Re: problem writing a file

anonymous_at_discussions.microsoft.com
Date: 09/28/04


Date: Tue, 28 Sep 2004 09:45:35 -0700

Hi dominick

I've found out why it wasn't working... Apparently our
staging server didn't have write permissions to the
share. Our live server did. I've just created a temp.
directory on our staging server for testing and can use
impersonation.

Many thanks for your help, it's made things a lot clearer.

Regards
Iain
>-----Original Message-----
>hi,
>
>
>
> check out the machine settings in active directory users and computers.
>
>
>
> ---
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>
> nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<uTN5laOpEHA.3988@tk2msftngp13.phx.gbl>
>
> Thanks again for the reply.
>
> How can I find out if trust for delegation is enabled? Is it enabled on a
> machine specific basis, and if so, is it the webserver or the smb server
> providing that share which should have trust enabled?
>
> Regards
> Iain
>
>
>
> "Dominick Baier" <dotnet@leastprivilege.com> wrote in message
> news:O7XGdROpEHA.3668@TK2MSFTNGP15.phx.gbl...
> > if you are impersonating depends on the impersonate=true/false switch in
> > web.config.
> >
> > trust for delegation is an active directory setting.
> >
> >
> >
> > ---
> > Dominick Baier - DevelopMentor
> > http://www.leastprivilege.com
> >
> >
> > nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<u9SE2XNpEHA.3460@TK2MSFTNGP15.phx.gbl>
> >
> > Thanks for your prompt reply Dominick
> >
> > I'm not sure which is the case as I am not the server administrator - they
> > are away :-(
> > But I'm a bit confused as to the machine account needing to be trusted for
> > delegation?
> > Is this an option in IIS admin?
> >
> > Regards
> > Iain
> >
> > "Dominick Baier" <dotnet@leastprivilege.com> wrote in message
> > news:%23muBcHNpEHA.1460@TK2MSFTNGP12.phx.gbl...
> > > hi,
> > >
> > > i don't know if you are running on w2k3 or w2k and if you intend to
> > > impersonate or not...
> > >
> > > here are the 2 scenarios
> > >
> > > 1. no impersonation
> > >
> > > Your asp.net app runs under the ASPNET (w2k/xp) account or Network Server
> > > (w2k3). The local ASPNET account has no network credentials on another
> > > machine -> use a domain account instead. The Network Service account has the
> > > credentials of the machine (MachineName$) when in Active Directory or none
> > > if stand-alone. Also here - use a domain account or an account that matches
> > > on both machines
> > >
> > > 2. impersonation
> > >
> > > if you are impersonating you are doing a second hop with the client
> > > credentials. your machine/service account has to be trusted for delegation
> > > to achieve this.
> > >
> > >
> > >
> > > ---
> > > Dominick Baier - DevelopMentor
> > > http://www.leastprivilege.com
> > >
> > >
> > > nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<#EFytMMpEHA.3900@TK2MSFTNGP10.phx.gbl>
> > >
> > > Hi,
> > > I'm really stuck with this one - wondering if you can spot the problem?
> > > I think that it's a webserver problem that goes deeper than web.config.
> > > I've not been able to write to a file on a network share via ASP.NET. The
> > > network share is not the same as the webserver.
> > >
> > > relevant section of web.config:
> > > <appSettings>
> > >   <!-- the location we cannot write to. My staging server
> > >        doesn't have write permissions here, but I do if authenticating as
> > >        myself -->
> > >   <add key="ProjectCollection"
> > >        value="\\my_server\userhome\MyAccount\websiteTests\test.txt" />
> > >   <!-- Neither of these work!
> > >        I have write perms here for my user ac*** and believe that
> > >        my staging server has write perms here too
> > >   add key="ProjectCollection"
> > >        value="\\my_server\commondocuments\websiteTests\test.txt" />
> > >   -->
> > > </appSettings>
> > > <system.web>
> > >   <!-- I have also tried "None" here -->
> > >   <authentication mode="Windows" />
> > >
> > >   <!-- I have tried leaving this out -->
> > >   <identity impersonate="true" />
> > >
> > >   <authorization>
> > >     <allow users="mydomain\myusername" />
> > >     <deny users="*" />
> > >     <!-- I have tried allow users="*" but I think that then my server
> > >          tries to authenticate as ASPNET. This certainly should not access my home
> > >          folder, but should??? access the common share. I believe that my
> > >          administrator has set up access privs for my server on the common share.
> > >          It doesn't access it however! -->
> > >   </authorization>
> > > </system.web>
> > > Relevant code:
> > > ' at the top of the code-behind file
> > > Imports System.IO
> > > Imports System.Configuration
> > >
> > > Private Sub btnSearch_Click(ByVal sender As System.Object, _
> > >         ByVal e As System.EventArgs) Handles btnSearch.Click
> > >     'identity we are running as - 2 ways of getting the same information
> > >     ' returns my username if I am impersonating and authenticating in web.config
> > >     'however, still cannot write to either folder no matter what I am impersonating or not
> > >     Trace.Write(Page.User.Identity.Name)
> > >     Trace.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name)
> > >     'filename we are trying to write to
> > >     Dim strFileName As String = _
> > >         ConfigurationSettings.AppSettings("ProjectCollection")
> > >     Trace.Write(strFileName)
> > >     'fails here. This creates a file in location specified by Config setting above
> > >     Dim fs As FileStream = New FileStream(strFileName, FileMode.Append)
> > >     Dim w As New StreamWriter(fs)
> > >     w.WriteLine("Test")
> > >     w.Close()
> > >     fs.Close()
> > > End Sub
> > > Any Ideas?
> > > Many thanks
> > > Sorry for long post
> > > Iain
> > >
> > >
> > >
> > > [microsoft.public.dotnet.framework.aspnet.security]
>
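
An added example, not part of the thread: one way to answer the question of how to find out whether trust for delegation is enabled. It queries the web server's machine account, since that is the account making the second hop to the share. It assumes the ActiveDirectory PowerShell module is installed; `WEB01` and the function name are hypothetical, and `my_server` is the share host from the posted web.config.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-WebServerDelegation {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $WebServer,   # first hop: runs ASP.NET
        [Parameter(Mandatory = $true)] [string] $FileServer   # second hop: hosts the share
    )

    $c = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation,
             TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs listed when delegation is restricted to specific services
    $allowed = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    # SMB shares are reached through the cifs/<host> service principal name
    $pattern = '^cifs/' + [regex]::Escape($FileServer) + '(\.|$)'
    $cifs    = @($allowed | Where-Object { $_ -match $pattern })

    if ($c.TrustedForDelegation)  { $mode = 'Unconstrained: any service' }
    elseif ($allowed.Count -gt 0) { $mode = 'Constrained: listed services only' }
    else                          { $mode = 'Not trusted for delegation' }

    [pscustomobject]@{
        Account            = $c.SamAccountName
        Mode               = $mode
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        AllowedServices    = $allowed
        # True when the delegation settings permit forwarding the client's
        # identity to the file server's SMB service
        SecondHopAllowed   = [bool]$c.TrustedForDelegation -or ($cifs.Count -gt 0)
    }
}

# WEB01 is a placeholder for the staging web server's computer name
Get-WebServerDelegation -WebServer 'WEB01' -FileServer 'my_server' | Format-List
```

`SecondHopAllowed` only reflects the delegation settings in Active Directory; share and NTFS permissions on the target are evaluated separately, which is what turned out to be missing on the staging server in this thread.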