I have this load-balanced ASP.NET application which needs to upload files to a shared location. The web app is not impersonated, which means it will cross the machine boundary using the NETWORK SERVICE credentials. Now my question is, to which account do I need to assign permissions on the folder where the files are being uploaded? How can I say that the network service of these web servers needs write permissions?
If your server is part of an AD domain, then you can add the server itself from the security permission dialog to have read/write permission (on the file share server). Remember to select "Computers" when searching Active Directory. Depending on your setup, you might have to search from the root of your Active Directory or select "Entire Directory". You will have to add all of your servers that are part of the load-balanced ring to have permission on the file share server's directory.
If your server is not within an AD domain, then your local server's network service will not have any security context to write on another server, which means only generic permissions will work (e.g. giving write permission to "Everyone").
Otherwise you will have to use UNC authentication. An example is posted here.
We have 2 servers in a DMZ. The first one is an application server, let's call it the APP machine. The other is a file server, let's call it FILE. A web site running on the APP machine under IIS is trying to create a file in a shared directory located on the FILE server.
When the application pool is running as some user in IIS_IUSRS or as NETWORK SERVICE, writing to the remote location fails. I can't authorize this user on the shared folder, because the FILE machine can only see local users.
I created a user X on the APP machine (APP/X) and another one with the same username on FILE (FILE/X). Then I added the FILE/X user to Credential Manager on the APP machine. When the APP/X and FILE/X users have different passwords, writing fails again. But when the passwords are the same, writing just works.
I can't understand why the passwords matter. At the end of the day they are two different users, APP/X and FILE/X. Could someone clarify this phenomenon?
When the local user account on APP attempts to connect to the FILE server it passes its credentials (username and password). If that combination isn't an exact match against a user on the FILE machine then it will fail.
There are multiple ways to do this "correctly". The most common would be to have a domain set up that the site on the APP server runs under. That way you could just authorize the user to have rights on the FILE server.
If you can't have a domain controller, then the username and passwords must be kept in sync on the two machines.
I have an ASP.NET web service as part of an ASP.NET application. However, some of its methods are not supposed to be invoked directly from a browser; they are only accessed by a Windows service from within the same local network. Is there any way to protect the web service from remote access by means of web.config files or IIS configuration, with no firewall configuration involved?
Change the ACLs on your "non-accessible" resources so that IIS_USER has no rights. Create another website that binds to localhost:80. Create a new user account and set that as the login account for the new website. Grant that user read/execute on the files you're trying to obscure.
I face a situation where my web service needs to access partition D on the server hard disk and can send and receive files to/from the client.
Is it true that a web service can do that even when there's no permission on the folder?
I know that I can add to the folder of the ASP.NET path using the MapPath function...
Can anyone illustrate to me how this would be done and how the web service can access the server's local disk?
In order for the web service to be able to either read or write files to a folder on your server it must have permission to do so.
The first thing you need to determine is which user the web service is executing as. Once you know that, you can set the appropriate rights on the folder in question.
"Is it true that a web service can do that even when there's no permission on the folder?"
NO
My ASP.NET MVC 2 application runs under the built-in local NETWORK SERVICE account. I want to set up access permissions for a folder which resides on another computer, but in the same domain. I located that folder, right-clicked to open its Properties form, clicked the Security tab and pressed the Add button, which displayed the Add user form with the correct domain name in the location field. I referred to the account with the following syntax:
<domain name>\<server name>$
because I learned that the NETWORK SERVICE account uses the machine account when connecting to other computers in the domain.
However, the system couldn't find the account, so it refuses to add it. Without the domain name it adds a user, but that user seems to be a local user, not the web server's NETWORK SERVICE account. What am I doing wrong?
By the way, the above syntax worked when I created a login on the SQL Server, which is a different computer from the web server.
OK, I will answer my own question. The above syntax <domain name>\<server name>$ was correct. Just make sure to select the Computers checkbox in the object type when adding user permissions.
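The two answers above (grant the web servers' computer accounts rights on the share, selecting "Computers" as the object type) as a repeatable script. This is an added example, not code from any of the posts; the domain CORP, the web servers WEB01/WEB02, the folder D:\Uploads and the share name Uploads are placeholders, and it assumes it is run elevated on the file server.

```powershell
# Added example (not from the original posts). Run elevated on the file server.
# Placeholders: domain CORP, web servers WEB01/WEB02, folder D:\Uploads shared as "Uploads".
Import-Module SmbShare   # ships with Windows Server 2012+ / Windows 8+

$domain     = 'CORP'
$webServers = @('WEB01', 'WEB02')          # every node in the load-balanced ring
$folder     = 'D:\Uploads'
$shareName  = 'Uploads'

# NETWORK SERVICE leaves the box as the computer account, so the principal to
# authorize is DOMAIN\HOSTNAME$ (the trailing $ is part of the account name).
$principals = $webServers | ForEach-Object { "$domain\$_`$" }

# 1) NTFS permissions: Modify (create, write, delete), inherited by files and subfolders.
$acl = Get-Acl -Path $folder
foreach ($p in $principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# 2) Share permissions: the effective right is the more restrictive of share and NTFS,
#    so the share itself must also allow the machine accounts (Change = read + write).
Grant-SmbShareAccess -Name $shareName -AccountName $principals -AccessRight Change -Force

# 3) Verify what was granted; a broad entry such as Everyone should not be needed here.
Write-Host "NTFS ACEs on $folder for computer accounts:"
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -like '*$' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

Write-Host "Share ACEs on \\$env:COMPUTERNAME\${shareName}"
Get-SmbShareAccess -Name $shareName |
    Format-Table AccountName, AccessRight, AccessControlType -AutoSize
```

Only the computer accounts of the web servers are granted access, so a host outside the load-balanced ring still cannot write to the share even though it is in the same domain.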
I have been in this same situation before. I don't think I got it to work with the Server/Network Service, but this might be worth a try.
Figure out the account the network service is using to access the network resource:
Configure Windows auditing (on the server where the folder is located) to log the failed security events of the folder,
or monitor the folder with something like filemon.exe.
... from here you can try to add the account to the security settings of the folder. (IIRC I didn't ever get this to work.)
Alternatively you can ensure the action is performed under the context of a domain user, either by:
impersonating the user in code and performing the action (my preference),
setting the impersonation settings in web.config to a named user, or
setting the application pool to run as a domain user.
We have to access a network UNC share which is, say, allowing access to USER1. Our exe is running under the LOCAL SYSTEM account. In the exe, we do impersonation with "USER1" credentials so that the exe can access the UNC share. But after doing the impersonation, we are still getting the error "Access denied" while accessing that UNC share.
After the impersonation, we are enabling the following privileges on the impersonated thread:
SE_BACKUP_NAME
SE_CHANGE_NOTIFY_NAME
SE_CREATE_GLOBAL_NAME
SE_DEBUG_NAME
SE_IMPERSONATE_NAME
SE_RESTORE_NAME
SE_SECURITY_NAME
SE_TAKE_OWNERSHIP_NAME
SE_TCB_NAME
Do we need to enable any other privileges, or are we missing something else?
Thanks
-- Nitin
If you're on an Active Directory domain you need to configure for delegation.
Given the following:
Server A hosting the EXE
Server B hosting the UNC share
Both servers on a domain managed by Active Directory
You must configure AD so that server A has the right to "delegate" for users on the domain or, to be more secure, for server B only.
For more help, check out serverfault.com.