Re: Can't determine if a file exists
From: Nikolai Evseev (NikolaiEvseev_at_discussions.microsoft.com)
Date: 08/15/05
- Previous message: Nikolai Evseev: "Re: Can't determine if a file exists"
- In reply to: Paul Clement: "Re: Can't determine if a file exists"
- Next in thread: Paul Clement: "Re: Can't determine if a file exists"
- Reply: Paul Clement: "Re: Can't determine if a file exists"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Aug 2005 02:00:04 -0700
Thanks Paul for pointing at the article. I've tried the default
authentication scenario, when <processModel userName="machine"/>. I've added
NT AUTHORITY\ANONYMOUS LOGON user to the permissions list for the bloody
shared folder, but getting the same picture at the end - no access. As far as
I understand, according to the above mentioned article, IIS should delegate
ASPNET user to the workgroup machine, which should appear as ANONYMOUS LOGON
on that machine.
"Paul Clement" wrote:
> On Fri, 12 Aug 2005 05:07:03 -0700, "Nikolai Evseev" <NikolaiEvseev@discussions.microsoft.com>
> wrote:
>
> ¤ Thanks Nicole for your reply,
> ¤
> ¤ The target shared folder (call it \\PCWKG\SHAREDFOLDER) is on another
> ¤ machine. My machine (PCDOM1), on which I am running the browser is also the
> ¤ IIS. Presume that PCDOM1 is in the corporate domain, and PCWKG is in it's own
> ¤ workgroup and not in the corporate domain. If IIS\website authentication is
> ¤ set to Windows Authentication then it works, if Anonymous then not. But if I
> ¤ login as myself (with the same user name and password) on PCDOM2 and start
> ¤ the browser on it then it's not working as well. I was thinking that the
> ¤ reasong could be that my own account doesn't have access to the shared
> ¤ folder, but how can I give access on a shared folder to the domain user if
> ¤ the PCWKG is not on the domain?
> ¤
>
> I think the larger problem is one of delegation. Authenticating locally (on your web server)
> shouldn't pose a delegation issue as long as sufficient permissions are enabled on the workgroup PC
> (as you have demonstrated).
>
> However, a user authenticating from a browser on another machine, using Integrated Windows security,
> will not be able to have his credentials delegated through IIS. NTLM handles the authentication
> under this configuration and IIS never receives encrypted credentials. Implementing Kerberos allows
> delegation to occur under this scenario but I don't know whether it's possible with a machine that
> is not in the domain. There are some workarounds, when using Integrated Windows security, that you
> may find suitable in the below article. It's a good read if you need to understand how this stuff
> works.
>
> Basic authentication would be another alternative since impersonation and delegation of clear text
> credentials is allowed.
>
> ASP.NET Delegation
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconaspnetdelegation.asp
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)
>
- Previous message: Nikolai Evseev: "Re: Can't determine if a file exists"
- In reply to: Paul Clement: "Re: Can't determine if a file exists"
- Next in thread: Paul Clement: "Re: Can't determine if a file exists"
- Reply: Paul Clement: "Re: Can't determine if a file exists"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
