Re: ASP.NET access to DFS share problem

From: Bret (Bret_at_discussions.microsoft.com)
Date: 02/09/05


Date: Wed, 9 Feb 2005 11:49:02 -0800

Thanks yet again. To be sure I'm understanding correctly, with impersonation
turned on, it is attempting to access the resource with the user account, but
the token isn't appropriate so it's failing.

How about if impersonation was turned off -- it would then be using the
ASPNET worker process account, correct? (Honestly, the last question, and
thanks so much for your time.)

"Joe Kaplan (MVP - ADSI)" wrote:

> In the case of WIA and ASP.NET impersonation, it IS trying to use the user's
> account to access the share. You can see the current security context with
> System.Security.Principal.WindowsIdentity.GetCurrent().Name.
>
> The issue is the type of Windows token that the current thread has. WIA
> creates an impersonation level token. These types of tokens cannot hop to
> another machine by default. Normally, a primary token can hop to one more
> machine. Since basic authentication has your actual password, a primary
> token can be created, so you don't usually see the double-hop issue there.
>
> In order for tokens to hop freely from machine to machine, you need Kerberos
> delegation enabled. The default setting in AD is to have it turned off, so
> generally people don't have this working by default. Kerberos delegation is
> a big topic with lots written on it, but that is a brief, somewhat
> "hand-waving" newsgroup explanation that is hopefully accurate enough not to
> be misleading. :)
>
> If you want to get really smart on this, read Keith Brown's .NET/Windows
> security book. You can buy it from AW (which they would prefer) or read it
> online at his wiki at pluralsight.com.
>
> Joe K.
>
> "Bret" <Bret@discussions.microsoft.com> wrote in message
> news:4016C7EC-0B84-4162-AA72-8A7731AC798E@microsoft.com...
> > Thanks, I think that's the way we'll go. I can handle any user-specific
> > issues in the app -- it's a binary "let 'em have it/don't let 'em have it"
> > scenario, so knowing the identity in terms of the file access isn't
> > important.
> >
> > One more question, if I might: with WIA enabled in my original scenario,
> > what account *is* attempting to access the DFS file share? IOW, what
> > account
> > is being rejected? (Is the answer different depending on whether or not
> > impersonation is enabled?)
> >
> > Much appreciated.
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> Yes, that should work. You'll generally be better off making the worker
> >> process run as a domain account when doing this. I believe there are
> >> some
> >> technotes on how to make the changes needed and still use a low
> >> privileged
> >> account. If you don't need to do any "per user" ACLs or anything on the
> >> remote share, then this seems like the way to go. There is also the COM+
> >> component approach, but that might be more work with little extra
> >> benefit.
> >>
> >> Joe K.
> >>
> >> "Bret" <Bret@discussions.microsoft.com> wrote in message
> >> news:3C85458B-9E56-4D98-B7FC-606FED86F1D8@microsoft.com...
> >> > Joe -- I'll follow up on that; I was aware of the "double-hop" issue, I
> >> > just
> >> > didn't think it through to the conclusion. It's an intranet app using
> >> > WIA,
> >> > so
> >> > it's probable that that is the culprit.
> >> >
> >> > Am I right in assuming that the alternative would be to give the
> >> > ASPNET_WP
> >> > account the relevant privileges on the DFS share and just run it
> >> > without
> >> > impersonation? (I'm sure there would normally be concerns with granting
> >> > the
> >> > worker process much in the way of privileges, but this is an isolated
> >> > directory containing stuff of little consequence other than to my app.
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >
> >> >> Was the Thread.CurrentPrincipal.Identity created as a result of using
> >> >> Windows Integrated Authentication in IIS? If so, the issue is likely
> >> >> related to the classic "double-hop" issue and is usually solved by
> >> >> switching
> >> >> to Basic authentication/SSL or enabling Kerberos delegation. Google
> >> >> will
> >> >> reveal much about all of these problems.
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "Bret" <Bret@discussions.microsoft.com> wrote in message
> >> >> news:960807D1-665A-4E01-9307-67F12CA940EB@microsoft.com...
> >> >> > Have an ASP.NET app that is having trouble accessing a file on a DFS
> >> >> > share;
> >> >> > getting "access denied" errors. Using impersonation to ensure the
> >> >> > access
> >> >> > is
> >> >> > done under a domain account that has access, but no luck. Any
> >> >> > thoughts/tips/gotchas that can be shared, please do. Am thinking
> >> >> > that I
> >> >> > may
> >> >> > be botching the impersonation logic, posted below:
> >> >> >
> >> >> > Imports System.IO
> >> >> > Imports System.Security.Principal
> >> >> > Imports System.Threading
> >> >> >
> >> >> > ' Thread.CurrentPrincipal.Identity is typed as IIdentity; cast it explicitly
> >> >> > Dim currentIdentity As WindowsIdentity = _
> >> >> >     DirectCast(Thread.CurrentPrincipal.Identity, WindowsIdentity)
> >> >> >
> >> >> > Dim currentContext As WindowsImpersonationContext = currentIdentity.Impersonate()
> >> >> > Try
> >> >> >     Dim fileMsg As New StreamReader("theFileOnTheDfsShare")
> >> >> >     ' ...throws the access error here
> >> >> >     fileMsg.Close()
> >> >> > Finally
> >> >> >     ' always revert the impersonation, even when the read throws
> >> >> >     currentContext.Undo()
> >> >> > End Try
> >> >> >
> >> >> > The user accessing the page where this is done (me) has access on
> >> >> > the
> >> >> > DFS
> >> >> > share, and identity impersonate is set to true in the web.config.
> >> >> > Any
> >> >> > help
> >> >> > welcomed.
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
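A diagnostic helper for the situation discussed in this thread, added here as an illustration and not code from Bret or Joe Kaplan. It logs what Joe suggests checking (WindowsIdentity.GetCurrent().Name) together with the token's authentication type and impersonation level, so that an "access denied" on the DFS share can be tied to an Impersonation-level token from WIA rather than to a wrong account. It assumes .NET 2.0 or later (for WindowsIdentity.ImpersonationLevel and Using), an ASP.NET page with identity impersonate="true" in web.config, and a caller-supplied TextWriter for the log; the class and method names are illustrative.

```vbnet
' Added diagnostic example, not part of the original thread.
' Assumes .NET 2.0+ and an ASP.NET request thread that already impersonates the
' caller because web.config has <identity impersonate="true" />.
Imports System.IO
Imports System.Security.Principal
Imports System.Threading

Public Class DfsAccessDiagnostics

    ' Describe the token the current thread actually runs under. Unlike
    ' Thread.CurrentPrincipal.Identity, which only names the authenticated user,
    ' WindowsIdentity.GetCurrent() reflects the thread's real security context.
    Public Shared Function DescribeCurrentToken() As String
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Return String.Format("{0} via {1}, impersonation level {2}", _
                             id.Name, id.AuthenticationType, id.ImpersonationLevel)
    End Function

    ' Heuristic based on the explanation in this thread: an Impersonation-level
    ' token (the usual result of Windows Integrated Authentication) stops at this
    ' machine; a primary token (level None, i.e. no impersonation, the worker
    ' process account) or a Delegation-level token (Kerberos delegation enabled)
    ' is what a remote DFS open needs.
    Public Shared Function TokenLooksHoppable(ByVal id As WindowsIdentity) As Boolean
        Return id.ImpersonationLevel = TokenImpersonationLevel.None _
            OrElse id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    ' Read a file on the share, recording who attempted it and why it may fail.
    ' The "path" and "log" parameters are supplied by the caller (illustrative).
    Public Shared Function ReadFromShare(ByVal path As String, ByVal log As TextWriter) As String
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        log.WriteLine("Thread token before read: " & DescribeCurrentToken())

        If Not TokenLooksHoppable(id) Then
            log.WriteLine("Impersonation-level token on this thread: a remote open " & _
                          "will be rejected (classic double hop). Either run without " & _
                          "impersonation under a domain worker process account, " & _
                          "use Basic/SSL, or enable Kerberos delegation.")
        End If

        Try
            Using reader As New StreamReader(path)
                Return reader.ReadToEnd()
            End Using
        Catch ex As UnauthorizedAccessException
            ' Log the rejected account, which is what the thread was asking about.
            log.WriteLine("Access denied on " & path & " for " & id.Name & ": " & ex.Message)
            Throw
        End Try
    End Function

End Class
```

Called from the page as DfsAccessDiagnostics.ReadFromShare("\\domain\dfsroot\file.txt", someWriter) (placeholder path), the log line shows the user's own account with AuthenticationType "Negotiate" or "NTLM" and level Impersonation when WIA is in use, which is the token Joe describes as unable to hop; with impersonation turned off the same call reports the ASPNET worker process account at level None.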


