Re: problem writing a file

From: Dominick Baier (dotnet_at_leastprivilege.com)
Date: 09/28/04

  • Next message: Iain A. Mcleod: "Re: problem writing a file"
    To: microsoft.public.dotnet.framework.aspnet.security
    Date: Mon, 27 Sep 2004 15:50:17 -0700
    
    

    whether you are impersonating depends on the impersonate=true/false switch in web.config.

     trust for delegation is an Active Directory setting.

     

     ---
     Dominick Baier - DevelopMentor
     http://www.leastprivilege.com

       nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/>

     Thanks for your prompt reply Dominick
     
     I'm not sure which is the case as I am not the server administrator - they
     are away :-(
     But I'm a bit confused as to the machine account needing to be trusted for
     delegation?
     Is this an option in IIS admin?
     
     Regards
     Iain
     
     "Dominick Baier" <dotnet@leastprivilege.com> wrote in message
     news:%23muBcHNpEHA.1460@TK2MSFTNGP12.phx.gbl...
    > hi,
    >
    > i don't know if you are running on w2k3 or w2k and if you intend to
    > impersonate or not...
    >
    > here are the 2 scenarios
    >
    > 1. no impersonation
    >
    > Your asp.net app runs under the ASPNET (w2k/xp) account or Network Service
    > (w2k3). The local ASPNET account has no network credentials on another
    > machine -> use a domain account instead. The Network Service account has the
    > credentials of the machine (MachineName$) when in Active Directory or none
    > if stand-alone. Also here - use a domain account or an account that matches
    > on both machines
    >
    > 2. impersonation
    >
    > if you are impersonating you are doing a second hop with the client
    > credentials. your machine/service account has to be trusted for delegation
    > to achieve this.
    >
    >
    >
    > ---
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<#EFytMMpEHA.3900@TK2MSFTNGP10.phx.gbl>
    >
    > Hi,
    > I'm really stuck with this one - wondering if you can spot the problem?
    > I think that it's a webserver problem that goes deeper than web.config.
    > I've not been able to write to a file on a network share via ASP.NET. The
    > network share is not the same as the webserver.
    >
    > relevant section of web.config:
    > <appSettings>
    >   <!-- the location we cannot write to. My staging server
    >        doesn't have write permissions here, but I do if authenticating as
    >        myself -->
    >   <add key="ProjectCollection"
    >        value="\\my_server\userhome\MyAccount\websiteTests\test.txt" />
    >   <!-- Neither of these work!
    >        I have write perms here for my user account and believe that
    >        my staging server has write perms here too
    >        add key="ProjectCollection"
    >        value="\\my_server\commondocuments\websiteTests\test.txt" />
    >   -->
    > </appSettings>
    > <system.web>
    >   <!-- I have also tried "None" here -->
    >   <authentication mode="Windows" />
    >
    >   <!-- I have tried leaving this out -->
    >   <identity impersonate="true" />
    >
    >   <authorization>
    >     <allow users="mydomain\myusername" />
    >     <deny users="*" />
    >     <!-- I have tried allow users="*" but I think that then my server
    >          tries to authenticate as ASPNET. This certainly should not access my home
    >          folder, but should??? access the common share. I believe that my
    >          administrator has set up access privs for my server on the common share.
    >          It doesn't access it however! -->
    >   </authorization>
    > </system.web>
    > Relevant code:
    > ' needs: Imports System.IO and Imports System.Configuration
    > Private Sub btnSearch_Click(ByVal sender As System.Object, _
    >         ByVal e As System.EventArgs) Handles btnSearch.Click
    >     'identity we are running as - 2 ways of getting the same information
    >     ' returns my username if I am impersonating and authenticating in web.config
    >     'however, still cannot write to either folder no matter whether I am
    >     'impersonating or not
    >     Trace.Write(Page.User.Identity.Name)
    >     Trace.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name)
    >     'filename we are trying to write to
    >     Dim strFileName As String = _
    >         ConfigurationSettings.AppSettings("ProjectCollection")
    >     Trace.Write(strFileName)
    >     'fails here. This creates a file in location specified by Config setting above
    >     Dim fs As FileStream = New FileStream(strFileName, FileMode.Append)
    >     Dim w As New StreamWriter(fs)
    >     w.WriteLine("Test")
    >     w.Close()
    >     fs.Close()
    > End Sub
    > Any Ideas?
    > Many thanks
    > Sorry for long post
    > Iain
    >
    >
    >
    > [microsoft.public.dotnet.framework.aspnet.security]
     
     
     
     [microsoft.public.dotnet.framework.aspnet.security]
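
Added example, not part of the original thread: a VB.NET helper that reports which of the two scenarios from the reply applies (process identity or impersonated client token) before it attempts the write. It assumes .NET Framework 2.0 or later for `WindowsIdentity.ImpersonationLevel`; `ShareWriteDiagnostics`, `DescribeCurrentToken` and `TryAppend` are hypothetical names.

```vb
Imports System
Imports System.IO
Imports System.Security.Principal

' Hypothetical helper (not from the thread): shows which account a write to a
' network share will use and whether that token can leave the web server.
Public Module ShareWriteDiagnostics

    Public Function DescribeCurrentToken() As String
        ' GetCurrent() returns the thread token when impersonating, otherwise
        ' the worker-process token (ASPNET, Network Service or a domain account).
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim verdict As String
        Select Case id.ImpersonationLevel
            Case TokenImpersonationLevel.None
                verdict = "scenario 1: process identity; this account needs rights on the share"
            Case TokenImpersonationLevel.Delegation
                verdict = "scenario 2: client token is delegable; second hop can use client credentials"
            Case Else
                ' With integrated Windows authentication and no delegation trust the
                ' token is valid on the web server only and carries no network credentials.
                verdict = "scenario 2: impersonating without delegation; expect the second hop to fail"
        End Select
        Return String.Format("{0} [level={1}, auth={2}] {3}", _
            id.Name, id.ImpersonationLevel, id.AuthenticationType, verdict)
    End Function

    ' Appends one line to path; report receives the identity and any failure reason.
    Public Function TryAppend(ByVal path As String, ByRef report As String) As Boolean
        report = DescribeCurrentToken()
        Try
            Dim w As StreamWriter = File.AppendText(path)
            Try
                w.WriteLine("Test")
            Finally
                w.Close()
            End Try
            Return True
        Catch ex As UnauthorizedAccessException
            report &= " -> access denied: " & ex.Message
        Catch ex As IOException
            report &= " -> I/O error: " & ex.Message
        End Try
        Return False
    End Function
End Module
```

Calling `TryAppend` from the click handler and passing `report` to `Trace.Write` puts the account name, impersonation level and failure reason in one trace line.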

