore [MSFT]: "Re: UNC file share and NTLM user identity"
- Previous message: Rob Edwards: "Impersonation/Authentication Frustration"
- In reply to: Michael Leung: "RE: UNC file share and NTLM user identity"
- Next in thread: Mike Moore [MSFT]: "Re: UNC file share and NTLM user identity"
- Reply: Mike Moore [MSFT]: "Re: UNC file share and NTLM user identity"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mike Moore [MSFT]" <michmo@online.microsoft.com> Date: Fri, 11 Apr 2003 13:11:17 -0700
Hi Michael,
[Note: I first posted the below yesterday afternoon. Unfortunately, it has
not shown up in the newsgroups. So, I'm reposting now]
I talked to several people previously, but all folks who focus on ASP.NET.
Your additional questions prompted me to talk to folks who focus on IIS and
clustered servers.
The "general" suggestion is to replicate your web content on each server.
With a large number of servers (you mentioned 20) this "generally" results
in better reliability than one central cluster.
Your specific issue of one server failing can be resolved by changing
your handling of sessions to avoid server affinity. ASP.NET offers two
built-in solutions: "StateServer mode" and "SQLServer mode". Both of these
allow you to store session data on a central server. I've referenced some
articles for you below.
I've also asked my coworker, Karl, to join this conversation. He has
expertise in both IIS and clustering. He will add his post to this thread
tomorrow.
Here are some session state references.
* Very brief info including StateServer and SQLServer modes
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfsessionstatesection.asp
* More detailed info
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsessionstate.asp
* Article discussing StateServer and SQLServer modes
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspnet/html/asp12282000.asp
---
Please continue monitoring this thread for more comments from Karl tomorrow.

Thank you, Mike Moore
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

"Michael Leung" <kmleung@hec.com.hk> wrote in message
news:04fd01c2ff21$395153b0$a101280a@phx.gbl...
> Hi Mike Moore,
>
> Thanks for your effort and I am looking forward to your
> results.
>
> We have taken Microsoft's ASP.NET vision and are migrating
> our host applications to ASP.NET.
>
> Security, Scalability and Availability are our key issues.
> Scale-out is achieved by NLB but availability is not,
> because an NLB member with a corrupted web content disk is
> still active and users directed to this machine always
> fail (we use client affinity to preserve sessions). Using
> a UNC file share of a fail-over cluster is a natural choice
> for high availability (HA). For security, single sign-on to
> Active Directory is a must.
>
> Our requirements are very typical and therefore NTLM + NLB
> + UNC file share on MSCS cluster should be a very popular
> combination. Why is it that only we are having this problem
> and it seems that all others are not using this
> configuration? Please advise us if our configuration is
> not a recommended one.
>
> Regards,
> Michael Leung
>
> >-----Original Message-----
> >Hi Michael,
> >
> >A security change from ASP to ASP.NET required that the user information of
> >a web request be changed to the UNC "connect as" user when the web
> >application is accessed by IIS via a UNC share. This overrides the
> >impersonated user. This affects User.Identity.Name and the ServerVariables.
> >
> >I have not finished investigating if you could write a shell extension (an
> >extension to the file system) to "hide" the fact that this is a UNC share.
> >I'll post more information as soon as I can.
> >
> >Thank you, Mike Moore
> >Microsoft, ASP.NET
> >
> >This posting is provided "AS IS", with no warranties, and confers no rights.
> >
> >--------------------
> >| >Content-Class: urn:content-classes:message
> >| >From: "Michael Leung" <kmleung@hec.com.hk>
> >| >Sender: "Michael Leung" <kmleung@hec.com.hk>
> >| >Subject: UNC file share and NTLM user identity
> >| >Date: Sun, 6 Apr 2003 06:20:43 -0700
> >| >Lines: 57
> >| >Message-ID: <01ed01c2fc3f$53a88f10$a601280a@phx.gbl>
> >| >MIME-Version: 1.0
> >| >Content-Type: text/plain; charset="iso-8859-1"
> >| >Content-Transfer-Encoding: 7bit
> >| >X-Newsreader: Microsoft CDO for Windows 2000
> >| >Thread-Index: AcL8P1OoE8DJP0gfTA+5GVVr9H8ANw==
> >| >X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> >| >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >| >Path: cpmsftngxa08.phx.gbl
> >| >Xref: cpmsftngxa08.phx.gbl microsoft.public.dotnet.framework.aspnet.security:4716
> >| >NNTP-Posting-Host: TK2MSFTNGXA14 10.40.1.166
> >| >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >| >
> >| >Hi,
> >| >
> >| >I have used a wrong email address. This one belongs to my
> >| >MSDN subscription. I do a re-post.
> >| >
> >| >All machines are in the same domain (AOL_DEV). I have a
> >| >W2KAS running IIS having two web sites. Port 80 points to
> >| >c:\inetpub\wwwroot and port 81 points to \\192.168.8.1\fileshare\wwwroot\
> >| >
> >| >In both port 80 & 81, I have the following ASP page
> >| >statement
> >| >Welcomes <%=Request.ServerVariables("REMOTE_USER")%>
> >| >It works fine. I get "Welcomes AOL_DEV\dcs4585"
> >| >
> >| >I followed Microsoft's document
> >| >"http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp"
> >| >to create a domain account for the .NET Process model in machine.config and
> >| >impersonation in WEB.config. I granted that account TCB
> >| >privilege. I used the local administration account for IIS
> >| >UNC Token to create the WEB site.
> >| >
> >| >In both port 80 and 81, I have the following ASP.NET
> >| >statements.
> >| >
> >| >Response.Write("You are : " +
> >| >Context.User.Identity.Name.ToString() + "<BR>");
> >| >Response.Write("Page run as : " +
> >| >System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() + "<BR>");
> >| >Response.Write("Root is : " +
> >| >Request.PhysicalApplicationPath.ToString() + "<BR>");
> >| >
> >| >In Port 80, I get the following response:-
> >| >You are : AOL_DEV\dcs4585
> >| >Page run as : AOL_DEV\dcszcluster
> >| >Root is : c:\inetpub\wwwroot\
> >| >
> >| >Unluckily in Port 81, I get the following response:-
> >| >You are : DCSCS5\Administrator
> >| >Page run as : AOL_DEV\dcszcluster
> >| >Root is : \\192.168.8.1\fileshare\wwwroot\
> >| >
> >| >Questions?????
> >| >The whole purpose of impersonation is to keep the original
> >| >authenticated user's identity while executing in another
> >| >user's privileges. The response from port 80 (without UNC
> >| >file share) is correct but that from port 81 (with UNC
> >| >file share) is not. I believe it is a bug.
> >| >
> >| >Imagine you have 20 NLBs for load balancing. Is it better
> >| >to deploy the .NET application to one single UNC directory
> >| >rather than to deploy it to 20 local machines?
> >| >
> >| >Michael Leung
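An added example, written for this archive page and not code from Mike Moore, Michael Leung or Microsoft, showing the defensive check the port-80 / port-81 comparison in the quoted thread suggests: when the web root is a UNC path, `Context.User.Identity.Name` reports the share's "connect as" account for every caller, so an application must not base authorization on it. It assumes a hypothetical `IdentityCheck` class and that the application is told the UNC token account name.

```csharp
using System;
using System.Web;

// Hypothetical helper (not from the thread). It reduces the port-81 observation
// to a check: on a UNC-hosted web root the caller's identity is replaced by
// the share's "connect as" account, so User.Identity.Name must not be trusted.
public class IdentityCheck
{
    public class Result
    {
        public string RequestUser;  // Context.User.Identity.Name
        public string Root;         // Request.PhysicalApplicationPath
        public bool RootIsUnc;      // root begins with \\
        public bool Suspicious;     // request identity equals the UNC token account
    }

    // Pure logic, so it can be exercised with constructed values outside IIS.
    // uncConnectAsUser is the account configured as the site's UNC token
    // (DCSCS5\Administrator in the thread); the application must know it.
    public static Result Evaluate(string requestUser, string root,
                                  string uncConnectAsUser)
    {
        Result r = new Result();
        r.RequestUser = requestUser;
        r.Root = root;
        r.RootIsUnc = root != null && root.StartsWith(@"\\");
        // Every caller on the UNC-hosted site shows up as the share account.
        r.Suspicious = r.RootIsUnc
            && string.Compare(requestUser, uncConnectAsUser, true) == 0;
        return r;
    }

    // Reads the live request; call from Page_Load or an HttpModule.
    public static Result FromContext(HttpContext ctx, string uncConnectAsUser)
    {
        return Evaluate(ctx.User.Identity.Name,
                        ctx.Request.PhysicalApplicationPath, uncConnectAsUser);
    }

    // Fail closed: never authorize on a name that is really the share account,
    // and require a user from the expected domain (AOL_DEV in the thread).
    public static bool IsAuthorized(Result r, string expectedDomain)
    {
        if (r.Suspicious || r.RequestUser == null) return false;
        string prefix = expectedDomain + @"\";
        return r.RequestUser.ToUpper().StartsWith(prefix.ToUpper());
    }
}
```

With the thread's port-81 values, `Evaluate(@"DCSCS5\Administrator", @"\\192.168.8.1\fileshare\wwwroot\", @"DCSCS5\Administrator")` yields `Suspicious == true` and `IsAuthorized` returns false, while the port-80 values (`AOL_DEV\dcs4585`, `c:\inetpub\wwwroot\`) pass.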