"Dominick Baier" <dotnet@leastprivilege.com> wrote in message
news:O7XGdROpEHA.3668@TK2MSFTNGP15.phx.gbl...
> if you are impersonating depends on the impersonate=true/false switch in
web.config.
>
> trust for delegation is a active directory setting.
>
>
>
> ---
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<u9SE2XNpEHA.3460@TK2MSFTNGP15.phx.gbl>
>
> Thanks for your prompt reply Dominick
>
> I'm not sure which is the case as I am not the server administrator -
they
> are away :-(
> But I'm a bit confused as to the machine account needing to be trusted
for
> delegation?
> Is this an option in IIS admin?
>
> Regards
> Iain
>
> "Dominick Baier" <dotnet@leastprivilege.com> wrote in message
> news:%23muBcHNpEHA.1460@TK2MSFTNGP12.phx.gbl...
> > hi,
> >
> > i don't know if you are running on w2k3 or w2k and if you intend to
> impersonate or not...
> >
> > here are the 2 scenarios
> >
> > 1. no impersonation
> >
> > Your asp.net app runs under the ASPNET (wk2/xp) account or Network
Server
> (w2k3). The local ASPNET account has no network credentials on another
> machine -> use a domain account instead. The Network Service account has
the
> credentials of the machine (MachineName$) when in Active Directory or
none
> if stand-alone. Also here - use a domain account or a account that
matches
> on both machines
> >
> > 2. impersonation
> >
> > if you are impersonating you are doing a second hop with the client
> credentials. your machine/service account has to be trusted for
delegation
> to achieve this.
> >
> >
> >
> > ---
> > Dominick Baier - DevelopMentor
> > http://www.leastprivilege.com
> >
> >
>
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<#EFytMMpEHA.3900@TK2MSFTNGP10.phx.gbl>
> >
> > Hi,
> > I'm really stuck with this one - wondering if you can spot the problem?
> > I think that it's a webserver problem that goes deeper than web.config.
> > I've not been able to write to a file on a network share via ASP.NET.
The
> > network share is not the same as the webserver.
> >
> > relevant section of web.config:
> > <appSettings>
> > <!-- the location we cannot write to. My staging server
> > doesn't have write permissions here, but I do if authenticating as
> > myself -->
> > <add key="ProjectCollection"
> > value=\\my_server\userhome\MyAccount\websiteTests\test.txt />
> > </appSettings>
> > <!-- Neither of these work!
> > I have write perms here for my user accunt and believe that
> > my staging server has write perms here too
> > add key="ProjectCollection"
> > value=\\my_server\commondocuments\websiteTests\test.txt />
> > -->
> > </appSettings>
> > <system.web>
> > <!-- I have also tried "None" here -->
> > <authentication mode="Windows" />
> >
> > <!-- I have tried leaving this out -->
> > <identity impersonate="true" />
> >
> > <authorization>
> > <allow users="mydomain\myusername" />
> > <deny users="*" />
> > <!-- I have tried allow users="*" but I think that then my server
> > tries to authenticate as ASPNET. This certainly should not access my
home
> > folder, but should??? access the common share. I believe that my
> > administrator has set up access privs for my server on the common
share.
> It
> > doesn't access it however! -->
> > </authorization>
> > </system.web>
> > Relevant code:
> > Private Sub btnSearch_Click(ByVal sender As System.Object, ByVal e As
> > System.EventArgs) Handles btnSearch.Click
> > 'identity we are running as - 2 ways of getting the same
> > information
> > ' returns my username if I am impersonating and
> > authenticating in web.config
> > 'however, still cannot write to either folder no
> > matter what I am impersonating or not
> > Trace.Write(Page.User.Identity.Name)
> >
> >
Trace.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name)
> > 'filename we are trying to write to
> > Dim strFileName As String =
> > ConfigurationSettings.AppSettings("ProjectCollection")
> > Trace.Write(strFileName)
> > 'fails here. This creates a file in location specified by
> > Config setting above
> > Dim fs As FileStream = New FileStream(strFileName,
> > FileMode.Append)
> > Dim w As New StreamWriter(fs)
> > w.WriteLine("Test")
> > w.Close()
> > fs.Close()
> > End Sub
> > Any Ideas?
> > Many thanks
> > Sorry for long post
> > Iain
> >
> >
> >
> > [microsoft.public.dotnet.framework.aspnet.security]
>
>
>
> [microsoft.public.dotnet.framework.aspnet.security]

>-----Original Message-----
>hi,
>
>
>
> check out the machine settings in active directory users
and computers.
>
>
>
> ---
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>

>
> Thanks again for the reply.
>
> How can I find out if trust for delegation is enabled?
Is it enabled on a
> machine specific basis, and if so, is it the webserver
or the smb server
> providing that share which should have trust enabled?
>
> Regards
> Iain
>
>
>
> "Dominick Baier" <dotnet@leastprivilege.com> wrote in
message
> news:O7XGdROpEHA.3668@TK2MSFTNGP15.phx.gbl...
> > if you are impersonating depends on the
impersonate=true/false switch in
> web.config.
> >
> > trust for delegation is a active directory setting.
> >
> >
> >
> > ---
> > Dominick Baier - DevelopMentor
> > http://www.leastprivilege.com
> >
> >
>

> >
> > Thanks for your prompt reply Dominick
> >
> > I'm not sure which is the case as I am not the server
administrator -
> they
> > are away :-(
> > But I'm a bit confused as to the machine account
needing to be trusted
> for
> > delegation?
> > Is this an option in IIS admin?
> >
> > Regards
> > Iain
> >
> > "Dominick Baier" <dotnet@leastprivilege.com> wrote in
message
> > news:%23muBcHNpEHA.1460@TK2MSFTNGP12.phx.gbl...
> > > hi,
> > >
> > > i don't know if you are running on w2k3 or w2k and
if you intend to
> > impersonate or not...
> > >
> > > here are the 2 scenarios
> > >
> > > 1. no impersonation
> > >
> > > Your asp.net app runs under the ASPNET (wk2/xp)
account or Network
> Server
> > (w2k3). The local ASPNET account has no network
credentials on another
> > machine -> use a domain account instead. The Network
Service account has
> the
> > credentials of the machine (MachineName$) when in
Active Directory or
> none
> > if stand-alone. Also here - use a domain account or a
account that
> matches
> > on both machines
> > >
> > > 2. impersonation
> > >
> > > if you are impersonating you are doing a second hop
with the client
> > credentials. your machine/service account has to be
trusted for
> delegation
> > to achieve this.
> > >
> > >
> > >
> > > ---
> > > Dominick Baier - DevelopMentor
> > > http://www.leastprivilege.com
> > >
> > >
> >
>

> > >
> > > Hi,
> > > I'm really stuck with this one - wondering if you
can spot the problem?
> > > I think that it's a webserver problem that goes
deeper than web.config.
> > > I've not been able to write to a file on a network
share via ASP.NET.
> The
> > > network share is not the same as the webserver.
> > >
> > > relevant section of web.config:
> > > <appSettings>
> > > <!-- the location we cannot write to. My staging
server
> > > doesn't have write permissions here, but I do if
authenticating as
> > > myself -->
> > > <add key="ProjectCollection"
> > >

> > > </appSettings>
> > > <!-- Neither of these work!
> > > I have write perms here for my user accunt and
believe that
> > > my staging server has write perms here too
> > > add key="ProjectCollection"
> > >
value=\\my_server\commondocuments\websiteTests\test.txt />
> > > -->
> > > </appSettings>
> > > <system.web>
> > > <!-- I have also tried "None" here -->
> > > <authentication mode="Windows" />
> > >
> > > <!-- I have tried leaving this out -->
> > > <identity impersonate="true" />
> > >
> > > <authorization>
> > > <allow users="mydomain\myusername" />
> > > <deny users="*" />
> > > <!-- I have tried allow users="*" but I think that
then my server
> > > tries to authenticate as ASPNET. This certainly
should not access my
> home
> > > folder, but should??? access the common share. I
believe that my
> > > administrator has set up access privs for my server
on the common
> share.
> > It
> > > doesn't access it however! -->
> > > </authorization>
> > > </system.web>
> > > Relevant code:
> > > Private Sub btnSearch_Click(ByVal sender As
System.Object, ByVal e As
> > > System.EventArgs) Handles btnSearch.Click
> > > 'identity we are running as - 2 ways of getting the
same
> > > information
> > > ' returns my username if I am impersonating and
> > > authenticating in web.config
> > > 'however, still cannot write to either folder no
> > > matter what I am impersonating or not
> > > Trace.Write(Page.User.Identity.Name)
> > >
> > >
> Trace.Write

> > > 'filename we are trying to write to
> > > Dim strFileName As String =
> > > ConfigurationSettings.AppSettings
("ProjectCollection")
> > > Trace.Write(strFileName)
> > > 'fails here. This creates a file in location
specified by
> > > Config setting above
> > > Dim fs As FileStream = New FileStream(strFileName,
> > > FileMode.Append)
> > > Dim w As New StreamWriter(fs)
> > > w.WriteLine("Test")
> > > w.Close()
> > > fs.Close()
> > > End Sub
> > > Any Ideas?
> > > Many thanks
> > > Sorry for long post
> > > Iain
> > >
> > >
> > >
> > > [microsoft.public.dotnet.framework.aspnet.security]
> >
> >
> >
> > [microsoft.public.dotnet.framework.aspnet.security]
>
>
>
> [microsoft.public.dotnet.framework.aspnet.security]
>.