Re: shared folder access
anonymous_at_discussions.microsoft.com
Date: 10/16/03
- Previous message: Rajesh.V: "Re: Problem with Forms Authentication cookies"
- In reply to: Steve Jansen: "Re: shared folder access"
- Next in thread: Steve Jansen: "Re: shared folder access"
- Reply: Steve Jansen: "Re: shared folder access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 15 Oct 2003 23:25:52 -0700
Thanks Steve. Your options are really logical. However, I
tried with basic authentication, as we are on an intranet
and it's OK for us to pass in plain text too, but it seems it
doesn't work.
Also, I am not able to delete the UNC parameters
as you did.
>-----Original Message-----
>I suggest reading the Patterns & Practices whitepaper "Authentication in
>ASP.NET: .NET Security Guidance":
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
>
>Impersonation is not enough to accomplish what you want. You require
>account delegation from your physical server running IIS to your physical
>server hosting the file share.
>
>Option 1
>---------
>Your first option is to use Basic Authentication in IIS over SSL. This way,
>the inetinfo.exe process has your credentials in plaintext and can log on to
>the remote file server on the end user's behalf.
>
>Option 2
>---------
>Alternatively, I have gotten this to work before with Windows Authentication,
>but it is not straightforward:
>1) Enable Windows Authentication in IIS for your web app
>2) If you create a virtual directory that maps to your UNC share, manually
>delete the UNCUserName and UNCPassword metabase values using adsutil.vbs.
>This will remove the UNC user token credentials (something that cannot be
>done through inetmgr.exe). Doing so causes IIS to attempt delegation using
>the current logon credentials.
>3) Even though inetinfo.exe runs as LocalSystem, I had to create an AD
>Service Principal Name. First, I had to set the option "Trust this computer
>for delegation" for the IIS Computer AD object. Then, I had to issue the
>setspn.exe command, which I remember being:
>
>setspn -A HTTP/myhost.mydomain.com myserver
>
>
>4) For IE clients, I had to add myhost.mydomain.com to the LocalIntranet
>zone. I would guess this caused IE to use Kerberos authentication instead
>of NTLM. It may have also had something to do with "Automatic Logon in
>Intranet Zone only".
>
>Connected IE clients should then browse the remote file share using their
>credentials and appropriate ACLs. You should be able to confirm this by
>enabling complete auditing of file access for your share and checking the
>event viewer. I believe there are major performance implications for this,
>due to the increased network activity of IIS performing delegation and UNC
>file operations.
>
>Option 3
>---------
>You can also set the UNCAuthenticationPassthrough metabase attribute to True
>to accomplish this. The article at
>http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/default.aspx
>provides a good discussion of this setting. However, KB 286401 states
>that this setting is not supported by MS.
>
>-Steve Jansen
>
>"sundeeps@niit.com" <anonymous@discussions.microsoft.com> wrote in message
>news:06d601c39315$9f30aef0$a001280a@phx.gbl...
>> Hi, I have a web application residing on a web server [w]
>> and a file server [s]. Both the servers are part of the same
>> domain [d].
>>
>> Now, I want to access shared folders from my web
>> application, but the access should be given to only those
>> users who have permission on the shared folder.
>>
>> I set up impersonation in my system and am using Windows
>> authentication, but I still get an access denied error.
>>
>> Need help
>
>
>.
>
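The metabase and SPN steps of Option 2 in the quoted reply, written out as commands. This is an added example, not part of the original thread: it assumes adsutil.vbs is in the default AdminScripts folder, the web site ID is 1, and the virtual directory is a hypothetical one named `files`; `myserver` and `myhost.mydomain.com` are the placeholders from the quoted message.

```bat
@echo off
rem Added example, not from the thread. Run on the IIS server from an
rem administrator command prompt.
setlocal

rem Assumptions: default AdminScripts location, web site ID 1, and a
rem hypothetical virtual directory named "files" that maps to the UNC share.
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set VDIR=W3SVC/1/ROOT/files

if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found at %ADSUTIL%
    exit /b 1
)

rem Record the current state first so the change can be reviewed or undone.
echo --- before ---
cscript //nologo "%ADSUTIL%" GET %VDIR%/Path
cscript //nologo "%ADSUTIL%" GET %VDIR%/UNCUserName

rem Step 2: remove the stored UNC credentials from this virtual directory only.
cscript //nologo "%ADSUTIL%" DELETE %VDIR%/UNCUserName
cscript //nologo "%ADSUTIL%" DELETE %VDIR%/UNCPassword

rem Read the property back to see whether a stored account is still returned.
echo --- after ---
cscript //nologo "%ADSUTIL%" GET %VDIR%/UNCUserName

rem Step 3 check: list the SPNs registered on the IIS computer account and
rem look for HTTP/myhost.mydomain.com before adding it with setspn -A.
echo --- SPNs on myserver ---
setspn -L myserver

endlocal
```

Scoping the DELETE to the single virtual directory path keeps stored UNC credentials on other virtual directories unchanged.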