I need to let an aspx.cs file run code to enumerate the contents of a directory on another server altogether. Basically, use a Directory object, etc.
Here is what I can piece together (I'm really not a network rights guy at all, so this is all confusing to me.) When a user loads my aspx page, that page, code behind, is actually running under some kind of windows user account. IUSR_ or something.
For some reason, the server I need to reach (it's a Page Flex server) will not let me change the "Location" to search for users in so I can't go find /IUSR... and give it rights.
Is there some way to pass credentials as I try to enumerate the contents of a remote server's directories?
I really hope that made sense.
I don't know all your security constraints, but you may want to look into delegation
http://msdn.microsoft.com/en-us/library/aa291350(VS.71).aspx
There's lots of other articles on it if you search google
EDIT:
From: http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx
<!-- Web.config file. -->
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
The idea is to have the web request run as whatever domain user does have access to the share, instead of the default (IUSR_* or ASPNET user, I can't remember)
I believe you can do this for just a subdirectory or script if you want to limit what scripts are running as this user, see http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx
<location path="ReadUNC.aspx">
<system.web>
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
</system.web>
</location>
And if you want to do the impersonation programmatically, maybe this will help get you started: http://www.west-wind.com/WebLog/posts/1572.aspx
Related
when I debug my website locally using Visual Studio, the change to the web.config goes into the effect without any problem.
However, when I make the same change to the web.config on my server host (running IIS 7.5) it looks like the site is still running off the old version of web.config when I load it up in my browser. The new changes aren't applied.
I have tried stopping and starting my site's application pool on the server using IIS Manager, but still no change. I've also tried stopping and starting IIS, which isn't working either.
The change I am making to my web.config involves removing entries in the block to allow and deny users.
It is currently set up to prompt for credentials, and if valid, the site is accessible. If not, access is denied. The change I am trying to make is to allow access to all users and not prompt them for their credentials.
BEFORE:
<authorization>
<deny users="?" />
<allow roles="admins" />
<deny users="*" />
</authorization>
AFTER:
<authorization>
<allow users="*" />
</authorization>
What is the reason for this?
You have to reset IIS. Just open command prompt and run IISRESET and you should be good.
I have found that if I attempt to modify the Web.config directly through the file system (on an IIS server), my changes fail to be saved, and thus, are not applied. This is what I have found works for me, provided you have access to IIS on the host server:
NOTE: These instructions are based on IIS 8 on Windows Server 2012, but may still work for IIS 7.5.
Go to the IIS Manager on the host server
Drill down in the Sites until you find your application
Using the Features view, double-click the Authorization Rules
Use the Add Allow Rule... and Add Deny Rule... link in the Actions panel (on the right) to configure all your authorization rules.
This process updates the Web.config for you. If you need to edit or delete a rule, click on the applicable rule, then click the Edit... or Remove link in the Actions panel.
I hope this helps.
Are you deploying,publishing or copying? Make sure that your debug and release settings are the same. There are also instances when the virtual directory is not setup correctly and the correct webconifg is not loading.
Copy the web.config file from your server and place it in your local machine and modify according to your requirements. And then delete the web.config file in the server and copy and paste the modified web.config from local machine to server.
This work for me, but for me connectionstring was the Issue.
From MSDN - Web.Config
Any changes to the web.config file will require restarting the "Microsoft IIS Administration" service to take effect.
Maybe, maybe and maybe it help some one. I have the same problem. with IIS reset not work. with recycling AppPool not work. Maybe your drive have not free space.
This work sometimes after I delete some unwanted files. but I think important reason is Permission. we must use Editor like notepad or Run editor as administrator or web.Config need permission to change and then change Web.config. then Save.This works for me.
For me the problem was that I was building multiple solutions in the Azure DevOps pipeline and the deploy.cmd took the first web.config file as given. Therefore, I had changed the wrong web.config and the solution was to build via the csproj file and not via the solution.
Hope this helps somebody! :-)
You have to do following action
Click the BUILD menu
select the Clean Solution
after then
select the Re-build Application
Published the files (codes)
Above this action done, It is working fine without issue.
Reflecting changes in IIS services
How can I prevent a User to see the file system in asp.net ? Do I need to change something in my IIS settings or on my Web.config ?
Thanks for help and fast answer
Lets starts from the fact that a remote user to been able to see a file is must know the full path of it on the browser.
To prevent that you disable the directory browsing and/or you have a default.aspx page on each directory. When there is a default page, then the IIS show that page.
Now the second security measure is not let the asp.net application user that runs yous site to have accesss to any file beyond the site running files.
The site is run under two accounts. One for the IIS, and one for the Pool. both this accounts must have limited access only to your site directory and only for read, and for write only on the files/directories that needed to your application.
Additional you can use a web.config on some directories to prevent the run of any aspx page as:
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
but this is not prevend to see files that are not pass from asp.net (like images)
Also you can read
How to find out which account my ASP.NET code is running under?
Firstly I just want to say I'm not an ASP developer, I'm PHP through n through...
So my problem is this, all of a sudden a client site has started prompting for users to be logged in when viewing pages in a sub directory, when I download the web.config file I can see the authentication mode set to "Windows" this would appear to be an issue but it was working up until now, so I set it to None and uploaded the file (there isn't a web.config in the sub directory, just the site root) and it continues to prompt me for the login.
Is there something I need to do to "refresh" the server or something? I've looked through the hosting control panel and can't find anything about anonymous access or restarting the server, its on a shared hosting account and the control panel is pretty below average
Any help is greatly appreciated!! I'm in a panic and the hosting company don't have ASP support on hand
Thanks,
Mark
In the folder that you want anonymous access, just use the web.config authorization section to allow anonymous users:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
The * essentially means Everyone so it just saying that for the current directory, everyone is allowed access- you only need this in the web.config...nothing more.
If you are still receiving prompts after this, then the folder itself must have permissions at the operating centre level (NTFS permissions) which do not allow Anonymous access...Although you say the ASP support isn't at hand, I presume you can raise help tickets with them to enable this access?
Edit
I should add that this setting of authorization is different to setting an Authentication scheme (Windows Authentication, Forms Authentication etc). For example, you might have Forms Authentication for your website but specifically want anonymous access to a folder (like this case) so setting your authentication option isn't actually relevant.
I have my ASP.NET web.config set with impersonation
<identity impersonate="true" userName="domainName\userName" password="userPassword" />
I'm running some a method like
IO.Directory.GetFiles(somePath)
And monitoring the file system access with Process Monitor
I keep getting all the access requests from the aspnet_wp.exe process to the folder, as the ASPNET user.
Why am I not seeing the access as the impersonated user?
My guess is you have anonymous access on ?
As a result it will use the system account... see
Disable anonymous access, and it will use the impersonation account.
#Nix's answer sounds like it might fit the ticket, but you should also check your authorizations in the .config file to make sure they're not conflicting with your impersonation in some way. Have a look at this question for a brief discussion on the subject of grant/deny, and the link in the accepted answer with more info.
Why is <deny users="?" /> included in the following example?
BTW, I have not had conflicts with impersonations and leaving anonymous access on before, so ...
I currently have an ASP.NET 3.5 SP1 running on IIS 7. I have enabled forms authentication using .NET Membership and setup some folders that are restricted according to roles I have created. For instance, if an anonymous visitor tries to access the file http://www.example.com/restricted/foo.txt, he/she will be redirected to a login page, as expected. So far so good.
What I would like to do is provide access to protected files by allowing visitors to specify their login credentials in a query string, something alone the lines of:
http://www.example.com/foo.txt?user=username&pass=pwd
Is this possible at all?
you should be able to write an http module that intercepts the request and authenticates the user based on the querystring. However, just for the sake of completeness, I'd like to question whether it's a good idea to provide users their username and (in particular) password in plaintext.
You could easily create a download page that would authenticate the user and then forward them to the requested file. Something like navigating to Download.aspx?user=username&pass=pwd&file=foo.txt.
This however is NOT recommended. You should never require users to pass login information via a URL.
A secondary answer based on comments you've made to other questions is that you could simply put your download page in a directory. The subfolder could have a web.config that allows unauthenticated users access to the contents within :-)
something like:
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>