Re: Win 2003 svr/ASP.NET 2.0 UNC share
- From: "Langedal, Roger" <roglan19@xxxxxxxxxxx>
- Date: Tue, 8 May 2007 12:26:35 +0200
hmmmm.....auth seems to work using Kerberos between the webserver and client:
event log from WEBSERVER:
--------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2007-05-08
Time: 12:17:02
User: MYDOMAIN\RLA
Computer: WEB1
Description:
Successful Network Logon:
User Name: RLA
Domain: MYDOMAIN
Logon ID: (0x0,0x5FC7F2AC)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {624ca6b7-acdf-1e0c-f71d-b89a9ca74c6f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.99
Source Port: 50135
-----------------
but not on the file server somthing seems odd.
It looks like me that the webserver tries to connect using Kerberos first using a user named WEB1$(??) and then NTLM an ANONYMOUS......
eventlog of WEB2
-------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: MYDOMAIN\WEB1$
Computer: WEB2
Description:
Successful Network Logon:
User Name: WEB1$
Domain: MYDOMAIN
Logon ID: (0x0,0x52375B9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {2981b3ae-a8dd-1971-830a-3dd64c0d27ac}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.55
Source Port: 0
-------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: WEB2
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x52375C4)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB1
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.55
Source Port: 0
-------------------
"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:51eb3048f5a38c95f7dba36ddf0@xxxxxxxxxxxxxxxxxxxxx
Hi,
you are welcome ;)
try CIFS and HOST + the name of the machine as you use it in the UNC path.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Hey,
First of all - thanks for you patience and excellent help on this one
Dominick... :-)
I use http://demoapp.mydomain.com
I got kerberos working now between client and webserver by using
setspn -A HTTP/demoapp.mydomain.com web1
Now I need to setup Kerberos between the web1 and fileserver web2.
What service am I supposed to use for setspn on the fileserver?
Roger
"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:51eb3048f59e8c95f7427220f70@xxxxxxxxxxxxxxxxxxxxx
what do you type into IE to open the web app?
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Sorry - didn't see the article yesterday :-P
Excellent article - steped through the troubleshooting part
- seems the two servers are negotiating NTLM between them....
- seems the client and webserver also negotiated NTLM
Do you have any ideas on how the SPN should be setup?
The webserver hosting the app is running IIS6 under the "Network
Service"
account and is called web1.mydomain.com
Used LDP to find these SPN's already configured:
servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com;
HOST/WEB1; HOST/WEB1.mydomain.com;
Pretty much the same with the filesharing server only the name is
web2:
Regards,
Roger
"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote
in message news:51eb3048f4a98c95ed3bb39c0a0@xxxxxxxxxxxxxxxxxxxxx
you haven't read the article, did you?
Are you sure your SPNs are setup correctly - are you REALLY using
Kerbers (check the security event log of the web server for logon
events - which authentication package to you see?)
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Thanks Dominick,
1. The web server is a win2003/iis 6 box - same with the box I've
setup the share on for test purposes - both members of our domain
2. I am impersonating an using a domain account to access the
site.
3. The site is setup with "Integrated auth"
4. The DC is running as "Windows 2000 native" at the domain
functional level
5. The webserver hosting the app is setup as "Trust computer for
delagation"
Still doesn't work - what is the last piece of the puzzle -
anyone.....?? :-)
Roger
"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:51eb3048f4808c95ea322af0140@xxxxxxxxxxxxxxxxxxxxx
well - if you are impersonating _and_ acccessing a remote
resource - this is called delegation and works only under
specific pre-reqs:
- Kerberos authentication (which implies a domain environment) -
Delegation is set up (which is not the default)
have a look here:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/def
au lt .aspx
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I do impersonate. Testing with my own account - and it does have
more than sufficient permissions.
"Alexey Smirnov" <alexey.smirnov@xxxxxxxxx> wrote in message
news:1178308306.449322.237080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx On
May 4, 2:33 pm, "Langedal, Roger" <rogla...@xxxxxxxxxxx> wrote:
I'm trying to setup a simple test on writing to a file on ando you use an impersonation or you run the application under
UNC
share
from
an asp.net 2.0 webpage. This is whats happing in default.aspx:
---------------------------------------------------------------
--
--
--
-------------- Dim path As String = "\\remoteserver\testshare"
Response.Write(User.Identity.Name)
My.Computer.FileSystem.WriteAllText(path & "\myfile.txt",
"life's
good", True)
---------------------------------------------------------------
--
-- -- --------------
impersonation is enabled and windows auth is setup in IIS 6.
1. When I run this on my Vista PC - I'm correctly authenticated
and
the
file
is written perfectly to the remote share.
2. If I move my webapp to a Windows 2003/IIS 6 webserver and
create
a
share
on this server \\mywebserver\testshare everything still works
perfectly
3. But - I if I try to write to a REMOTE share i.e
\\myotherserver\testshare
it fails with "file not found" - no further explanation :-S
I've
tried to
scan for activity on the remote servers filesystem with Filemon
-
but
it
does'nt even look like it tries to access the share at all....
Permissions
are set to everyone both at NTFS and share permissions at this
share.
ANY ideas guys??
Regards,
Roger
asp.net account?
.
- Follow-Ups:
- Re: Win 2003 svr/ASP.NET 2.0 UNC share
- From: Dominick Baier
- Re: Win 2003 svr/ASP.NET 2.0 UNC share
- References:
- Re: Win 2003 svr/ASP.NET 2.0 UNC share
- From: Langedal, Roger
- Re: Win 2003 svr/ASP.NET 2.0 UNC share
- From: Dominick Baier
- Re: Win 2003 svr/ASP.NET 2.0 UNC share
- Prev by Date: Re: Win 2003 svr/ASP.NET 2.0 UNC share
- Next by Date: Re: Win 2003 svr/ASP.NET 2.0 UNC share
- Previous by thread: Re: Win 2003 svr/ASP.NET 2.0 UNC share
- Next by thread: Re: Win 2003 svr/ASP.NET 2.0 UNC share
- Index(es):
Relevant Pages
|
