Re: Impersonation on Remote UNC

From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Jun 2007 09:47:37 -0500

It sounds like you need to implement Kerberos delegation. This will allow
you to impersonate the authenticated browser user and let the web app
delegate those users' creds to the remote resource (a file share in this
case).

MSDN and TechNet have lots of articles on implementing Kerberos delegation
that should turn up with a search. It is also covered frequently in this
newsgroup.

Note that since you are using Win2K IIS, you'll be limited to using
unconstrained, "Kerberos only" delegation. You can't use any of the new
Win2K3 Kerberos features like protocol transition or constrained delegation.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"KittyHawk" <KittyHawk@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AA6707CE-D308-495F-8778-12DB51F3F0F1@xxxxxxxxxxxxxxxx

Let me also add that if I add the userName and password attributes to
web.config, the files copy to the UNC shares just fine. Unfortunately,
this
is not feasible for my application since I have a whole group of users I
want
to be able to authenticate.

"KittyHawk" wrote:

I have an ASP.NET 2.0 application running on IIS 5 under SSL on a W2K
machine. The application attempts to copy several files from the local
server
to remote UNC shares that are members of the same domain as the host. I
have
set permissions on the UNC shares such that members of a particular group
can
write to the directory. However, as of now, the file copy operation fails
with a System.UnauthorizedAccessException. I am using Windows
Authentication
with impersonation set to "true". Am I missing something?

Prev by Date: Re: accessing IWA secured website from Mac?
Next by Date: Re: AzMan scope level application groups seem to be br ...
Previous by thread: What characters are allowed by validateRequest page directive?
Next by thread: Re: AzMan scope level application groups seem to be br ...
Index(es):
- Date
- Thread

Relevant Pages

Re: Propagating caller identity across applications from a bare ASMX Service method to a WSE3 Servic
... Directory Domain as the server computer and the server App Pool run-as ... Windows 2003 Server mode -- they may be in Windows 2000 mixed mode. ... to be configured so as to use kerberos delegation. ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: File Server delegation
... Identity) using a custom domain account required for Delegation? ... you're going to use kerberos delegation to make the ... Microsoft MSDN Online Support Lead ...
(microsoft.public.dotnet.framework.aspnet)
Re: Delegation through Linked Server Stops working
... "Sue Hoegemeier" wrote: ... This post was about delegation working and then suddenly ... delegation on linked server fails in our network when we use ... I'd suggest getting the Kerberos Delegation troubleshooting ...
(microsoft.public.sqlserver.security)
Re: Kerberos Delegation
... Yes, kerberos delegation is possible. ... Server S will FORWARD this to server T ... > about Delegation but ALL described Only one hop scenario. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: token elevation
... the user's security context. ... Do you know if you have Kerberos delegation enabled for the machine account? ... into problems when my service required access to network files. ... Perhaps it would be better to not impersonate the user for the ...
(microsoft.public.dotnet.security)