Create a folder on NTFS server using C# web api - c#

I am implementing an application that will create a folder on the NTFS File Server.
For that, I have set up a distributed environment. That is, I have a machine on which I have hosted my C# Web API, and I have an NTFS file server on which I have to create folders.
I want my API to create a folder on the NTFS machine. How can I do that?
Do I need to share the NTFS drive/folder to create a subfolder? If so, with whom do I need to share the NTFS folder (either the server user or IIS_IUSRS)?
Is there any other way to create a folder without sharing a drive/folder on the NTFS folder?

When I have done this in the past I have done it through a temporary impersonation. For example...
    using (Impersonator impersonate = new Impersonator(@"UserName", "Password", "Domain"))
    {
        // Create directory or copy files across the network
    }
I believe I lifted my impersonator code from A small C# Class for impersonating a User
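Added example, not part of the original answer and not the Impersonator class it refers to: one way to do the same temporary impersonation with LogonUser and WindowsIdentity.RunImpersonated (.NET Framework 4.6 or later). The class name, the share path in the comment and the single-segment folder name check are assumptions made for this illustration; the caller is expected to load the credentials from protected configuration rather than hard-code them.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Hypothetical helper class, written for this example.
public static class ShareFolderCreator
{
    // Logon type 9 keeps the local identity and applies the supplied credentials
    // only to outbound network connections; it requires provider 3 (WINNT50).
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // shareRoot is a UNC path such as \\fileserver\projects (constructed sample value).
    public static string CreateFolder(string shareRoot, string folderName,
        string user, string domain, string password)
    {
        // Accept one path segment only, so a request cannot leave shareRoot.
        if (string.IsNullOrWhiteSpace(folderName)
            || folderName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || folderName == "." || folderName == "..")
            throw new ArgumentException("Invalid folder name.", nameof(folderName));

        string target = Path.Combine(shareRoot, folderName);

        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            // Impersonation covers only this delegate; the thread reverts afterwards.
            WindowsIdentity.RunImpersonated(token, () => { Directory.CreateDirectory(target); });
        }
        return target;
    }
}
```

The account passed in needs only write permission on the parent folder of the share, on both the share and the NTFS ACL.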

Case 1:
If the web server and file server are in the same domain, you can consider using a domain user: create a shared folder on the NTFS server and grant the domain user full access to it (depending on your requirements).
On the web server, set the domain user as the identity/credential that runs the web application pool, so you can easily use the IIS management tool to update it if the password gets changed. For authentication, you can use whatever you want based on requirements, but remember that when you call the code to create folders on the NTFS server, you need to use the app pool user. (For example, if you turn on impersonation of a different user in authentication, then in your code you need to impersonate the pool user.)
Case 2:
The web server and file server are not in the same domain. I usually set up an FTP server on the file server to allow specific users to access it (creating folders, uploading files, ...). Otherwise you may need your IT administrator to make the file server domain trust the web server domain; then you can do the same thing as in case 1.
About the impersonation code, it could be something like:
    // get the identity of an appPool
    using (System.Security.Principal.WindowsIdentity wid = System.Security.Principal.WindowsIdentity.GetCurrent())
    {
        using (System.Security.Principal.WindowsImpersonationContext ImpersonationCtx = wid.Impersonate())
        {
            // creating folders, uploading files to UNC path...
            ImpersonationCtx.Undo();
        }
    }
If your case is one of these, I hope it helps.

Related

Access to a shared folder using NTLM authentication

I have a C# MVC web application that uses NTLM authentication (Windows authentication), and I want to access a shared folder (accessible from the web server).
The shared folder contains a list of subdirectories; each directory represents a user's personal directory. Using Windows Explorer on the web server, each user is able to access only their personal folder.
Currently, when I try to access this shared folder using the application, I get an access denied error (as the IIS process doesn't have permission to access these folders). I want to know how the user can access their personal folder via the application.
Is there a way to get the user login and password from the NTLM connection, or a way to access this shared folder via the user's NTLM token?
I don't have the user login/password.
You can change the thread identity https://msdn.microsoft.com/en-us/library/w070t6ka(v=vs.110).aspx
or use P/Invoke WNetAddConnection2 https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413(v=vs.85).aspx
You can enable ASP.NET user impersonation - https://msdn.microsoft.com/en-us/library/aa292118(v=vs.71).aspx
However, do note that you need to make sure that you only use impersonation when accessing the user's resources - for example, if you simply impersonate the whole request, you may no longer have access to shared data or a database.

Access file from another server using asp.net page

In my ASP.NET application I have to show some images. These images are actually saved on some other server. In my database I have the file path. I need to access the files on the remote server from my application. How can I do that? I am using the following code:
    imgFiles = Directory.GetFiles(strFullPath,
                                  strPkStock + "_*",
                                  SearchOption.TopDirectoryOnly);
But this throws an error saying "Access to the path denied"
You have to have file system access on the other server to do this, and I am sure you will not have it.
The shortest way to get it done is to publish the images folder from the other server and use the URL of the images to access it rather than the file system path. This way, your ASP.NET application will be able to easily access these images. In fact, it will be the client browser which directly accesses these images from the other server; you will just change the src of the images.
Murtuza Kabul's suggestion to access files over HTTP/HTTPS is probably the easiest approach. You may use HTTPS with client certificates to prevent other users/machines from reading files from the same HTTPS server.
If you want to access files directly on the other server's shared folder, you need to make sure that the code that accesses the files runs under an account that has at least read permissions for that shared folder.
Note that in the default configuration (where code runs under either a special anonymous account or the calling user's credentials), the account that code runs under will not have permissions on other servers (anonymous because it is a local account, user's due to restrictions on delegation, also called "NTLM one hop hell").
Your easiest bet is to run app pools under some account that has permissions on the other server and de-impersonate the current user to the process account. You can also explicitly impersonate some account to access remote files.

Access denied at webservice

I have a WinForms application, and it connects to a web service.
The web service has a method which creates a folder:
    Directory.CreateDirectory(path);
The web service is on the company server, and this folder must be created on another disc in our company.
When I invoke this method, I get the exception "Access denied to path..."
When the web service was running on my computer everything was OK.
I have full access to this network disc.
But how do I set full access for my company server?
When I check this method:
    [WebMethod]
    public string GetNameOfUser()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
I get <string>NT AUTHORITY\NETWORK SERVICE</string>
The rest of the web methods, without directory instructions, work properly.
Edited Structure
Computer A is in the domain, and the WinForms application runs there.
Server A: the web service runs there.
Network disc: there are folders with important files for the WinForms application.
Yes, we have a domain. Computer A has access to the network disc.
As I understand, your application tries to create a folder which resides on a different server than the web application.
Your web application is running under a local account NT AUTHORITY\NETWORK SERVICE. In order to access a network share you need it to be running under an account available on both machines, for example a domain account.
If both the web server and the server with the network share are on a domain, you can:
Create a domain account
Grant the account write access to the parent folder where you want to create new folders
Make the Application Pool on your web server run under the domain account
This should let your web application create folders on the other server.
When you were running your web app on your own machine, it worked under your own account, therefore it could create directories.
On the server the app runs under an account with very low rights.
If you want to create those new directories below a specific fixed directory, you can allow that server account to modify that particular directory.

Accessing a remote file with a SharePoint Web Part

I recently built a program that parses a remote file from \\some_server\c$\directory\file.xls and it works fine on my local machine as just a normal aspx page.
Then I put the program into web part form on my VM SharePoint server and I get this error: Access to the path '\\some_server\c$\directory\file.xls' is denied.
The file is shared to Domain\Authenticated Users so I am not sure why it would be denied? Is it possible my SharePoint is trying to call it with a local or network service account? How can I get it to read? Thank you.
Salamander is right, SharePoint doesn't run with trust to do this.
Changing the trust level for SharePoint in its web.config from WSS_Medium to Full is the quick solution, but there are security implications.
Just a quick note, you could be running into the classic NTLM Double-Hop issue. You can authenticate to the front end, but because the front end does not have your password, it cannot then authenticate to a resource on another server.
Running with elevated privileges, and setting permissions based on the Application Pool identity, could be one way of moving you forward.
I think you will need RunWithElevatedPrivileges, which will make SharePoint use the application pool account. Also keep in mind you will have to make sure that application pool account has access to that network share. Avoid using full trust.
Can you explain further what exactly setting the trust level does for you?
I would think that if your app pool identity is a domain account you can use SPSecurity.RunWithElevatedPrivileges to use the app pool credentials to access the file. Or, use impersonate to explicitly pass another account's credentials.
SharePoint usually runs in a separate application pool. Please check the identity of this application pool.
I think to be able to access network path, your code has to run in FULL TRUST, which I don't think SharePoint does.
Why not store the file in SharePoint so you have better access to it? Put it in a hidden library and access it using SPSecurity.RunWithElevatedPrivileges.
There are caveats to RWEP. Any reference to SPSite and SPWeb obtained from the SPContext (i.e. SPContext.Current.Site) will still run under the privileges of the logged-on user. You must explicitly create a reference inside the RWEP delegate.
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        using (SPSite site = new SPSite(SPContext.Current.Site.Url))
        {
            using (SPWeb web = site.OpenWeb())
            {
                //... Do something with SPWeb
            }
        }
    });
If you need to access the file from outside SharePoint to update it with existing processes, you can use the file share path, which is available for all SPDocumentLibrary instances, by going to Actions --> Open with Windows Explorer to obtain the network path.

Access files from network share in c# web app

I have a web application that needs to read (and possibly write) files from a network share. I was wondering what the best way to do this would be?
I can't give the network service or aspnet accounts access to the network share. I could possibly use impersonation.
The network share and the web application are both hosted on the same domain and I can create a new user on the domain specifically for this purpose however I'm not quite sure how to join the dots between creating the filestream and specifying the credentials to use in the web application.
Unfortunately the drive isn't mapped as a network drive on the machine, it's only available to me as a network share so unfortunately I can't make a transparent call.
There is one problem I can think of with impersonation... I can only impersonate one user per application domain I think but I'm happy to be corrected. I may need to write this file to several different shares which means I may have to impersonate several users.
I like the idea of creating a token... if I can do that I'll be able to ask the use up front for their credentials and then dynamically apply the security and give them meaningful error messages if access is denied... I'm off to play but I'll be back with an update.
Given everyone already has domain accounts, try IIS integrated authentication. You will get an ugly logon box off network but your creds should pass down to the file share.
@lomaxx
Are you saying that only you have perms to the share, or that you manually mapped it to a drive letter? If the latter, you can use UNC \\host\share the same way you would use c:\shared_folder.
Random
Would it be a burden to mirror the share to a local folder on the host? I hear ROBOCOPY is pretty handy.
Another Idea. Run IIS on your target share you can read via http and if you need to write investigate webdav.
I've had no problems connecting to network shares transparently as if they were local drives. The only issue you may have is what you mentioned: having the aspnet account gain access to the share. Impersonation is probably the best way to do this.
You should be able to use any filestream objects to access the network share as long as it has a drive letter on the server machine.
Impersonation worked well for me in this scenario. We had a wizard that uploaded a zip file through the website, but we load balanced the site. Therefore we needed to set up a way to save the file on all the machines.
There are many different ways to do it. We decided to make all requests run under the user we set up, and just added the web.config entry and set up the security permissions on the folders for the user. This kb article explains the setup very well.
You do have some options, and one of those is impersonation as you mentioned. However, another one I like to use and have used in the past is a trusted service call. Let's assume for a moment that it's always much safer to limit access through IIS to ensure there are as few holes as possible. With that let's go down this road.
Build a WCF service that has a couple of entry points and the interface might look like this.
    public interface IDocumentService
    {
        // Interface members are implicitly public; explicit modifiers do not compile before C# 8.
        string BuildTrustedRelationship(string privateKey);
        byte[] ReadFile(string token, string fileName);
        void WriteFile(string token, string fileName, byte[] file);
    }
Now, you can host this service via a Windows service very easily and so now all you need to do is on Application_start build the relationship with the service to get your token and you're off to the races. The other nice thing here is that this service is internal, trusted, and I've even hosted it on the file server before and so it's much easier to grant permissions to this operation.
If you can create a new AD user, I think the simplest solution is to have the Application Pool run under that AD account's authority, which would mean your application is now running as the AD user. You would need to add the AD user to the IIS Worker Process Group on the machine running your application. Then as long as your AD user has write permissions on the network share, you should be able to use the UNC path in your file operations.
