RE: Writing to a network share

From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 04/23/04


Date: Thu, 22 Apr 2004 23:37:00 GMT

So if I understand you correctly, Machine C accesses Machine A which tries to update the database on Machine B? If this is the case you're
probably running into the "double hop" issue, where impersonation will not work across two network hops. I'd recommend checking out the
microsoft.public.dotnet.aspnet.security newsgroup, to confirm this is the issue, and get some workarounds (I believe there is an Active Directory
setting that will enable double hop impersonation).

-Shawn
http://blogs.msdn.com/shawnfa

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Note:  For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they 
originated.  
--------------------
>From: "=?Utf-8?B?VHlsZXIgRGF2ZXk=?=" <anonymous@discussions.microsoft.com>
>Subject: Writing to a network share
>Date: Thu, 22 Apr 2004 08:01:06 -0700
>
>Alright, I've been trying to figure out the solution to this problem for a few days and I'm officially stumped.
My web app server, Machine A, needs the ability to create a file (XML) on my db server, Machine B. The application performs this task after a user
invokes a business object through an ASP.NET page. Now, if I do this on the app server (i.e., log on locally), it works fine. However, if I do this from
another client machine, Machine C, I get the beautiful error message:
Access to path \\machineb\log\log.xml is denied.
<code>
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information 
about the error and where it originated in the code. 
Exception Details: System.UnauthorizedAccessException: Access to the path "\\orchard\Log\test.xml" is denied. 
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. 
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not 
impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically 
IUSR_MACHINENAME) or the authenticated request user. 
To grant ASP.NET write access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the 
appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
</code>
Now, here is what I've done:
I've given full control to the directory on the network share to everyone.
I've changed machine.config process model to the SYSTEM account. When that didn't work, I changed it to my network account, which has local admin rights on the network.
I've tried mucking around with the Internet zone permissions and Intranet zone permissions through the .NET tools, giving both full trust privileges, no luck.
We've set the ASP.NET service to log on as a local system account, network system account, my domain account, and finally, the domain's admin account, still no luck.
My code is very simple:
<code>
using System.Text;
using System.Xml;

private void Button1_Click(object sender, System.EventArgs e)
{
    // Writes a small XML document directly to the UNC path on the network share.
    XmlTextWriter writer = new XmlTextWriter(@"\\machinea\Log\log.xml", Encoding.UTF8);
    writer.WriteStartDocument();
    writer.WriteStartElement("DATA");
    writer.WriteElementString("TEST", "Is this going to work");
    writer.WriteEndElement();
    writer.WriteEndDocument();
    writer.Close();
}
</code>
So, what am I missing?  
>
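
One way to check the "double hop" diagnosis from the reply above, as an added example that is not part of the original thread: report which Windows identity the code is running as and whether its token is at delegation level. The names DoubleHopCheck and Describe are hypothetical, and the ImpersonationLevel property assumes .NET 2.0 or later.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic, not code from the thread. DoubleHopCheck and Describe
// are hypothetical names; ImpersonationLevel needs .NET 2.0 or later.
public static class DoubleHopCheck
{
    // Summarises whether the given identity can be expected to authenticate
    // to a second machine, such as a UNC share on the database server.
    public static string Describe(WindowsIdentity id)
    {
        string who = id.Name + " (auth=" + id.AuthenticationType
                   + ", level=" + id.ImpersonationLevel + ")";

        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                return who + ": token may be forwarded to another machine.";
            case TokenImpersonationLevel.Impersonation:
                // Typical for an NTLM-authenticated request from a remote browser.
                return who + ": token normally carries no credentials for a further"
                           + " network hop; suspect the double-hop issue.";
            case TokenImpersonationLevel.Identification:
            case TokenImpersonationLevel.Anonymous:
                return who + ": token cannot be used to open resources for the caller.";
            default:
                // None: a primary token, so the thread is not impersonating.
                return who + ": not impersonating; network access uses the"
                           + " process account.";
        }
    }

    // Stand-alone entry point. In an ASP.NET page, call Describe from the same
    // handler that performs the write and log the result instead.
    public static void Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Describe(id));
        }
    }
}
```

Logging this string next to the UnauthorizedAccessException shows whether the failing write ran as the remote user at impersonation level or as the worker process account.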

