All geek questions in one place

Impersonation DOES NOT Work - Network

I created a virtual directory (IIS 7.0) that points to a network share. This virtual directory is under my web application root.

I tried using anonymous access with domain credentials. Also, I tried using impersonation as shown below ...

<identity impersonate="true" userName="<supplied username>"
password="<supplied password>" />

QUESTION: The application always uses IUSR to connect to this resource and get "ACCESS DENIED". I need to force my application to use the domain name above.

UPDATES
1. When I run procmon, I see a “FAST IO DISALLOWED” message every time before access is denied. Not quite sure if this is related.
2. I suspect symptoms of a double hop problem. But I don’t know how to really verify it or how to get around it without real Kerbros authentication.

Thank!

+3
source share
5 answers

IIS 7 default works "integrated mode".
, you can no longer pretend to be there
(you do not get an error message for the impersonation, but it just does not increase the privilege) .

ASP.NET "classic mode", .
, , , .

enter image description hereenter image description here

, smb, IUSR , ( , , MSFT, 'd , .

mklink /d  C:\inetpub\wwwroot\your_application_root\ShareName \\Server\ShareName\Directory

mklink, , Windows Vista +, Windows Server 2008 +

+4

ASP.NET ASP.NET . , , , - .

( , ).

http://west-wind.com/weblog/posts/2153.aspx

+1

Give your IUSR account access to your account. Even better, if your program uses the built-in ASP account (as Joe Garrett stated) and gives access to this share.

+1
source

Try disabling anonymous access. Using Windows Authentication, if you do not force the user to log in (by adding deny = "?" To your web.config), will force IIS to impersonate the use of the configured account.

0
source

Source: https://habr.com/ru/post/1760925/

More articles:


All Articles