Re: Win 2003 svr/ASP.NET 2.0 UNC share



This looks like you are not impersonating when making the hop from the web server to the file server.

Check the value of WindowsIdentity.GetCurrent().Name before doing the access - it should hold the username of the client and _not_ NETWORK SERVICE...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
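As an added illustration of the check suggested above (this is not code from the thread; the class and method names are my own), a VB.NET helper for an ASP.NET 2.0 page that reports the identity the request thread actually runs under and whether its token can make the second hop to a remote share:

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web

' Added diagnostic for the "second hop" problem discussed in the thread.
' Not part of the original posts; class and method names are placeholders.
Public Class DelegationCheck

    ' Describes the token the worker thread is using right now, which is the
    ' identity the file server will see when the UNC path is opened.
    Public Shared Function Describe(ByVal ctx As HttpContext) As String
        Dim current As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim sb As New System.Text.StringBuilder()

        ' Who IIS authenticated (the browser user).
        If ctx.User IsNot Nothing Then
            sb.AppendLine("Client identity : " & ctx.User.Identity.Name)
        End If
        ' Who the thread actually is. Without impersonation this is
        ' NT AUTHORITY\NETWORK SERVICE, and the file server then logs the
        ' machine account (WEB1$) or ANONYMOUS LOGON instead of the client.
        sb.AppendLine("Thread identity : " & current.Name)
        ' "NTLM" here means the token cannot be forwarded to a second server.
        sb.AppendLine("Auth package    : " & current.AuthenticationType)
        ' Only a Delegation-level token can be used against a remote share;
        ' Impersonation level is enough for local resources only.
        sb.AppendLine("Token level     : " & current.ImpersonationLevel.ToString())
        Return sb.ToString()
    End Function

    ' True when the current token satisfies both prerequisites for reaching
    ' a remote UNC share as the client: Kerberos plus a delegatable token.
    Public Shared Function CanHopToRemoteShare(ByVal id As WindowsIdentity) As Boolean
        Return String.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase) _
            AndAlso id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function
End Class
```

Call `DelegationCheck.Describe(HttpContext.Current)` from the page just before the `WriteAllText` and compare the output with the file server's security event log.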

hmmmm.....auth seems to work using Kerberos between the webserver and
client:

event log from WEBSERVER:
--------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2007-05-08
Time: 12:17:02
User: MYDOMAIN\RLA
Computer: WEB1
Description:
Successful Network Logon:
User Name: RLA
Domain: MYDOMAIN
Logon ID: (0x0,0x5FC7F2AC)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {624ca6b7-acdf-1e0c-f71d-b89a9ca74c6f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.99
Source Port: 50135
-----------------
But on the file server something seems odd.
It looks to me like the webserver tries to connect using Kerberos
first using a user named WEB1$ (??) and then NTLM as ANONYMOUS......
eventlog of WEB2
-------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: MYDOMAIN\WEB1$
Computer: WEB2
Description:
Successful Network Logon:
User Name: WEB1$
Domain: MYDOMAIN
Logon ID: (0x0,0x52375B9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {2981b3ae-a8dd-1971-830a-3dd64c0d27ac}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.55
Source Port: 0
-------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 08.05.2007
Time: 12:20:12
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: WEB2
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x52375C4)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB1
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.55
Source Port: 0
-------------------

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:51eb3048f5a38c95f7dba36ddf0@xxxxxxxxxxxxxxxxxxxxx

Hi,
you are welcome ;)
try CIFS and HOST + the name of the machine as you use it in the UNC
path.

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Hey,

First of all - thanks for your patience and excellent help on this
one Dominick... :-)

I use http://demoapp.mydomain.com

I got kerberos working now between client and webserver by using
setspn -A HTTP/demoapp.mydomain.com web1

Now I need to set up Kerberos between web1 and the fileserver web2.
What service am I supposed to use for setspn on the fileserver?

Roger

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:51eb3048f59e8c95f7427220f70@xxxxxxxxxxxxxxxxxxxxx

what do you type into IE to open the web app?

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Sorry - didn't see the article yesterday :-P

Excellent article - stepped through the troubleshooting part
- seems the two servers are negotiating NTLM between them....
- seems the client and webserver also negotiated NTLM
Do you have any ideas on how the SPN should be set up?
The webserver hosting the app is running IIS6 under the "Network
Service" account and is called web1.mydomain.com
Used LDP to find these SPNs already configured:
servicePrincipalName: SMTPSVC/WEB1;
SMTPSVC/STRA-WEB1.mydomain.com;
HOST/WEB1; HOST/WEB1.mydomain.com;
Pretty much the same with the file sharing server, only the name is
web2.
Regards,
Roger
"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote
in message news:51eb3048f4a98c95ed3bb39c0a0@xxxxxxxxxxxxxxxxxxxxx
You haven't read the article, have you?

Are you sure your SPNs are set up correctly - are you REALLY using
Kerberos (check the security event log of the web server for logon
events - which authentication package do you see?)

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Thanks Dominick,

1. The web server is a win2003/iis 6 box - same with the box
I've setup the share on for test purposes - both members of our
domain

2. I am impersonating and using a domain account to access the
site.

3. The site is set up with "Integrated auth"

4. The DC is running as "Windows 2000 native" at the domain
functional level

5. The webserver hosting the app is set up as "Trust computer
for delegation"

Still doesn't work - what is the last piece of the puzzle -
anyone.....?? :-)

Roger

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:51eb3048f4808c95ea322af0140@xxxxxxxxxxxxxxxxxxxxx

well - if you are impersonating _and_ accessing a remote
resource - this is called delegation and works only under
specific pre-reqs:

- Kerberos authentication (which implies a domain environment)
- Delegation is set up (which is not the default)

have a look here:

http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I do impersonate. Testing with my own account - and it does
have more than sufficient permissions.

"Alexey Smirnov" <alexey.smirnov@xxxxxxxxx> wrote in message
news:1178308306.449322.237080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On May 4, 2:33 pm, "Langedal, Roger" <rogla...@xxxxxxxxxxx>
wrote:

I'm trying to set up a simple test on writing to a file on a UNC
share from an ASP.NET 2.0 web page. This is what's happening in
default.aspx:
----------------------------------------------------------------
Dim path As String = "\\remoteserver\testshare"
Response.Write(User.Identity.Name)
My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's good", True)
----------------------------------------------------------------
Impersonation is enabled and Windows auth is set up in IIS 6.
1. When I run this on my Vista PC I'm correctly authenticated and
the file is written perfectly to the remote share.
2. If I move my web app to a Windows 2003/IIS 6 web server and
create a share on this server \\mywebserver\testshare, everything
still works perfectly.
3. But if I try to write to a REMOTE share, i.e.
\\myotherserver\testshare, it fails with "file not found" - no
further explanation :-S I've tried to scan for activity on the
remote server's file system with Filemon - but it doesn't even look
like it tries to access the share at all.... Permissions are set to
Everyone both at NTFS and share permissions at this share.
ANY ideas guys??
Regards,
Roger
Do you use impersonation, or do you run the application under the
ASP.NET account?





