Access to a shared folder using NTLM authentication - c#

I have a C# MVC web application that uses NTLM authentication (Windows authentication), and I want to access a shared folder (accessible from the web server).
The shared folder contains a list of subdirectories; each directory represents a user's personal directory. Using Windows Explorer on the web server, each user is only able to access their own personal folder.
Actually, when I want to access this shared folder using the application, I get an access denied error (as the IIS process doesn't have permission to access these folders). I want to know how the user can access their personal folder via the application.
Is there a way to get the user's login and password from the NTLM connection, or a way to access this shared folder via the user's NTLM token?
I don't have the user login/password.

You can change the thread identity https://msdn.microsoft.com/en-us/library/w070t6ka(v=vs.110).aspx
or use P/Invoke WNetAddConnection2 https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413(v=vs.85).aspx

You can enable ASP.NET user impersonation - https://msdn.microsoft.com/en-us/library/aa292118(v=vs.71).aspx
However, do note that you need to make sure that you only use impersonation when accessing the user's resources - for example, if you simply impersonate the whole request, you may no longer have access to shared data or a database.
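The advice above, impersonating only around the access to the user's own resources, can look like this on .NET Framework. This is an added example, not code from the original answers; `UserShareAccess`, `ListAsUser` and `folderIsRemote` are hypothetical names, and it assumes the site uses Integrated Windows authentication only.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class UserShareAccess
{
    // Hypothetical helper: lists the caller's personal folder while
    // impersonating the caller, and only for the duration of that one call.
    // In an MVC controller, pass User.Identity as requestIdentity.
    public static string[] ListAsUser(IIdentity requestIdentity,
                                      string userFolder,
                                      bool folderIsRemote)
    {
        var user = requestIdentity as WindowsIdentity;
        if (user == null || !user.IsAuthenticated || user.IsAnonymous)
            throw new UnauthorizedAccessException(
                "Windows authentication is required.");

        // A token obtained through NTLM can be impersonated on the web server
        // itself but cannot be forwarded to a second machine. Reaching a share
        // on another server as the user needs a delegation-level token
        // (Kerberos delegation). Assumption: Integrated Windows authentication.
        if (folderIsRemote &&
            user.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new InvalidOperationException(
                "Token level is " + user.ImpersonationLevel +
                "; it cannot be used against a remote share.");
        }

        // Dispose() reverts the thread to its previous identity even if the
        // directory call throws, so database and shared-data access elsewhere
        // in the request keeps running as the application pool account.
        using (user.Impersonate())
        {
            return Directory.GetFileSystemEntries(userFolder);
        }
    }
}
```

Failing early on the token level gives a clear configuration error instead of an `UnauthorizedAccessException` from the file server that looks like a permissions problem.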

Related

Create a folder on NTFS server using C# web api

I am implementing an application that will create a folder on the NTFS File Server.
For that, I have set up a distributed environment. Meaning, I have a machine on which I have hosted my C# Web API and I have an NTFS file server on which I have to create folders.
I want my API to create a folder on the NTFS machine. How can I do that?
Do I need to share the NTFS drive/folder to create a subfolder? If so, then with whom do I need to share the NTFS folder (either a server user or IIS_USRS)?
Is there any other way to create a folder without sharing a drive/folder on the NTFS server?
When I have done this in the past I have done it through a temporary impersonation. For example...
    using (Impersonator impersonate = new Impersonator(@"UserName", "Password", "Domain"))
    {
        // Create directory or copy files across the network
    }
I believe I lifted my impersonator code from A small C# Class for impersonating a User
Case 1:
If the web server and file server are in the same domain, you can consider using a domain user: create a shared folder on the NTFS server and grant the domain user full access to it (depending on your requirements).
On the web server, for the web application pool, set the domain user as the identity/credential to run the pool, so you can easily use the IIS management tool to update it if the password gets changed. For the authentication, you can use whatever you want based on requirements, but remember that when you call the code to create folders on the NTFS server, you need to use the app pool user. (For example, if you turn on impersonation of a different user in authentication, in your code you need to do impersonation using the pool user.)
Case 2:
The web server and file server are not in the same domain. I usually set up an FTP server on the file server to allow specific users to access it (creating folders and uploading files...). Otherwise, you may need your IT administrator to make the file server domain trust the web server domain; then you can do the same thing as in case 1.
About the impersonation code, it could be something like:
    // Get the identity of the app pool
    using (System.Security.Principal.WindowsIdentity wid = System.Security.Principal.WindowsIdentity.GetCurrent())
    {
        using (System.Security.Principal.WindowsImpersonationContext ImpersonationCtx = wid.Impersonate())
        {
            // Creating folders, uploading files to UNC path...
            ImpersonationCtx.Undo();
        }
    }
If your case is one of these, hope it helps.

Access to the path '\\otherserver\inputs_for_import_only\AllOutputs\abcd.pdf' is denied

I am getting an access denied exception while trying to get a file from another system using my ASP.NET web application.
The two systems are in different domains. I am able to access the file from Explorer. However, I am not able to access it through the ASP.NET web application (IIS).
Could you please help me out with this?
Exception Details: System.UnauthorizedAccessException: Access to the path '\\otherserver\inputs_for_import_only\AllOutputs\abcd.pdf' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Your web application runs under a different user account. Check the identity under which your application is running and then provide access to that user account.

How do I access a shared network folder which requires authentication?

I have a network shared folder and I want to access that folder from my ASP.NET MVC application.
It works fine locally, but when I deploy it on the server it fails.
The folder is user and password protected.
The question is how to configure the application to pass the authentication.
Assuming you mean the folder is not local to the web server, I believe you need to set up delegation as described here: How to configure an ASP.NET application for a delegation scenario.

Access to the path is denied

I am currently creating a folder and writing a file to the folder, which needs to be created on a file server that we have. When I do a localhost test, it works perfectly, but when I access the website from outside the localhost, from another PC, it says:
System.UnauthorizedAccessException: Access to the path 'My File Server
URL' is denied
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
the application is not impersonating. If the application is
impersonating via <identity impersonate="true"/>, the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
But the thing is that I have already set the identity impersonate="true" in the web.config and it still didn't work. My web server is running on Windows Server 2003 and IIS 6.
Any advice and help will be deeply appreciated
Thanks
Brandon
You need to grant write, modify permission to the Users group for that file/folder.
Check your IIS Authentication setting and make sure that Anonymous authentication is enabled.
Hi guys, I managed to find the solution to it.
If you are creating a folder, use this code before file or folder creation:
    WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
    // Insert the create code here
    ctx.Undo();
Well, I do not know if this is the best solution. If anyone knows the downside or implication of this code, please share and comment.
No harm knowing more.
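`WindowsIdentity.Impersonate(IntPtr.Zero)` is equivalent to the Win32 `RevertToSelf` call, so the code that follows it runs as the worker process identity and the file server checks that account's permissions, not the visitor's. The sketch below is an added example, not code from the thread; `ProcessIdentityWriter`, `CreateInUserFolder` and the one-folder-per-account layout are assumptions. It scopes the revert with `using` and makes the application do the per-user check that NTFS no longer does.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class ProcessIdentityWriter
{
    // Hypothetical helper: creates relativePath under shareRoot\<account>
    // while running as the process (app pool) identity.
    public static string CreateInUserFolder(string shareRoot,
                                            IIdentity caller,
                                            string relativePath)
    {
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Authentication required.");

        // "DOMAIN\alice" -> "alice" (assumed layout: one folder per account)
        string account =
            caller.Name.Substring(caller.Name.LastIndexOf('\\') + 1);

        string userRoot =
            Path.GetFullPath(Path.Combine(shareRoot, account)) +
            Path.DirectorySeparatorChar;
        string target =
            Path.GetFullPath(Path.Combine(userRoot, relativePath));

        // After the revert, ACLs are evaluated against the process account,
        // so the application has to confine the caller to their own folder.
        // GetFullPath collapses "..\" segments and rooted paths before the check.
        if (!target.StartsWith(userRoot, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException(
                "Path is outside the caller's folder.");

        // Dispose() calls Undo(), so the request's impersonation is restored
        // even if CreateDirectory throws.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            Directory.CreateDirectory(target);
        }
        return target;
    }
}
```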

Facing problem with ASP.NET hosted in IIS and Windows Authentication

I have an asp.net website that is hosted in IIS 7.5
The website has to use windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.
The data that the website is required to use is stored in another server. The AD group has Full control on the folder in which the data is stored.
I am using Classic mode because Integrated breaks it.
What should be the website authentication and APP Pool settings?
Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass the credentials on the connection string or try to impersonate the users (EDIT: Should note that this applies to resources which use windows integrated security). Also no need to try to give the users direct access to the datastore or other resources, just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.
Here is the checklist I send to our server group whenever I ask them to set up a new site for me: (note this is based on Win Serv2003 and IIS 6, things may be different in the newer versions.)
Set up a separate App Pool for the application
Configure the App pool to run as the service account
Add the service account to the IIS_WPG group on the server
Make sure the IIS_WPG group has Read, Read & Execute, and List Folder Contents permissions for the website directory and Read and List Folder Contents to the C:\Windows\Temp folder (or equivalent).
Grant User Rights “Adjust Memory Quotas for a Process”, “Replace a Process Level Token”, and “Log On as Service” to the service account
Don't mix up IIS authorization and ASP.NET authorization:
IIS authorization
  IP/DNS Address Restrictions
  Web Permissions (Read, Write, Script Source Access...)
  NTFS Permissions (non ASP.NET ISAPI extension only: .htm, .jpg...)
ASP.NET authorization
  URL Authorization (<authorization> element)
  File Authorization (ASP.NET ISAPI extension only: .aspx, .ascx...)
  Principal Permissions (Demands)
  .NET Roles
Restrict access to your web:
  Uncheck anonymous access
  Configure NTFS rights
Give access to your data folder, few solutions:
  Use a service account for your application pool, allow it on your folder and manage access control in your application
  Use default IIS 7 ASP.NET account, and impersonate the user locally in your code when accessing your data folder
      System.Security.Principal.WindowsImpersonationContext impersonationContext;
      impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
      // Insert your code that runs under the security context of the authenticating user here.
      impersonationContext.Undo();
  Activate impersonation globally (<identity impersonate="true"/>); don't like this one
