ASP.Net Web Application Attempts to Use Impersonation and Delegation to Connect to a File Server

I am trying to use impersonation and delegation in an intranet ASP.Net web application to pass authenticated user credentials to a file server so that it can write the file to a directory.

The web server and the file server are two separate computers, but in the same domain, so delegation is required.

I have done the following:

  • Set <authentication mode="Windows"/> and <identity impersonate="true"/> in web.config in my web application.
  • Enabled constrained delegation from the web server to the HOST and CIFS (Common Internet File System) services of the file server in Active Directory.
  • Only Windows Authentication is enabled on the website in IIS.

Apparently everything should work, but it does not. I get ACCESS DENIED when I try to create a folder on the file server from the web application.

All the web pages I read seem to indicate that my setup should work. What am I missing?

Notes:

  • My username is passed perfectly to the web server.
  • I am part of a group that has full rights to the folder in which I create the folder.
5 answers

Most likely you are running into the double-hop issue with Kerberos authentication. There are two options that I know of.

  • Register an SPN for your site.
  • Kerberos IIS NTLM.


KB, IIS6.



In ASP.NET you can connect to the share with explicit credentials through the WNetAddConnection2A API. (VB.NET)

API declarations:

Imports System.ComponentModel
Imports System.Runtime.InteropServices

' NETRESOURCE as expected by the ANSI WNetAddConnection2A entry point.
<StructLayout(LayoutKind.Sequential)> Private Structure NETRESOURCE
    Public dwScope As Integer
    Public dwType As Integer
    Public dwDisplayType As Integer
    Public dwUsage As Integer
    <MarshalAs(UnmanagedType.LPStr)> Public lpLocalName As String
    <MarshalAs(UnmanagedType.LPStr)> Public lpRemoteName As String
    <MarshalAs(UnmanagedType.LPStr)> Public lpComment As String
    <MarshalAs(UnmanagedType.LPStr)> Public lpProvider As String
End Structure

Private Const RESOURCETYPE_DISK As Integer = 1
Private Const NO_ERROR As Integer = 0

' Passing the structure ByRef hands mpr.dll the LPNETRESOURCE pointer it expects.
<DllImport("mpr.dll")> _
Private Shared Function WNetAddConnection2A( _
    ByRef lpNetResource As NETRESOURCE, _
    <MarshalAs(UnmanagedType.LPStr)> ByVal lpPassword As String, _
    <MarshalAs(UnmanagedType.LPStr)> ByVal lpUserName As String, _
    ByVal dwFlags As Integer) As Integer
End Function

<DllImport("mpr.dll")> _
Private Shared Function WNetCancelConnection2A( _
    <MarshalAs(UnmanagedType.LPStr)> ByVal lpName As String, _
    ByVal dwFlags As Integer, ByVal fForce As Integer) As Integer
End Function

' Opens a UNC connection with explicit credentials (no drive letter), so the
' worker process's own identity is not what the file server sees.
Public Shared Sub WNetAddConnection2AEx(ByVal i_sPath As String, ByVal i_sPassword As String, ByVal i_sUserID As String)
    Dim nr As New NETRESOURCE
    nr.lpRemoteName = i_sPath
    nr.lpLocalName = Nothing   ' NULL: connect to the UNC path only, no device redirection
    nr.dwType = RESOURCETYPE_DISK
    nr.dwDisplayType = 0
    nr.dwScope = 0
    nr.dwUsage = 0
    nr.lpComment = Nothing
    nr.lpProvider = Nothing
    ' Returns NO_ERROR (0) on success, otherwise a Win32 error code such as
    ' 5 (ERROR_ACCESS_DENIED), 1326 (ERROR_LOGON_FAILURE) or 1219 (ERROR_SESSION_CREDENTIAL_CONFLICT).
    Dim iErr As Integer = WNetAddConnection2A(nr, i_sPassword, i_sUserID, 0)
    If iErr <> NO_ERROR Then Throw New Win32Exception(iErr, "Can not connect to share folder: " & i_sPath & " (error " & iErr & ")")
End Sub

WNetAddConnection2AEx("\\server\path", "password", "user_id")
Try
    ''...
    ''perform your file operation here
    ''...
Finally
    ' Always drop the connection; fForce <> 0 closes it even with open handles.
    WNetCancelConnection2A("\\server\path", 0, -1)
End Try

Windows authentication must be enabled for the site in IIS itself (in inetmgr), not only in the ASP.NET web.config.


Thank you! In my case an ASPX page had to write to a UNC path on Windows Server 2012, .NET Framework 4, in a Workgroup, and this is what worked.

What I did:

  • Created a user "FileShare".
  • Added "FileShare" to the "IIS_IUSRS" group on the IIS server.
  • Granted "FileShare" permissions on the shared folder.
  • Share path: \\MyDestServer\MySharedFolder
  • Web.config: <authentication mode="Windows" />
  • Web.config: <identity impersonate="true" userName="FileShare" password="password"/>

Test code on the page:

    try
    {
        // Verbatim string: a plain "\\MYDestServer\..." literal does not compile in C# (\M and \T are not escape sequences).
        string strFile = @"\\MYDestServer\MySharedFolder\Test.txt";
        if (!System.IO.File.Exists(strFile))
        {
            using (var stream = System.IO.File.CreateText(strFile))
            {
                stream.WriteLine("This file was created on: " + DateTime.Now.ToString());
            }
            litCreateFileTest.Text = "File Created<br/>" + strFile;
        }
        else
        {
            string strContent;
            using (var inStream = System.IO.File.OpenText(strFile))
            {
                strContent = inStream.ReadToEnd();
            }

            strContent += "modified on: " + DateTime.Now.ToString() + "\r\n";

            using (var outStream = System.IO.File.CreateText(strFile))
            {
                outStream.Write(strContent);
            }

            litCreateFileTest.Text = "File Updated<br/>" + strFile;
        }
    }
    catch (Exception ex)
    {
        // This runs under the impersonated "FileShare" account; an UnauthorizedAccessException
        // here means the share or NTFS ACL rejected that account.
        litCreateFileTest.Text = "Error: " + ex.Message;
    }
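The web.config in this answer stores the "FileShare" password in cleartext in the application directory, where it ends up in backups and source control. ASP.NET protected configuration can encrypt that section in place, and the web application keeps reading it unchanged. The following PowerShell is an added example, not part of the answer; it assumes 64-bit .NET Framework 4.x on the IIS server and an application at virtual path /MyApp under the site "Default Web Site".

```powershell
# Added example, not from the original answer.  Assumed: .NET Framework 4.x,
# 64-bit IIS, application at virtual path /MyApp under "Default Web Site".
Import-Module WebAdministration

$regiis  = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$site    = 'Default Web Site'
$appPath = '/MyApp'

# Encrypt <system.web><identity> in place.  DataProtectionConfigurationProvider
# uses DPAPI with the machine key: the encrypted web.config decrypts only on this
# server (and any local account on it can decrypt, so this protects the file at
# rest and in copies, not against code already running on the box).  For a web
# farm use RsaProtectedConfigurationProvider and export the key container instead.
& $regiis -pe 'system.web/identity' -site $site -app $appPath -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Check: the section should now read <identity configProtectionProvider="..."><EncryptedData>
# and no password= attribute should remain anywhere in the file.
$physical  = Get-WebFilePath -PSPath ("IIS:\Sites\$site" + $appPath.Replace('/', '\'))
$webConfig = Join-Path $physical 'web.config'
if (Select-String -Path $webConfig -Pattern 'password=' -Quiet) {
    Write-Warning "$webConfig still contains a password= attribute"
} else {
    Write-Host "identity section in $webConfig is encrypted"
}

# To change the credentials later: decrypt, edit, re-encrypt.
# & $regiis -pd 'system.web/identity' -site $site -app $appPath
```

The impersonation settings keep working because ASP.NET decrypts protected sections transparently at load time; only tools and people reading the file on disk see ciphertext.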

We moved on to Active Directory users and groups.

  • From a web server, right-click and select Properties.
  • On the Delegation tab, we have enabled delegation for any protocol.

It didn't work right away, but we think that was it.

I will check with further testing when we move the application to our stage environment.

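The SPN registration that the first answer recommends, and a constrained, Kerberos-only alternative to the broad delegation that the last answer turned on, as one added PowerShell example (not code from any of the answers). It assumes a web server WEB01 and a file server FS01 in the domain corp.example, and an IIS application pool running as the domain account CORP\svc_webapp; with the built-in pool identities (ApplicationPoolIdentity, NetworkService) the SPN and delegation settings belong on the web server's computer account (WEB01$, via Set-ADComputer) instead, which is what the question configured. Steps 1 to 4 run from a host with the ActiveDirectory RSAT module; step 5 runs on the web server with the WebAdministration module.

```powershell
# Added example, not from the original answers.  Assumed names: web server WEB01,
# file server FS01, domain corp.example, app-pool identity CORP\svc_webapp.
Import-Module ActiveDirectory

$domain      = 'corp.example'
$webHost     = 'web01'
$fileHost    = 'fs01'
$appPoolAcct = 'svc_webapp'    # domain user the IIS application pool runs as

# 1. HTTP SPNs on the account that actually runs the pool.  Users must browse to
#    one of these names: a host name with no SPN makes the browser fall back to
#    NTLM, and NTLM credentials cannot be delegated to the file server.
setspn -S "HTTP/$webHost" $appPoolAcct
setspn -S "HTTP/$webHost.$domain" $appPoolAcct

# 2. Constrained, Kerberos-only delegation: svc_webapp may present the caller's
#    identity only to the CIFS (SMB) and HOST services on the file server.
$targets = @(
    "cifs/$fileHost", "cifs/$fileHost.$domain",
    "host/$fileHost", "host/$fileHost.$domain"
)
Set-ADUser -Identity $appPoolAcct -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
# Make sure the broad flags are off: TrustedForDelegation is unconstrained
# delegation ("any service"); TrustedToAuthForDelegation is protocol transition
# ("any authentication protocol"), which lets the account obtain tickets for
# users who never authenticated with Kerberos at all.
Set-ADAccountControl -Identity $appPoolAcct -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 3. Show the result for the service account.
function Get-DelegationReport([string]$Identity) {
    $a = Get-ADUser -Identity $Identity -Properties servicePrincipalName, `
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account             = $a.SamAccountName
        SPNs                = $a.servicePrincipalName -join ', '
        AllowedToDelegateTo = $a.'msDS-AllowedToDelegateTo' -join ', '
        Unconstrained       = [bool]$a.TrustedForDelegation
        ProtocolTransition  = [bool]$a.TrustedToAuthForDelegation
    }
}
Get-DelegationReport $appPoolAcct | Format-List

# 4. Every account in the domain trusted for delegation to any service
#    (userAccountControl bit 0x80000, TRUSTED_FOR_DELEGATION).  Domain
#    controllers are expected in this list; member servers such as WEB01 are not.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties sAMAccountName |
    Select-Object sAMAccountName, ObjectClass

# 5. On the web server: with kernel-mode authentication (the IIS default) the
#    Kerberos ticket is decrypted with the machine account's key unless IIS is
#    told to use the pool's own credentials, which it must be when the HTTP SPN
#    sits on svc_webapp rather than on WEB01$.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials' -Value $true
```

With constrained delegation a compromised web server can only impersonate its callers to FS01's SMB and HOST services; with the "any service" setting, every user who authenticates to the site leaves a forwardable TGT on the web server that is good for any service in the forest, so that setting is worth replacing even after it makes the access-denied error go away. When the error persists, check the authentication type the site actually negotiated (NTLM instead of Kerberos means no SPN matched the URL host name) before touching the delegation settings again.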

Source: https://habr.com/ru/post/1546884/

