Re: Creating files in a unc shared drive.

From: Alex (
Date: 08/17/05

Date: Wed, 17 Aug 2005 05:21:09 -0700

I'm not sure why my manager doesn't want to enable kerberos delegation in
iis. Running all sites under the user won't be a problem. It's a generic
system user who does have permissions to perform tasks.

"Joe Kaplan (MVP - ADSI)" wrote:

> It means all of the other web sites on the machine will have the worker
> process running as your domain account too. This may or may not be a bad
> thing, depending on what it can do.
> What's the problem with Kerberos delegation? It is probably the best way to
> solve this problem. The other good way is to put the code that does the UNC
> access in a seperate component and set it up in COM+ to run as your domain
> identity. That way only this piece of code has the special privileges. Of
> course, this is more complicated to implement and deploy, but offers more
> security.
> Joe K.
> "Alex" <> wrote in message
> > This is what we ended up doing, and it seems to work:
> >
> > We set the impersonate="false"
> > We set the user name and password in the <processModel> element to an
> > active
> > directory user
> > We gave the user the proper permissions to the unc share
> >
> > I'm not sure of the reasons, but I've been told to try and get it working
> > without Kerebose\delegation.
> >
> > My only concern is the machine.config changes. I'm not sure how it affects
> > the other web sites we have....