I have a network shared folder and I want to access that folder from my ASP.NET MVC application.
It works fine locally, but when I deploy it on the server it fails.
The folder is user and password protected.
The question is how to configure the application to pass the authentication.
Assuming you mean the folder is not local to the web server, I believe you need to set up delegation as described here: How to configure an ASP.NET application for a delegation scenario.
Related
I am implementing an application that will create a folder on the NTFS File Server.
For that, I have set up a distributed environment. Meaning, I have a machine on which I have hosted my C# Web API and I have an NTFS file server on which I have to create folders.
I want my API to create a folder on the NTFS machine. How can I do that?
Do I need to share the NTFS drive/folder to create a subfolder? If so, then with whom do I need to share the NTFS folder (either the server user or IIS_USRS)?
Is there any other way to create a folder without sharing a drive/folder on the NTFS server?
When I have done this in the past I have done it through a temporary impersonation. For example...
using (Impersonator impersonate = new Impersonator(@"UserName", "Password", "Domain"))
{
    // Create directory or copy files across the network
}
I believe I lifted my impersonator code from A small C# Class for impersonating a User
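Temporary impersonation with explicit credentials, written against the Win32 LogonUser API and WindowsIdentity.RunImpersonated (.NET Framework 4.6 or later). This is an added example, not the answer's code or the class it links to; the environment variable names and the UNC path are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ShareAccess
{
    // Logon type 9 (NEW_CREDENTIALS) keeps the local identity and uses the
    // supplied account only for outbound network connections such as SMB.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3; // required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs 'work' under the given account and always reverts afterwards.
    // With NEW_CREDENTIALS a wrong password surfaces at the first share access.
    public static void RunAs(string user, string domain, string password, Action work)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
            WindowsIdentity.RunImpersonated(token, work);
    }

    static void Main()
    {
        // Assumed variable names; the values come from the environment or a
        // protected configuration store, never from source code.
        string user = Environment.GetEnvironmentVariable("SHARE_USER");
        string domain = Environment.GetEnvironmentVariable("SHARE_DOMAIN");
        string password = Environment.GetEnvironmentVariable("SHARE_PASSWORD");

        // Placeholder UNC path.
        RunAs(user, domain, password,
              () => Directory.CreateDirectory(@"\\fileserver\share\reports\2024"));
    }
}
```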
Case 1:
If the web server and file server are in the same domain, you can consider using a domain user: create a shared folder on the NTFS server and grant the domain user full access to it (depending on your requirements).
On the web server, set the domain user as the identity/credential that runs the web application pool, so you can easily use the IIS management tool to update it if the password gets changed. For the authentication, you can use whatever you want based on requirements, but remember that when you call the code to create folders on the NTFS server, you need to use the app pool user. (For example, if you turn on impersonation of a different user in authentication, then in your code you need to do impersonation using the pool user.)
Case 2:
The web server and file server are not in the same domain. I usually set up an FTP server on the file server to allow specific users to access it (creating folders and uploading files...). Otherwise you may need your IT administrator to make the file server domain trust the web server domain; then you can do the same thing as in case 1.
About impersonation code, it could be something like:
// get the identity of an appPool
using (System.Security.Principal.WindowsIdentity wid = System.Security.Principal.WindowsIdentity.GetCurrent())
{
    using (System.Security.Principal.WindowsImpersonationContext ImpersonationCtx = wid.Impersonate())
    {
        // creating folders, uploading files to UNC path...
        ImpersonationCtx.Undo();
    }
}
If your case is one of these, hope it helps.
I have a C# MVC web application that uses NTLM authentication (Windows authentication), and I want to access a shared folder (accessible from the web server).
The shared folder contains a list of subdirectories; each directory represents a user's personal directory. Using Windows Explorer on the web server, each user is only able to access their personal folder.
Actually, when I want to access this shared folder using the application, I get access denied (as the IIS process doesn't have permission to access these folders). And I want to know how the user can access their personal folder via the application.
Is there a way to get the user login and password from the NTLM connection, or a way to access this shared folder via the user's NTLM token?
I don't have the user login/password.
You can change the thread identity https://msdn.microsoft.com/en-us/library/w070t6ka(v=vs.110).aspx
or use P/Invoke WNetAddConnection2 https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413(v=vs.85).aspx
You can enable ASP.NET user impersonation - https://msdn.microsoft.com/en-us/library/aa292118(v=vs.71).aspx
However, do note that you need to make sure that you only use impersonation when accessing the user's resources - for example, if you simply impersonate the whole request, you may no longer have access to shared data or a database.
I am using C# and ASP.NET to develop the application and host it with a hosting service provider.
I need to authenticate users from Active Directory in a different location.
Say, for example, my application is hosted on Asphost.com and the URL of the app is test.abc.co.in. This subdomain is for the Test client.
So how do I use the Test client's Active Directory users from my app?
Please suggest.
If I understand it correctly, this is not a C# or Asp.net problem, but a networking issue.
The Active directory is within the client's internal network and protected by firewalls that are not reachable from the location where you deploy the application.
I have an asp.net website that is hosted in IIS 7.5
The website has to use windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.
The data that the website is required to use is stored in another server. The AD group has Full control on the folder in which the data is stored.
I am using Classic mode because Integrated breaks it.
What should be the website authentication and APP Pool settings?
Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass the credentials on the connection string or try to impersonate the users (EDIT: Should note that this applies to resources which use windows integrated security). Also no need to try to give the users direct access to the datastore or other resources, just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.
Here is the checklist I send to our server group whenever I ask them to set up a new site for me: (note this is based on Win Serv2003 and IIS 6, things may be different in the newer versions.)
Set up a separate App Pool for the application
Configure the App pool to run as the service account
Add the service account to the IIS_WPG group on the server
Make sure the IIS_WPG group has Read, Read & Execute, and List Folder Contents permissions for the website directory and Read and List Folder Contents to the C:\Windows\Temp folder (or equivalent).
Grant User Rights “Adjust Memory Quotas for a Process”, “Replace a Process Level Token”, and “Log On as Service” to the service account
Don't mix up IIS authorization and ASP.NET authorization:
IIS authorization
IP/DNS Address Restrictions
Web Permissions (Read, Write, Script Source Access...)
NTFS Permissions (non ASP.NET ISAPI extension only : .htm, .jpg...)
ASP.NET authorization
URL Authorization (<authorization> element)
File Authorization (ASP.NET ISAPI extension only : .aspx, .ascx...)
Principal Permissions (Demands)
.NET Roles
Restrict access to your web :
Uncheck anonymous access
Configure NTFS rights
Give access to your data folder, few solutions :
Use a service account for your application pool, allow it on your folder and manage access control in your application
Use default IIS 7 ASP.NET account, and impersonate the user locally in your code when accessing your data folder
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
// Insert your code that runs under the security context of the authenticating user here.
impersonationContext.Undo();
Activate impersonation globally (<identity impersonate="true"/>); don't like this one
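The locally scoped option from this answer, which is also what the earlier advice to impersonate only while touching the user's resources amounts to, written out as an MVC action. This is an added example, not code from either answer; the controller name and the `\\fileserver\home` layout are assumptions. When the share is on a different machine than the web server, the impersonated identity reaches it only if delegation is set up as described in the first answer on this page.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

public class FilesController : Controller
{
    // Placeholder UNC root; each user has a sub-folder named after the account.
    private const string ShareRoot = @"\\fileserver\home";

    [Authorize]
    public ActionResult Index()
    {
        // With Windows authentication the request identity is a WindowsIdentity.
        var caller = User.Identity as WindowsIdentity;
        if (caller == null)
            return new HttpStatusCodeResult(401);

        // "DOMAIN\alice" -> "alice"; the folder name comes from the
        // authenticated identity, not from request input.
        string account = caller.Name.Split('\\').Last();
        string home = Path.Combine(ShareRoot, account);

        string[] files;
        try
        {
            // Impersonate only around the share access; Dispose() reverts to
            // the app pool identity even if the call throws.
            using (caller.Impersonate())
            {
                files = Directory.GetFiles(home)
                                 .Select(f => Path.GetFileName(f))
                                 .ToArray();
            }
        }
        catch (UnauthorizedAccessException)
        {
            return new HttpStatusCodeResult(403);
        }

        // Back under the app pool identity: database, logging and shared data
        // use the application's own account from here on.
        return Json(files, JsonRequestBehavior.AllowGet);
    }
}
```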
I have a WinForms app, and it connects with a web service.
The web service has a method which creates a folder
Directory.CreateDirectory(path);
The web service is on the company server, and this folder must be created on another disc in our company.
When I invoke this method, I get the exception "Access denied to path..."
When the web service was running on my computer everything was OK.
I have full access to this network disc.
But how do I set full access for my company server?
When I check this method:
[WebMethod]
public string GetNameOfUser()
{
return WindowsIdentity.GetCurrent().Name;
}
I get <string>NT AUTHORITY\NETWORK SERVICE</string>
The rest of the web methods, without directory instructions, work properly.
Edited Structure
Computer A is in the domain and runs the WinForms app
Server A: runs the web service
Network disc: holds the folders with important files for the WinForms application
Yes, we have a domain. Computer A has access to the network disc.
As I understand, your application tries to create a folder which resides on a different server than the web application.
Your web application is running under a local account NT AUTHORITY\NETWORK SERVICE. In order to access a network share you need it to be running under an account available on both machines, for example a domain account.
If both the web server and the server with the network share are on a domain, you can:
Create a domain account
Grant the account write access to the parent folder where you want to create new folders
Make the Application Pool on your web server run under the domain account
This should let your web application create folders on the other server.
When you were running your web app on your own machine, it worked under your own account, therefore it could create directories.
On the server the app runs under an account with very low rights.
If you want to create those new directories below a specific fixed directory, you can allow that server account to modify that particular directory.
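Creating folders only below one fixed directory, as suggested above, also needs a check in the application so that the account's write access cannot be steered outside that directory by the folder name it is given. This is an added example, not code from any answer; the class name and the `\\fileserver\share\projects` root are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;

public static class ShareFolders
{
    // Placeholder: the one directory the app pool account may modify.
    private const string Root = @"\\fileserver\share\projects";

    // Creates Root\<name> and returns its full path. Rejects any name that
    // would resolve to Root itself or to a location outside it.
    public static string CreateUnderRoot(string name)
    {
        if (string.IsNullOrWhiteSpace(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Not a plain folder name.", nameof(name));

        string root = Path.GetFullPath(Root).TrimEnd('\\') + "\\";
        string target = Path.GetFullPath(Path.Combine(root, name));

        // GetFullPath collapses "." and ".." segments; compare after that.
        if (!target.StartsWith(root, StringComparison.OrdinalIgnoreCase) ||
            target.Length == root.Length)
            throw new ArgumentException("Path escapes the share root.", nameof(name));

        try
        {
            Directory.CreateDirectory(target);
            return target;
        }
        catch (UnauthorizedAccessException ex)
        {
            // Name the account that was refused, the same check the question
            // performed with GetNameOfUser().
            throw new UnauthorizedAccessException(
                "Create failed for '" + target + "' as " +
                WindowsIdentity.GetCurrent().Name, ex);
        }
    }
}
```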