Re: CreateDirectory working inconsistently from ASP.net

From: David Davies (DavidDavies_at_discussions.microsoft.com)
Date: 10/26/04


Date: Mon, 25 Oct 2004 20:27:02 -0700

Many thanks Scott.

2 and 3 are not feasible because the ability to create a directory must
depend on the rights of the user.

That leaves Delegation as the only option, I have followed the instructions
in the kb you posted and waited a few hours to allow for propagation but it
is still producing the same result.

Is there any way to test Delegation is functioning?

Regards,
David

"Scott Allen" wrote:

> Hi David:
>
> You are facing the dreaded double hop NTLM issue. With integrated
> authentication the client's credentials can make exactly one network
> hop. When the browser authenticates to the web server from a remote
> machine the credentials make one hop and can't be used to make a
> second hop to the server with the file share (if the browser is on the
> same machine as the web server the call works because there is still
> only one hop involved).
>
> A few of the solutions are:
>
> 1) Enable delegation
> http://support.microsoft.com/default.aspx?kbid=810572
>
> 2) Impersonate with a specific username and password, i.e.
> <identity impersonate="true" userName="<name>" password="<password>"/>
> You can also do this programmatically.
>
> 3) Run the ASP.NET worker process under a domain account with
> permissions on both machines.
>
> There are some good tips for 2 & 3 here:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp
>
> HTH,
>
> --
> Scott
> http://www.OdeToCode.com/blogs/scott/
>
> On Sun, 24 Oct 2004 20:51:02 -0700, David Davies
> <DavidDavies@discussions.microsoft.com> wrote:
>
> >Please HELP !!
> >
> >I have a web page that is trying to create folders on a file server
> >
> > eg. \\SERVERNAME\F4\Projects\[New Folder Name]
> >
> >Users of the web site are authenticated with Windows Integrated Security.
> >
> >(have tried on W2003/IIS6 and W2k/IIS5 with no difference in behavior)
> >
> >When a user connects using a browser on the same machine as the
> >webserver the code works and is able to create the new folder.
> >
> >When the same user connects from a remote machine the CreateDirectory
> >function generates the following Exception
> >System.UnauthorizedAccessException
> >"Access to the path \"TEST\" is denied."
> >Source "mscorlib"
> >StackTrace
> >System.IO.__Error.WinIOError(Int32 errorCode, String str)
> >at System.IO.Directory.InternalCreateDirectory(String fullPath, String
> >path)\r\n
> >...
> >
> >I have tried to do this in 3 ways all with the same problem;
> >A)
> >DirectoryInfo di = Directory.CreateDirectory(newfullpath);
> >
> >B)
> >DirectoryInfo root = new DirectoryInfo(rootPath);
> >DirectoryInfo di = root.CreateSubdirectory(folderName);
> >
> >C)
> >[DllImport("kernel32.dll")]
> >static extern bool CreateDirectory(string lpPathName, IntPtr
> >lpSecurityAttributes);
> >...
> >bool result = CreateDirectory(path, IntPtr.Zero);
> >DirectoryInfo di = new DirectoryInfo(path);
> >
> >I have also checked that the Integrated Authentication is getting passed
> >correctly into the application
> >
> >string origID = Thread.CurrentPrincipal.Identity.Name;
> >string contextUser = HttpContext.Current.User.Identity.Name;
> >
> >Both calls return the same user regardless if the call is from the server or
> >a remote machine.
> >Needless to say that the User has the required permissions to create the
> >folder because they are able to do so as long as they do it from a browser on
> >the server itself.
> >
> >If anyone can shed any light on what is going on here I would greatly
> >appreciate it.
> >
> >Regards,
> >David Davies
> >Goldman Sachs
> >
>
>
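
One way to check on the web server whether delegation is in effect, as an added example that is not part of either post: file and network calls use the token on the executing thread, which `WindowsIdentity.GetCurrent()` reports, and only a token at the `Delegation` level can make the second hop to the file server. `DelegationCheck`, `Describe` and `Report` are hypothetical names; the `WindowsIdentity` members are standard .NET (2.0 and later, Windows only).

```csharp
using System;
using System.Security.Principal;

// Added diagnostic sketch; class and method names are hypothetical.
public static class DelegationCheck
{
    // Classifies a token by how far its credentials can travel.
    public static string Describe(WindowsIdentity id)
    {
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                return "Delegation: can authenticate to a second server as the caller";
            case TokenImpersonationLevel.Impersonation:
                return "Impersonation: valid on this machine only, second hop is refused";
            case TokenImpersonationLevel.Identification:
                return "Identification: identity can be read but not acted as";
            case TokenImpersonationLevel.Anonymous:
                return "Anonymous: no usable caller identity";
            default:
                return "None: primary process token, network calls go out as the process account";
        }
    }

    // requestUser: in an ASP.NET page, (WindowsIdentity)HttpContext.Current.User.Identity.
    public static string Report(WindowsIdentity requestUser)
    {
        // The identity the OS actually uses for I/O on this thread.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            bool sameUser = string.Equals(thread.Name, requestUser.Name,
                                          StringComparison.OrdinalIgnoreCase);
            // An NTLM logon never yields a Delegation-level token.
            return string.Format(
                "request user : {0} (auth: {1})\nthread token : {2}\n  {3}\nthread runs as request user: {4}",
                requestUser.Name, requestUser.AuthenticationType,
                thread.Name, Describe(thread), sameUser);
        }
    }

    public static void Main()
    {
        // Console stand-in for the request identity so the sketch runs outside IIS.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            Console.WriteLine(Report(id));
    }
}
```

Calling `Report` from a page requested by a remote browser shows the case that matters: a thread token at `Impersonation` level, or a request identity authenticated with NTLM, means delegation is not in effect for that request.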


