ASP.NET Create directory with current user permissions - asp.net

I want to create a directory on a network path from a WCF web service. This web service is hosted under a site that uses Windows authentication. However, when I try to create the folder with "Directory.Create", I get an access denied. When I check "HttpContext.Current.User.Identity.Name", I can see my own user account, but I guess it is not the one used to create the folder, as, when I do "System.Environment.UserName", I see another value.
I tried to put "<identity impersonate="true" />" in the main web.config of the web site but then, nothing works anymore.
So my question is, is it possible to create the directory using the permissions of the currently logged-in user?
As a precision, I'm calling the webservice through AngularJS and I configured my "$httpProvider" to pass the credentials ("$hp.defaults.withCredentials = true;").
EDIT:
I added "<identity impersonate="true" />" to the web.config placed in the folder that contains my web service and now "System.Environment.UserName" contains the correct credential, but still I get the access denied. I tried the same command from a console application and it works. I really don't get it...
EDIT 2:
If I changed the "identity" element to "<identity impersonate="true" username="USERNAME" password="PASSWORD" />", then it works, but I don't want to fill these fields...
Thanks

I'm assuming the network folder is on another server; you're either going to have to impersonate credentials that have access to it, or whoever the app pool is running as will need permissions to write to that folder.
We typically have the app pool running as a domain account in IIS. You can tailor the permissions as you see fit then (assuming both servers are on the same domain; you don't have to store passwords this way, as whoever manages your IIS would handle that). If the site just needs to write (but not read) you could give it write permissions but not read.
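As an added illustration of the answer above (this is example code written here, not code from the question or the answer), the method below creates a directory while impersonating the Windows-authenticated caller and, before trying, reports why a UNC path is likely to fail: an impersonation-level token is only good for local resources, and reaching a share on another server as the caller needs a delegation-level token, which in turn requires Kerberos delegation to be configured for the web server. It assumes an ASP.NET host (System.Web) with Windows authentication, and for a WCF service that ASP.NET compatibility mode is on so HttpContext.Current is populated; the path passed in is a constructed placeholder.

```csharp
// Added example: create a directory as the authenticated caller and
// diagnose the "double hop" instead of silently failing with access denied.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class ImpersonatedDirectoryCreator
{
    // Returns a diagnostic message rather than throwing, so the caller can log it.
    public static string Create(string path)
    {
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return "No Windows identity on the request; check IIS authentication settings.";

        // A remote (UNC) path needs a token that can be forwarded to another server.
        bool isUnc = path.StartsWith(@"\\", StringComparison.Ordinal);
        if (isUnc && caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return string.Format(
                "Token for {0} is {1}; a remote path needs Delegation (Kerberos delegation for the web server not configured?).",
                caller.Name, caller.ImpersonationLevel);

        // Switch this thread from the app pool identity to the caller for the duration of the block.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            try
            {
                Directory.CreateDirectory(path);
                return "Created " + path + " as " + WindowsIdentity.GetCurrent().Name;
            }
            catch (UnauthorizedAccessException ex)
            {
                // WindowsIdentity.GetCurrent() now names the impersonated caller, which is
                // the account whose ACL entry on the target folder should be checked.
                return "Access denied for " + WindowsIdentity.GetCurrent().Name + ": " + ex.Message;
            }
            // Disposing ctx (end of using) reverts to the app pool identity.
        }
    }
}

// Constructed usage, e.g. from a service operation:
//   string result = ImpersonatedDirectoryCreator.Create(@"\\server1\share\newfolder");
```

The impersonation-level check is the quick way to tell the two situations in the question apart: with `<identity impersonate="true" />` alone the caller's token is Impersonation level, so a local folder works but a share on another server does not; with an explicit username and password in the identity element the process logs on with a primary token that has the password, which is why that variant works, at the cost of storing a credential in web.config. Running the app pool as a domain account with rights on the share avoids both the delegation setup and the stored password.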

Related

Error 401.3 not authorized when NOT using impersonation

I am trying to access an old fashioned asmx web service hosted in IIS and I am banging my head against a 401.3 error. I know there are lot of resources out there but most of them make use of impersonation and by adding permissions for the authorized user to the file system, which I want to avoid.
My scenario is basically an IIS webservice, running with an AppPool which runs as a specific service account (DOMAIN\username + password). This service account has full control on the folder and the Anonymous authentication is set to use the AppPool Identity.
This is all good and working but now I wanted to secure my webservice by adding Windows authentication. I did that and added a simple <deny users="?" /> to the authorization section. What happens now is that when I connect to the server I get asked for a username and pwd, I provide one and then I get a 401.3 error.
I have tried adding read&execute permissions for myself to the folder and everything works but this is clearly not a proper solution as I would have to keep managing folder permissions.
My question is: why does the authenticated user need folder access? Isn't the folder accessed as the app pool identity? Impersonation is disabled so I would expect that to be the proper behaviour.
why does the authenticated user need folder access?
The FileAuthorization module requires the authenticated user to have permissions to the file.
Isn't the folder accessed as the app pool identity
Yes, but the above module also checks the authenticated user. You mentioned that you have Anonymous set to use AppPoolIdentity, so I'd expect this to be true in your case.
Impersonation is disabled so I would expect that to be the proper behaviour.
This is independent as the FileAuthorization module kicks in anyways.
My recommendation for how to troubleshoot would be to grab a ProcMon trace; I suspect you'll see some AccessDenied. Go look and see what permissions are required by what process and see if it's doing impersonation (for this check). This will tell you what permission is missing/failing.
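To make the answer concrete, here is an added web.config fragment (constructed for this page, not taken from the question) that keeps the Windows authentication plus `<deny users="?" />` URL authorization described above, but removes FileAuthorizationModule so the authenticated caller is no longer checked against the NTFS ACL of the .asmx file; the app pool identity still needs its own read access to the folder. The module name "FileAuthorization" is the name under which ASP.NET registers it; which of the two sections applies depends on whether the app pool runs in the classic or the integrated pipeline.

```xml
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- UrlAuthorizationModule: reject anonymous (unauthenticated) callers -->
      <deny users="?" />
    </authorization>
    <!-- Classic pipeline: stop FileAuthorizationModule from ACL-checking the caller -->
    <httpModules>
      <remove name="FileAuthorization" />
    </httpModules>
  </system.web>
  <!-- Integrated pipeline (IIS 7 and later): same removal, different section -->
  <system.webServer>
    <modules>
      <remove name="FileAuthorization" />
    </modules>
  </system.webServer>
</configuration>
```

Removing the module is a deliberate widening: after this change, any user who passes Windows authentication can reach the service regardless of file ACLs, so access control has to be expressed in the `<authorization>` section (for example, `<allow roles="DOMAIN\ServiceUsers" />` followed by `<deny users="*" />`) rather than in folder permissions.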

Permissions issue when accessing Active Directory from an ASP.NET web app?

I just joined a company to support a web app that no one knows anything about. Everyone who might have once known is gone.
The app is using a dll (I only have the binary) which is used to get a string list of Active Directory groups that the user belongs to. The code works in production and when I run interactively in the VS2005 IDE, but does not work when I run it locally in IIS.
The code is this. It blows up on line 127:
Line 127: userGroups = new FW.DirectoryHelper(username).getGroups();
Line 128: List<string> roles = new List<string>();
Line 129: List<string> groups = new List<string>();
With this error:
Error getting group information. The specified domain either does not exist or could not be contacted.
This looks like some sort of an issue with the ASPNET account not having access to Active Directory, but why is it working interactively but not under IIS? Is this because when I run interactively I am running under my own credentials instead of the ASPNET account? Why would it run on other (eg, UAT) IIS servers including Production and not local?
Is there some local IIS configuration or folder security configuration that I need to make to get it to work locally?
The binary is surely used elsewhere within my company; I think it is a shared IT utility that no one will support, and trying to find someone who will will prove difficult.
My local IIS was configured with Windows Authentication turned on and Anonymous off. I also tried Windows Auth on and Anonymous...
Your issue is very similar to a question I answered recently, they too were using IIS 5.1.
Is it possible to retrieve data from Active Directory by impersonating a Windows authenticated user in ASP.NET?.
In my answer I provide a couple of possible solutions, what you will probably want to do is use ASP.Net impersonation.
The code is using the windows login credentials for ldap, whichever pc is running the program. Try setting iis to anonymous access and give it an account (a dummy one perhaps) that has ldap reading rights. And in your web.config file, you're going to want to set this anonymous account like so:
<system.web>
<identity userName="DOMAIN\username" password="myPW"/>
</system.web>
Is this IIS6 or 7?
If IIS6, make sure the application pool's identity is set to that of a domain account.
If IIS7, make sure under Basic Settings it is set to that of a domain account.
Hope this is helpful.
A quick fix is to set the identity of your local IIS to use your login credentials instead of the default system account.
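The answers above converge on one point: the group lookup is made with whatever Windows identity the worker process has, and that identity differs between the VS debugger and IIS. The added example below (written for this page; it is not the FW.DirectoryHelper binary from the question, whose internals are unknown) performs the same kind of lookup with System.DirectoryServices.AccountManagement, logs the identity it runs as so the two environments can be compared, and deliberately takes no username or password: it contacts the domain as the process identity, so under IIS the app pool must run as a domain account, which is the alternative to putting a password in the `<identity>` element. It assumes .NET 3.5 or later on a domain-joined host.

```csharp
// Added example: list a user's AD groups as the current process identity.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class GroupLookup
{
    // Returns the SAM account names of the groups that `samAccountName` belongs to.
    public static List<string> GetGroups(string samAccountName)
    {
        var groups = new List<string>();

        // "Works interactively, fails under IIS" almost always means two different
        // principals are talking to the domain; record which one this is.
        Console.Error.WriteLine("Querying AD as: " + WindowsIdentity.GetCurrent().Name);

        // No credentials supplied: the process identity (app pool account under IIS) is used.
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("User not found in domain: " + samAccountName);

            // GetAuthorizationGroups includes nested group membership, which is what
            // role checks usually want.
            foreach (Principal g in user.GetAuthorizationGroups())
            {
                if (g is GroupPrincipal && g.SamAccountName != null)
                    groups.Add(g.SamAccountName);
                g.Dispose();
            }
        }
        return groups;
    }
}

// Constructed usage:
//   List<string> roles = GroupLookup.GetGroups("jdoe");
```

If the log line shows a local account (or the machine account on a workstation that is not domain-joined), "the specified domain either does not exist or could not be contacted" is the expected outcome, and the fix belongs in the app pool identity, not in the code.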

ASP.NET impersonations?

I have an aspx file that is supposed to write to a file on the server while loading. On the local machine it works fine, but when I deploy it to a live server it gives me an exception "Access to the path 'd:\DZHosts\LocalUser\asafz83\www.asafz83.somee.com\lala.htm' is denied."
When I asked my server admin for the reason, he told me to remove any impersonation from my web.config file. Well, my web.config file doesn't contain any impersonation, so I'm really confused:
What can I do in order for this silly-stupid application to work?
thanks!
Assuming the id being impersonated has appropriate access to the server & folder that you are writing to, you have to allow your web server to be trusted for delegation.
See this for Windows 2003 server:
http://technet.microsoft.com/en-us/library/cc738491(WS.10).aspx
I've had the same problem a couple of weeks ago; it took us a few days to figure out that it's just a checkbox that needed to be set.
You don't have to go through impersonation.
Create a folder in your website, let's call it "Files". You can access its path via Server.MapPath to do whatever saves you want in that directory.
Server.MapPath("~/Files")
When you deploy on IIS, you have to apply Write permissions on the folder "Files" for the ASP.NET user.
Essentially your server admin is saying that you may not have the permissions needed to perform the operation / access the path in the error.
Is this a valid path that you think you should have access to, if it is then there is a chance your application is configured wrong.
Your admin guy is basically saying ...
In the web.config file check that you have not got something that reads like this :
If you do, remove it, because you're trying to impersonate / get ASP.NET to run within the context of the guest account for internet users connecting to the server.
There is more on the topic here ...
http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx
Something worth noting is that application configs "inherit settings from parent applications", this means if you have a web app running that works with this, and then in a child folder deploy a new web app that does not have the right to do this then it will break because of the parent applications settings.
This may or may not be relevant to your situation but I feel it's worth noting.
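The inheritance point in the last answer has a configuration-level fix worth seeing. The added fragment below (constructed for this page, not from the question) shows how a parent application that does impersonate can keep that setting from flowing into child applications deployed under it, using the `inheritInChildApplications` attribute of the `<location>` element, so a child app that should run as the app pool identity is not silently switched to the impersonated account.

```xml
<!-- Parent application's web.config (constructed example) -->
<configuration>
  <!-- Everything inside this location block applies to the parent app only;
       child applications under it do not inherit these settings. -->
  <location path="." inheritInChildApplications="false">
    <system.web>
      <authentication mode="Windows" />
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>
```

When an access-denied error appears only after deployment, it is worth walking up the folder tree to the site root and checking each web.config for an `<identity>` element, since the effective identity for the failing request is the merged result of all of them.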

ASP.NET access files on another computer shared folder

I have an ASP.NET project which does some file access and manipulation; the methods which I use for file access are below. Now I need to access files on another server's shared folder. How do I do that? I can easily change the file path to the shared folder path, but I get a "can't access" error because the shares are password protected.
As I understand it, I need to somehow send credentials to the remote server before executing the methods below. How do I do that?
new FileStream(@"c:\MyProj\file.doc", FileMode.OpenOrCreate, FileAccess.Write);
Context.Response.TransmitFile(@"c:\MyProj\file.doc");
Regards,
Tomas
An ASP.NET application (by default) will execute in IIS6 under the "ASPNET" computer account. You therefore have a couple of options:
Configure your ASPNET application to run under a (weak) domain account with permissions to access the remote computer's share
Set the permissions on the share to enable access to "Everybody" (not recommended)
Disable Forms authentication and use Windows authentication in your ASP.NET app. Turn off impersonation in web.config and IIS should pass the credentials of the user who is currently using your web application through to the underlying share (I think).
The latter option is only useful, of course, if your users all have domain accounts on your intranet, for instance. I'll continue to look around for ways to add credentials but I'm not sure off the top of my head if that's possible.
HTH,
Richard.

Access network share using Windows authentication

I constantly trip on this when writing apps for our intranet.
Let's say we have a network share called "\\server1\myfolder", and I'm writing an app that needs to read a text file from there. Access to the share is very limited, which is fine. If someone doesn't have access to the folder, the app catches the error and tells the user they don't have access.
This works fine when I run it locally, but when I publish the app to the test server, it never has access to the folder, no matter who is running the app. Ideally the app would impersonate the user and use their credentials, but I never seem to be able to set it up correctly.
My web.config is set up like this:
<authentication mode="Windows"/>
<identity impersonate="true"/>
I've also tried impersonate="false", but it doesn't make a difference. Can someone explain what is going on here, to someone with a very limited knowledge of IIS (this is running on IIS 6 by the way)? Any idea how this should be set up, or is it impossible?
This previous post is similar and contains a valid answer:
Access files from network share in c# web app
as does this one
Asp.net Access To Network Share
Check your IIS directory security settings. You need to have anonymous authentication turned off and Windows authentication turned on.
