| Groups | Blog | Home |
asp.net security : Win 2003 svr/ASP.NET 2.0 UNC share
On May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: > I'm trying to setup a simple test on writing to a file on an UNC share fr= om > an asp.net 2.0 webpage. This is whats happing in default.aspx: > > -------------------------------------------------------------------------= --=AD-------- > Dim path As String =3D "\\remoteserver\testshare" > > Response.Write(User.Identity.Name) > > My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's good", > True) > -------------------------------------------------------------------------= --=AD-------- > > impersonation is enabled and windows auth is setup in IIS 6. > > 1. When I run this on my Vista PC - I'm correctly authenticated and the f= ile > is written perfectly to the remote share. > 2. If I move my webapp to a Windows 2003/IIS 6 webserver and create a sha= re > on this server \\mywebserver\testshare everything still works perfectly > 3. But - I if I try to write to a REMOTE share i.e \\myotherserver\testsh= are > it fails with "file not found" - no further explanation :-S I've tried to > scan for activity on the remote servers filesystem with Filemon - but it > does'nt even look like it tries to access the share at all.... Permissions > are set to everyone both at NTFS and share permissions at this share. > > ANY ideas guys?? > > Regards, > Roger do you use an impersonation or you run the application under asp.net account?
I'm trying to setup a simple test on writing to a file on an UNC share from
an asp.net 2.0 webpage. This is whats happing in default.aspx: ----------------------------------------------------------------------------------- Dim path As String = "\\remoteserver\testshare" Response.Write(User.Identity.Name) My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's good", True) ----------------------------------------------------------------------------------- impersonation is enabled and windows auth is setup in IIS 6. 1. When I run this on my Vista PC - I'm correctly authenticated and the file is written perfectly to the remote share. 2. If I move my webapp to a Windows 2003/IIS 6 webserver and create a share on this server \\mywebserver\testshare everything still works perfectly 3. But - I if I try to write to a REMOTE share i.e \\myotherserver\testshare it fails with "file not found" - no further explanation :-S I've tried to scan for activity on the remote servers filesystem with Filemon - but it does'nt even look like it tries to access the share at all.... Permissions are set to everyone both at NTFS and share permissions at this share. ANY ideas guys?? Regards, Roger
I do impersonate. Testing with my own account - and it does have more than
sufficient permissions. [quoted text, click to view] "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: > I'm trying to setup a simple test on writing to a file on an UNC share > from > an asp.net 2.0 webpage. This is whats happing in default.aspx: > > ----------------------------------------------------------------------------------- > Dim path As String = "\\remoteserver\testshare" > > Response.Write(User.Identity.Name) > > My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's good", > True) > ----------------------------------------------------------------------------------- > > impersonation is enabled and windows auth is setup in IIS 6. > > 1. When I run this on my Vista PC - I'm correctly authenticated and the > file > is written perfectly to the remote share. > 2. If I move my webapp to a Windows 2003/IIS 6 webserver and create a > share > on this server \\mywebserver\testshare everything still works perfectly > 3. But - I if I try to write to a REMOTE share i.e > \\myotherserver\testshare > it fails with "file not found" - no further explanation :-S I've tried to > scan for activity on the remote servers filesystem with Filemon - but it > does'nt even look like it tries to access the share at all.... Permissions > are set to everyone both at NTFS and share permissions at this share. > > ANY ideas guys?? > > Regards, > Roger do you use an impersonation or you run the application under asp.net account?
well - if you are impersonating _and_ acccessing a remote resource - this
is called delegation and works only under specific pre-reqs: - Kerberos authentication (which implies a domain environment) - Delegation is set up (which is not the default) have a look here: http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > I do impersonate. Testing with my own account - and it does have more > than sufficient permissions. > > "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message > news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On May > 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: > >> I'm trying to setup a simple test on writing to a file on an UNC >> share >> from >> an asp.net 2.0 webpage. This is whats happing in default.aspx: >> --------------------------------------------------------------------- >> -------------- Dim path As String = "\\remoteserver\testshare" >> >> Response.Write(User.Identity.Name) >> >> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's >> good", True) >> --------------------------------------------------------------------- >> -------------- >> >> impersonation is enabled and windows auth is setup in IIS 6. >> >> 1. When I run this on my Vista PC - I'm correctly authenticated and >> the >> file >> is written perfectly to the remote share. >> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and create a >> share >> on this server \\mywebserver\testshare everything still works >> perfectly >> 3. But - I if I try to write to a REMOTE share i.e >> \\myotherserver\testshare >> it fails with "file not found" - no further explanation :-S I've >> tried to >> scan for activity on the remote servers filesystem with Filemon - but >> it >> does'nt even look like it tries to access the share at all.... >> Permissions >> are set to everyone both at NTFS and share permissions at this share. >> ANY ideas guys?? >> >> Regards, >> Roger > do you use an impersonation or you run the application under asp.net > account? >
you haven't read the article, did you?
Are you sure your SPNs are setup correctly - are you REALLY using Kerbers (check the security event log of the web server for logon events - which authentication package to you see?) ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Thanks Dominick, > > 1. The web server is a win2003/iis 6 box - same with the box I've > setup the share on for test purposes - both members of our domain > > 2. I am impersonating an using a domain account to access the site. > > 3. The site is setup with "Integrated auth" > > 4. The DC is running as "Windows 2000 native" at the domain functional > level > > 5. The webserver hosting the app is setup as "Trust computer for > delagation" > > Still doesn't work - what is the last piece of the puzzle - > anyone.....?? :-) > > Roger > > "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote > in message news:51eb3048f4808c95ea322af0140@news.microsoft.com... > >> well - if you are impersonating _and_ acccessing a remote resource - >> this is called delegation and works only under specific pre-reqs: >> >> - Kerberos authentication (which implies a domain environment) - >> Delegation is set up (which is not the default) >> >> have a look here: >> >> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default >> .aspx >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> I do impersonate. Testing with my own account - and it does have >>> more than sufficient permissions. >>> >>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On May >>> 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>> >>>> I'm trying to setup a simple test on writing to a file on an UNC >>>> share >>>> from >>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>> ------------------------------------------------------------------- >>>> -- >>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>> Response.Write(User.Identity.Name) >>>> >>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's >>>> good", True) >>>> ------------------------------------------------------------------- >>>> -- -------------- >>>> >>>> impersonation is enabled and windows auth is setup in IIS 6. >>>> >>>> 1. When I run this on my Vista PC - I'm correctly authenticated and >>>> the >>>> file >>>> is written perfectly to the remote share. >>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and create >>>> a >>>> share >>>> on this server \\mywebserver\testshare everything still works >>>> perfectly >>>> 3. But - I if I try to write to a REMOTE share i.e >>>> \\myotherserver\testshare >>>> it fails with "file not found" - no further explanation :-S I've >>>> tried to >>>> scan for activity on the remote servers filesystem with Filemon - >>>> but >>>> it >>>> does'nt even look like it tries to access the share at all.... >>>> Permissions >>>> are set to everyone both at NTFS and share permissions at this >>>> share. >>>> ANY ideas guys?? >>>> Regards, >>>> Roger >>> do you use an impersonation or you run the application under asp.net >>> account? >>>
Thanks Dominick,
1. The web server is a win2003/iis 6 box - same with the box I've setup the share on for test purposes - both members of our domain 2. I am impersonating an using a domain account to access the site. 3. The site is setup with "Integrated auth" 4. The DC is running as "Windows 2000 native" at the domain functional level 5. The webserver hosting the app is setup as "Trust computer for delagation" Still doesn't work - what is the last piece of the puzzle - anyone.....?? :-) Roger "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb3048f4808c95ea322af0140@news.microsoft.com... [quoted text, click to view] > well - if you are impersonating _and_ acccessing a remote resource - this
> is called delegation and works only under specific pre-reqs: > > - Kerberos authentication (which implies a domain environment) > - Delegation is set up (which is not the default) > > have a look here: > > http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications > (http://www.microsoft.com/mspress/books/9989.asp) > >> I do impersonate. Testing with my own account - and it does have more >> than sufficient permissions. >> >> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On May >> 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >> >>> I'm trying to setup a simple test on writing to a file on an UNC >>> share >>> from >>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>> --------------------------------------------------------------------- >>> -------------- Dim path As String = "\\remoteserver\testshare" >>> >>> Response.Write(User.Identity.Name) >>> >>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's >>> good", True) >>> --------------------------------------------------------------------- >>> -------------- >>> >>> impersonation is enabled and windows auth is setup in IIS 6. >>> >>> 1. When I run this on my Vista PC - I'm correctly authenticated and >>> the >>> file >>> is written perfectly to the remote share. >>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and create a >>> share >>> on this server \\mywebserver\testshare everything still works >>> perfectly >>> 3. But - I if I try to write to a REMOTE share i.e >>> \\myotherserver\testshare >>> it fails with "file not found" - no further explanation :-S I've >>> tried to >>> scan for activity on the remote servers filesystem with Filemon - but >>> it >>> does'nt even look like it tries to access the share at all.... >>> Permissions >>> are set to everyone both at NTFS and share permissions at this share. >>> ANY ideas guys?? >>> >>> Regards, >>> Roger >> do you use an impersonation or you run the application under asp.net >> account? >> > >
Sorry - didn't see the article yesterday :-P
Excellent article - steped through the troubleshooting part - seems the two servers are negotiating NTLM between them.... - seems the client and webserver also negotiated NTLM Do you have any ideas on how the SPN should be setup? The webserver hosting the app is running IIS6 under the "Network Service" account and is called web1.mydomain.com Used LDP to find these SPN's already configured: servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; HOST/WEB1; HOST/WEB1.mydomain.com; Pretty much the same with the filesharing server only the name is web2: Regards, Roger "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... [quoted text, click to view] > you haven't read the article, did you?
> > Are you sure your SPNs are setup correctly - are you REALLY using Kerbers > (check the security event log of the web server for logon events - which > authentication package to you see?) > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications > (http://www.microsoft.com/mspress/books/9989.asp) > >> Thanks Dominick, >> >> 1. The web server is a win2003/iis 6 box - same with the box I've >> setup the share on for test purposes - both members of our domain >> >> 2. I am impersonating an using a domain account to access the site. >> >> 3. The site is setup with "Integrated auth" >> >> 4. The DC is running as "Windows 2000 native" at the domain functional >> level >> >> 5. The webserver hosting the app is setup as "Trust computer for >> delagation" >> >> Still doesn't work - what is the last piece of the puzzle - >> anyone.....?? :-) >> >> Roger >> >> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote >> in message news:51eb3048f4808c95ea322af0140@news.microsoft.com... >> >>> well - if you are impersonating _and_ acccessing a remote resource - >>> this is called delegation and works only under specific pre-reqs: >>> >>> - Kerberos authentication (which implies a domain environment) - >>> Delegation is set up (which is not the default) >>> >>> have a look here: >>> >>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default >>> .aspx >>> >>> ----- >>> Dominick Baier (http://www.leastprivilege.com) >>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>> (http://www.microsoft.com/mspress/books/9989.asp) >>> >>>> I do impersonate. Testing with my own account - and it does have >>>> more than sufficient permissions. >>>> >>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On May >>>> 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>> >>>>> I'm trying to setup a simple test on writing to a file on an UNC >>>>> share >>>>> from >>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>> ------------------------------------------------------------------- >>>>> -- >>>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>>> Response.Write(User.Identity.Name) >>>>> >>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's >>>>> good", True) >>>>> ------------------------------------------------------------------- >>>>> -- -------------- >>>>> >>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>> >>>>> 1. When I run this on my Vista PC - I'm correctly authenticated and >>>>> the >>>>> file >>>>> is written perfectly to the remote share. >>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and create >>>>> a >>>>> share >>>>> on this server \\mywebserver\testshare everything still works >>>>> perfectly >>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>> \\myotherserver\testshare >>>>> it fails with "file not found" - no further explanation :-S I've >>>>> tried to >>>>> scan for activity on the remote servers filesystem with Filemon - >>>>> but >>>>> it >>>>> does'nt even look like it tries to access the share at all.... >>>>> Permissions >>>>> are set to everyone both at NTFS and share permissions at this >>>>> share. >>>>> ANY ideas guys?? >>>>> Regards, >>>>> Roger >>>> do you use an impersonation or you run the application under asp.net >>>> account? >>>> > >
what do you type into IE to open the web app?
----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Sorry - didn't see the article yesterday :-P > > Excellent article - steped through the troubleshooting part > - seems the two servers are negotiating NTLM between them.... > - seems the client and webserver also negotiated NTLM > Do you have any ideas on how the SPN should be setup? > > The webserver hosting the app is running IIS6 under the "Network > Service" > account and is called web1.mydomain.com > Used LDP to find these SPN's already configured: > servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; > HOST/WEB1; HOST/WEB1.mydomain.com; > Pretty much the same with the filesharing server only the name is > web2: > > Regards, > Roger > "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote > in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... > >> you haven't read the article, did you? >> >> Are you sure your SPNs are setup correctly - are you REALLY using >> Kerbers (check the security event log of the web server for logon >> events - which authentication package to you see?) >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Thanks Dominick, >>> >>> 1. The web server is a win2003/iis 6 box - same with the box I've >>> setup the share on for test purposes - both members of our domain >>> >>> 2. I am impersonating an using a domain account to access the site. >>> >>> 3. The site is setup with "Integrated auth" >>> >>> 4. The DC is running as "Windows 2000 native" at the domain >>> functional level >>> >>> 5. The webserver hosting the app is setup as "Trust computer for >>> delagation" >>> >>> Still doesn't work - what is the last piece of the puzzle - >>> anyone.....?? :-) >>> >>> Roger >>> >>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>> wrote in message >>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>> >>>> well - if you are impersonating _and_ acccessing a remote resource >>>> - this is called delegation and works only under specific pre-reqs: >>>> >>>> - Kerberos authentication (which implies a domain environment) - >>>> Delegation is set up (which is not the default) >>>> >>>> have a look here: >>>> >>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/defau >>>> lt .aspx >>>> >>>> ----- >>>> Dominick Baier (http://www.leastprivilege.com) >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>> I do impersonate. Testing with my own account - and it does have >>>>> more than sufficient permissions. >>>>> >>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On >>>>> May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>>> >>>>>> I'm trying to setup a simple test on writing to a file on an UNC >>>>>> share >>>>>> from >>>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>>> ----------------------------------------------------------------- >>>>>> -- >>>>>> -- >>>>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>>>> Response.Write(User.Identity.Name) >>>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's >>>>>> good", True) >>>>>> ----------------------------------------------------------------- >>>>>> -- -- -------------- >>>>>> >>>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>>> >>>>>> 1. When I run this on my Vista PC - I'm correctly authenticated >>>>>> and >>>>>> the >>>>>> file >>>>>> is written perfectly to the remote share. >>>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and >>>>>> create >>>>>> a >>>>>> share >>>>>> on this server \\mywebserver\testshare everything still works >>>>>> perfectly >>>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>>> \\myotherserver\testshare >>>>>> it fails with "file not found" - no further explanation :-S I've >>>>>> tried to >>>>>> scan for activity on the remote servers filesystem with Filemon - >>>>>> but >>>>>> it >>>>>> does'nt even look like it tries to access the share at all.... >>>>>> Permissions >>>>>> are set to everyone both at NTFS and share permissions at this >>>>>> share. >>>>>> ANY ideas guys?? >>>>>> Regards, >>>>>> Roger >>>>> do you use an impersonation or you run the application under >>>>> asp.net account? >>>>>
Hey,
First of all - thanks for you patience and excellent help on this one Dominick... :-) I use http://demoapp.mydomain.com I got kerberos working now between client and webserver by using setspn -A HTTP/demoapp.mydomain.com web1 Now I need to setup Kerberos between the web1 and fileserver web2. What service am I supposed to use for setspn on the fileserver? Roger "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb3048f59e8c95f7427220f70@news.microsoft.com... [quoted text, click to view] > what do you type into IE to open the web app?
> > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications > (http://www.microsoft.com/mspress/books/9989.asp) > >> Sorry - didn't see the article yesterday :-P >> >> Excellent article - steped through the troubleshooting part >> - seems the two servers are negotiating NTLM between them.... >> - seems the client and webserver also negotiated NTLM >> Do you have any ideas on how the SPN should be setup? >> >> The webserver hosting the app is running IIS6 under the "Network >> Service" >> account and is called web1.mydomain.com >> Used LDP to find these SPN's already configured: >> servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; >> HOST/WEB1; HOST/WEB1.mydomain.com; >> Pretty much the same with the filesharing server only the name is >> web2: >> >> Regards, >> Roger >> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote >> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >> >>> you haven't read the article, did you? >>> >>> Are you sure your SPNs are setup correctly - are you REALLY using >>> Kerbers (check the security event log of the web server for logon >>> events - which authentication package to you see?) >>> >>> ----- >>> Dominick Baier (http://www.leastprivilege.com) >>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>> (http://www.microsoft.com/mspress/books/9989.asp) >>> >>>> Thanks Dominick, >>>> >>>> 1. The web server is a win2003/iis 6 box - same with the box I've >>>> setup the share on for test purposes - both members of our domain >>>> >>>> 2. I am impersonating an using a domain account to access the site. >>>> >>>> 3. The site is setup with "Integrated auth" >>>> >>>> 4. The DC is running as "Windows 2000 native" at the domain >>>> functional level >>>> >>>> 5. The webserver hosting the app is setup as "Trust computer for >>>> delagation" >>>> >>>> Still doesn't work - what is the last piece of the puzzle - >>>> anyone.....?? :-) >>>> >>>> Roger >>>> >>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>> wrote in message >>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>> >>>>> well - if you are impersonating _and_ acccessing a remote resource >>>>> - this is called delegation and works only under specific pre-reqs: >>>>> >>>>> - Kerberos authentication (which implies a domain environment) - >>>>> Delegation is set up (which is not the default) >>>>> >>>>> have a look here: >>>>> >>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/defau >>>>> lt .aspx >>>>> >>>>> ----- >>>>> Dominick Baier (http://www.leastprivilege.com) >>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>> I do impersonate. Testing with my own account - and it does have >>>>>> more than sufficient permissions. >>>>>> >>>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On >>>>>> May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>>>> >>>>>>> I'm trying to setup a simple test on writing to a file on an UNC >>>>>>> share >>>>>>> from >>>>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>>>> ----------------------------------------------------------------- >>>>>>> -- >>>>>>> -- >>>>>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>>>>> Response.Write(User.Identity.Name) >>>>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", "life's >>>>>>> good", True) >>>>>>> ----------------------------------------------------------------- >>>>>>> -- -- -------------- >>>>>>> >>>>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>>>> >>>>>>> 1. When I run this on my Vista PC - I'm correctly authenticated >>>>>>> and >>>>>>> the >>>>>>> file >>>>>>> is written perfectly to the remote share. >>>>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and >>>>>>> create >>>>>>> a >>>>>>> share >>>>>>> on this server \\mywebserver\testshare everything still works >>>>>>> perfectly >>>>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>>>> \\myotherserver\testshare >>>>>>> it fails with "file not found" - no further explanation :-S I've >>>>>>> tried to >>>>>>> scan for activity on the remote servers filesystem with Filemon - >>>>>>> but >>>>>>> it >>>>>>> does'nt even look like it tries to access the share at all.... >>>>>>> Permissions >>>>>>> are set to everyone both at NTFS and share permissions at this >>>>>>> share. >>>>>>> ANY ideas guys?? >>>>>>> Regards, >>>>>>> Roger >>>>>> do you use an impersonation or you run the application under >>>>>> asp.net account? >>>>>> > >
Hi,
you are welcome ;) try CIFS and HOST + the name of the machine as you use it in the UNC path. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Hey, > > First of all - thanks for you patience and excellent help on this one > Dominick... :-) > > I use http://demoapp.mydomain.com > > I got kerberos working now between client and webserver by using > setspn -A HTTP/demoapp.mydomain.com web1 > > Now I need to setup Kerberos between the web1 and fileserver web2. > What service am I supposed to use for setspn on the fileserver? > > Roger > > "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote > in message news:51eb3048f59e8c95f7427220f70@news.microsoft.com... > >> what do you type into IE to open the web app? >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Sorry - didn't see the article yesterday :-P >>> >>> Excellent article - steped through the troubleshooting part >>> - seems the two servers are negotiating NTLM between them.... >>> - seems the client and webserver also negotiated NTLM >>> Do you have any ideas on how the SPN should be setup? >>> The webserver hosting the app is running IIS6 under the "Network >>> Service" >>> account and is called web1.mydomain.com >>> Used LDP to find these SPN's already configured: >>> servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; >>> HOST/WEB1; HOST/WEB1.mydomain.com; >>> Pretty much the same with the filesharing server only the name is >>> web2: >>> Regards, >>> Roger >>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>> wrote >>> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >>>> you haven't read the article, did you? >>>> >>>> Are you sure your SPNs are setup correctly - are you REALLY using >>>> Kerbers (check the security event log of the web server for logon >>>> events - which authentication package to you see?) >>>> >>>> ----- >>>> Dominick Baier (http://www.leastprivilege.com) >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>> Thanks Dominick, >>>>> >>>>> 1. The web server is a win2003/iis 6 box - same with the box I've >>>>> setup the share on for test purposes - both members of our domain >>>>> >>>>> 2. I am impersonating an using a domain account to access the >>>>> site. >>>>> >>>>> 3. The site is setup with "Integrated auth" >>>>> >>>>> 4. The DC is running as "Windows 2000 native" at the domain >>>>> functional level >>>>> >>>>> 5. The webserver hosting the app is setup as "Trust computer for >>>>> delagation" >>>>> >>>>> Still doesn't work - what is the last piece of the puzzle - >>>>> anyone.....?? :-) >>>>> >>>>> Roger >>>>> >>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>> wrote in message >>>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>>> >>>>>> well - if you are impersonating _and_ acccessing a remote >>>>>> resource - this is called delegation and works only under >>>>>> specific pre-reqs: >>>>>> >>>>>> - Kerberos authentication (which implies a domain environment) - >>>>>> Delegation is set up (which is not the default) >>>>>> >>>>>> have a look here: >>>>>> >>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/def >>>>>> au lt .aspx >>>>>> >>>>>> ----- >>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>> I do impersonate. Testing with my own account - and it does have >>>>>>> more than sufficient permissions. >>>>>>> >>>>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On >>>>>>> May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>>>>> >>>>>>>> I'm trying to setup a simple test on writing to a file on an >>>>>>>> UNC >>>>>>>> share >>>>>>>> from >>>>>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>>>>> --------------------------------------------------------------- >>>>>>>> -- >>>>>>>> -- >>>>>>>> -- >>>>>>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>>>>>> Response.Write(User.Identity.Name) >>>>>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", >>>>>>>> "life's >>>>>>>> good", True) >>>>>>>> --------------------------------------------------------------- >>>>>>>> -- >>>>>>>> -- -- -------------- >>>>>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>>>>> >>>>>>>> 1. When I run this on my Vista PC - I'm correctly authenticated >>>>>>>> and >>>>>>>> the >>>>>>>> file >>>>>>>> is written perfectly to the remote share. >>>>>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and >>>>>>>> create >>>>>>>> a >>>>>>>> share >>>>>>>> on this server \\mywebserver\testshare everything still works >>>>>>>> perfectly >>>>>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>>>>> \\myotherserver\testshare >>>>>>>> it fails with "file not found" - no further explanation :-S >>>>>>>> I've >>>>>>>> tried to >>>>>>>> scan for activity on the remote servers filesystem with Filemon >>>>>>>> - >>>>>>>> but >>>>>>>> it >>>>>>>> does'nt even look like it tries to access the share at all.... >>>>>>>> Permissions >>>>>>>> are set to everyone both at NTFS and share permissions at this >>>>>>>> share. >>>>>>>> ANY ideas guys?? >>>>>>>> Regards, >>>>>>>> Roger >>>>>>> do you use an impersonation or you run the application under >>>>>>> asp.net account? >>>>>>>
yep. also alternatively try the fully qualified domain name
----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Like this? setspn -A CIFS/web2 web2 > > "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote > in message news:51eb3048f5a38c95f7dba36ddf0@news.microsoft.com... > >> Hi, >> you are welcome ;) >> try CIFS and HOST + the name of the machine as you use it in the UNC >> path. >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Hey, >>> >>> First of all - thanks for you patience and excellent help on this >>> one Dominick... :-) >>> >>> I use http://demoapp.mydomain.com >>> >>> I got kerberos working now between client and webserver by using >>> setspn -A HTTP/demoapp.mydomain.com web1 >>> >>> Now I need to setup Kerberos between the web1 and fileserver web2. >>> What service am I supposed to use for setspn on the fileserver? >>> >>> Roger >>> >>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>> wrote in message >>> news:51eb3048f59e8c95f7427220f70@news.microsoft.com... >>> >>>> what do you type into IE to open the web app? >>>> >>>> ----- >>>> Dominick Baier (http://www.leastprivilege.com) >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>> Sorry - didn't see the article yesterday :-P >>>>> >>>>> Excellent article - steped through the troubleshooting part >>>>> - seems the two servers are negotiating NTLM between them.... >>>>> - seems the client and webserver also negotiated NTLM >>>>> Do you have any ideas on how the SPN should be setup? >>>>> The webserver hosting the app is running IIS6 under the "Network >>>>> Service" >>>>> account and is called web1.mydomain.com >>>>> Used LDP to find these SPN's already configured: >>>>> servicePrincipalName: SMTPSVC/WEB1; >>>>> SMTPSVC/STRA-WEB1.mydomain.com; >>>>> HOST/WEB1; HOST/WEB1.mydomain.com; >>>>> Pretty much the same with the filesharing server only the name is >>>>> web2: >>>>> Regards, >>>>> Roger >>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>> wrote >>>>> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >>>>>> you haven't read the article, did you? >>>>>> >>>>>> Are you sure your SPNs are setup correctly - are you REALLY using >>>>>> Kerbers (check the security event log of the web server for logon >>>>>> events - which authentication package to you see?) >>>>>> >>>>>> ----- >>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>> Thanks Dominick, >>>>>>> >>>>>>> 1. The web server is a win2003/iis 6 box - same with the box >>>>>>> I've setup the share on for test purposes - both members of our >>>>>>> domain >>>>>>> >>>>>>> 2. I am impersonating an using a domain account to access the >>>>>>> site. >>>>>>> >>>>>>> 3. The site is setup with "Integrated auth" >>>>>>> >>>>>>> 4. The DC is running as "Windows 2000 native" at the domain >>>>>>> functional level >>>>>>> >>>>>>> 5. The webserver hosting the app is setup as "Trust computer >>>>>>> for delagation" >>>>>>> >>>>>>> Still doesn't work - what is the last piece of the puzzle - >>>>>>> anyone.....?? :-) >>>>>>> >>>>>>> Roger >>>>>>> >>>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>>>> wrote in message >>>>>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>>>>> >>>>>>>> well - if you are impersonating _and_ acccessing a remote >>>>>>>> resource - this is called delegation and works only under >>>>>>>> specific pre-reqs: >>>>>>>> >>>>>>>> - Kerberos authentication (which implies a domain environment) >>>>>>>> - Delegation is set up (which is not the default) >>>>>>>> >>>>>>>> have a look here: >>>>>>>> >>>>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/d >>>>>>>> ef au lt .aspx >>>>>>>> >>>>>>>> ----- >>>>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>>>> I do impersonate. Testing with my own account - and it does >>>>>>>>> have more than sufficient permissions. >>>>>>>>> >>>>>>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>>>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... >>>>>>>>> On May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> I'm trying to setup a simple test on writing to a file on an >>>>>>>>>> UNC >>>>>>>>>> share >>>>>>>>>> from >>>>>>>>>> an asp.net 2.0 webpage. This is whats happing in >>>>>>>>>> default.aspx: >>>>>>>>>> ------------------------------------------------------------- >>>>>>>>>> -- >>>>>>>>>> -- >>>>>>>>>> -- >>>>>>>>>> -- >>>>>>>>>> -------------- Dim path As String = >>>>>>>>>> "\\remoteserver\testshare" >>>>>>>>>> Response.Write(User.Identity.Name) >>>>>>>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", >>>>>>>>>> "life's >>>>>>>>>> good", True) >>>>>>>>>> ------------------------------------------------------------- >>>>>>>>>> -- >>>>>>>>>> -- >>>>>>>>>> -- -- -------------- >>>>>>>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>>>>>>> 1. When I run this on my Vista PC - I'm correctly >>>>>>>>>> authenticated >>>>>>>>>> and >>>>>>>>>> the >>>>>>>>>> file >>>>>>>>>> is written perfectly to the remote share. >>>>>>>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and >>>>>>>>>> create >>>>>>>>>> a >>>>>>>>>> share >>>>>>>>>> on this server \\mywebserver\testshare everything still works >>>>>>>>>> perfectly >>>>>>>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>>>>>>> \\myotherserver\testshare >>>>>>>>>> it fails with "file not found" - no further explanation :-S >>>>>>>>>> I've >>>>>>>>>> tried to >>>>>>>>>> scan for activity on the remote servers filesystem with >>>>>>>>>> Filemon >>>>>>>>>> - >>>>>>>>>> but >>>>>>>>>> it >>>>>>>>>> does'nt even look like it tries to access the share at >>>>>>>>>> all.... >>>>>>>>>> Permissions >>>>>>>>>> are set to everyone both at NTFS and share permissions at >>>>>>>>>> this >>>>>>>>>> share. >>>>>>>>>> ANY ideas guys?? >>>>>>>>>> Regards, >>>>>>>>>> Roger >>>>>>>>> do you use an impersonation or you run the application under >>>>>>>>> asp.net account? >>>>>>>>>
this looks like that you are not impersonating when making the hop from web
to fileserver. Check the value of WindowsIdentity.GetCurrent().Name before doing the access - it should hold the username of the client and _not_ NETWORK SERVICE... ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > hmmmm.....auth seems to work using Kerberos between the webserver and
> client: > > event log from WEBSERVER: > -------------------------------- > Event Type: Success Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 540 > Date: 2007-05-08 > Time: 12:17:02 > User: MYDOMAIN\RLA > Computer: WEB1 > Description: > Successful Network Logon: > User Name: RLA > Domain: MYDOMAIN > Logon ID: (0x0,0x5FC7F2AC) > Logon Type: 3 > Logon Process: Kerberos > Authentication Package: Kerberos > Workstation Name: > Logon GUID: {624ca6b7-acdf-1e0c-f71d-b89a9ca74c6f} > Caller User Name: - > Caller Domain: - > Caller Logon ID: - > Caller Process ID: - > Transited Services: - > Source Network Address: 10.1.1.99 > Source Port: 50135 > ----------------- > but not on the file server somthing seems odd. > It looks like me that the webserver tries to connect using Kerberos > first > using a user named WEB1$(??) and then NTLM an ANONYMOUS...... > eventlog of WEB2 > ------------------- > Event Type: Success Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 540 > Date: 08.05.2007 > Time: 12:20:12 > User: MYDOMAIN\WEB1$ > Computer: WEB2 > Description: > Successful Network Logon: > User Name: WEB1$ > Domain: MYDOMAIN > Logon ID: (0x0,0x52375B9) > Logon Type: 3 > Logon Process: Kerberos > Authentication Package: Kerberos > Workstation Name: > Logon GUID: {2981b3ae-a8dd-1971-830a-3dd64c0d27ac} > Caller User Name: - > Caller Domain: - > Caller Logon ID: - > Caller Process ID: - > Transited Services: - > Source Network Address: 10.1.1.55 > Source Port: 0 > ------------------- > Event Type: Success Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 540 > Date: 08.05.2007 > Time: 12:20:12 > User: NT AUTHORITY\ANONYMOUS LOGON > Computer: WEB2 > Description: > Successful Network Logon: > User Name: > Domain: > Logon ID: (0x0,0x52375C4) > Logon Type: 3 > Logon Process: NtLmSsp > Authentication Package: NTLM > Workstation Name: WEB1 > Logon GUID: - > Caller User Name: - > Caller Domain: - > Caller Logon ID: - > Caller Process ID: - > Transited Services: - > Source Network Address: 10.1.1.55 > Source Port: 0 > ------------------- > > "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote > in message news:51eb3048f5a38c95f7dba36ddf0@news.microsoft.com... > >> Hi, >> you are welcome ;) >> try CIFS and HOST + the name of the machine as you use it in the UNC >> path. >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Hey, >>> >>> First of all - thanks for you patience and excellent help on this >>> one Dominick... :-) >>> >>> I use http://demoapp.mydomain.com >>> >>> I got kerberos working now between client and webserver by using >>> setspn -A HTTP/demoapp.mydomain.com web1 >>> >>> Now I need to setup Kerberos between the web1 and fileserver web2. >>> What service am I supposed to use for setspn on the fileserver? >>> >>> Roger >>> >>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>> wrote in message >>> news:51eb3048f59e8c95f7427220f70@news.microsoft.com... >>> >>>> what do you type into IE to open the web app? >>>> >>>> ----- >>>> Dominick Baier (http://www.leastprivilege.com) >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>> Sorry - didn't see the article yesterday :-P >>>>> >>>>> Excellent article - steped through the troubleshooting part >>>>> - seems the two servers are negotiating NTLM between them.... >>>>> - seems the client and webserver also negotiated NTLM >>>>> Do you have any ideas on how the SPN should be setup? >>>>> The webserver hosting the app is running IIS6 under the "Network >>>>> Service" >>>>> account and is called web1.mydomain.com >>>>> Used LDP to find these SPN's already configured: >>>>> servicePrincipalName: SMTPSVC/WEB1; >>>>> SMTPSVC/STRA-WEB1.mydomain.com; >>>>> HOST/WEB1; HOST/WEB1.mydomain.com; >>>>> Pretty much the same with the filesharing server only the name is >>>>> web2: >>>>> Regards, >>>>> Roger >>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>> wrote >>>>> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >>>>>> you haven't read the article, did you? >>>>>> >>>>>> Are you sure your SPNs are setup correctly - are you REALLY using >>>>>> Kerbers (check the security event log of the web server for logon >>>>>> events - which authentication package to you see?) >>>>>> >>>>>> ----- >>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>> Thanks Dominick, >>>>>>> >>>>>>> 1. The web server is a win2003/iis 6 box - same with the box >>>>>>> I've setup the share on for test purposes - both members of our >>>>>>> domain >>>>>>> >>>>>>> 2. I am impersonating an using a domain account to access the >>>>>>> site. >>>>>>> >>>>>>> 3. The site is setup with "Integrated auth" >>>>>>> >>>>>>> 4. The DC is running as "Windows 2000 native" at the domain >>>>>>> functional level >>>>>>> >>>>>>> 5. The webserver hosting the app is setup as "Trust computer >>>>>>> for delagation" >>>>>>> >>>>>>> Still doesn't work - what is the last piece of the puzzle - >>>>>>> anyone.....?? :-) >>>>>>> >>>>>>> Roger >>>>>>> >>>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>>>> wrote in message >>>>>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>>>>> >>>>>>>> well - if you are impersonating _and_ acccessing a remote >>>>>>>> resource - this is called delegation and works only under >>>>>>>> specific pre-reqs: >>>>>>>> >>>>>>>> - Kerberos authentication (which implies a domain environment) >>>>>>>> - Delegation is set up (which is not the default) >>>>>>>> >>>>>>>> have a look here: >>>>>>>> >>>>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/d >>>>>>>> ef au lt .aspx >>>>>>>> >>>>>>>> ----- >>>>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
Like this? setspn -A CIFS/web2 web2
"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb3048f5a38c95f7dba36ddf0@news.microsoft.com... [quoted text, click to view] > Hi,
> you are welcome ;) > > try CIFS and HOST + the name of the machine as you use it in the UNC path. > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications > (http://www.microsoft.com/mspress/books/9989.asp) > >> Hey, >> >> First of all - thanks for you patience and excellent help on this one >> Dominick... :-) >> >> I use http://demoapp.mydomain.com >> >> I got kerberos working now between client and webserver by using >> setspn -A HTTP/demoapp.mydomain.com web1 >> >> Now I need to setup Kerberos between the web1 and fileserver web2. >> What service am I supposed to use for setspn on the fileserver? >> >> Roger >> >> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote >> in message news:51eb3048f59e8c95f7427220f70@news.microsoft.com... >> >>> what do you type into IE to open the web app? >>> >>> ----- >>> Dominick Baier (http://www.leastprivilege.com) >>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>> (http://www.microsoft.com/mspress/books/9989.asp) >>> >>>> Sorry - didn't see the article yesterday :-P >>>> >>>> Excellent article - steped through the troubleshooting part >>>> - seems the two servers are negotiating NTLM between them.... >>>> - seems the client and webserver also negotiated NTLM >>>> Do you have any ideas on how the SPN should be setup? >>>> The webserver hosting the app is running IIS6 under the "Network >>>> Service" >>>> account and is called web1.mydomain.com >>>> Used LDP to find these SPN's already configured: >>>> servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; >>>> HOST/WEB1; HOST/WEB1.mydomain.com; >>>> Pretty much the same with the filesharing server only the name is >>>> web2: >>>> Regards, >>>> Roger >>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>> wrote >>>> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >>>>> you haven't read the article, did you? >>>>> >>>>> Are you sure your SPNs are setup correctly - are you REALLY using >>>>> Kerbers (check the security event log of the web server for logon >>>>> events - which authentication package to you see?) >>>>> >>>>> ----- >>>>> Dominick Baier (http://www.leastprivilege.com) >>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>> Thanks Dominick, >>>>>> >>>>>> 1. The web server is a win2003/iis 6 box - same with the box I've >>>>>> setup the share on for test purposes - both members of our domain >>>>>> >>>>>> 2. I am impersonating an using a domain account to access the >>>>>> site. >>>>>> >>>>>> 3. The site is setup with "Integrated auth" >>>>>> >>>>>> 4. The DC is running as "Windows 2000 native" at the domain >>>>>> functional level >>>>>> >>>>>> 5. The webserver hosting the app is setup as "Trust computer for >>>>>> delagation" >>>>>> >>>>>> Still doesn't work - what is the last piece of the puzzle - >>>>>> anyone.....?? :-) >>>>>> >>>>>> Roger >>>>>> >>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>>> wrote in message >>>>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>>>> >>>>>>> well - if you are impersonating _and_ acccessing a remote >>>>>>> resource - this is called delegation and works only under >>>>>>> specific pre-reqs: >>>>>>> >>>>>>> - Kerberos authentication (which implies a domain environment) - >>>>>>> Delegation is set up (which is not the default) >>>>>>> >>>>>>> have a look here: >>>>>>> >>>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/def >>>>>>> au lt .aspx >>>>>>> >>>>>>> ----- >>>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>>> I do impersonate. Testing with my own account - and it does have >>>>>>>> more than sufficient permissions. >>>>>>>> >>>>>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On >>>>>>>> May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>>>>>> >>>>>>>>> I'm trying to setup a simple test on writing to a file on an >>>>>>>>> UNC >>>>>>>>> share >>>>>>>>> from >>>>>>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>>>>>> --------------------------------------------------------------- >>>>>>>>> -- >>>>>>>>> -- >>>>>>>>> -- >>>>>>>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>>>>>>> Response.Write(User.Identity.Name) >>>>>>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", >>>>>>>>> "life's >>>>>>>>> good", True) >>>>>>>>> --------------------------------------------------------------- >>>>>>>>> -- >>>>>>>>> -- -- -------------- >>>>>>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>>>>>> >>>>>>>>> 1. When I run this on my Vista PC - I'm correctly authenticated >>>>>>>>> and >>>>>>>>> the >>>>>>>>> file >>>>>>>>> is written perfectly to the remote share. >>>>>>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and >>>>>>>>> create >>>>>>>>> a >>>>>>>>> share >>>>>>>>> on this server \\mywebserver\testshare everything still works >>>>>>>>> perfectly >>>>>>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>>>>>> \\myotherserver\testshare >>>>>>>>> it fails with "file not found" - no further explanation :-S >>>>>>>>> I've >>>>>>>>> tried to >>>>>>>>> scan for activity on the remote servers filesystem with Filemon >>>>>>>>> - >>>>>>>>> but >>>>>>>>> it >>>>>>>>> does'nt even look like it tries to access the share at all.... >>>>>>>>> Permissions >>>>>>>>> are set to everyone both at NTFS and share permissions at this >>>>>>>>> share. >>>>>>>>> ANY ideas guys?? >>>>>>>>> Regards, >>>>>>>>> Roger >>>>>>>> do you use an impersonation or you run the application under >>>>>>>> asp.net account? >>>>>>>> > >
hmmmm.....auth seems to work using Kerberos between the webserver and
client: event log from WEBSERVER: -------------------------------- Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 2007-05-08 Time: 12:17:02 User: MYDOMAIN\RLA Computer: WEB1 Description: Successful Network Logon: User Name: RLA Domain: MYDOMAIN Logon ID: (0x0,0x5FC7F2AC) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {624ca6b7-acdf-1e0c-f71d-b89a9ca74c6f} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.1.1.99 Source Port: 50135 ----------------- but not on the file server somthing seems odd. It looks like me that the webserver tries to connect using Kerberos first using a user named WEB1$(??) and then NTLM an ANONYMOUS...... eventlog of WEB2 ------------------- Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 08.05.2007 Time: 12:20:12 User: MYDOMAIN\WEB1$ Computer: WEB2 Description: Successful Network Logon: User Name: WEB1$ Domain: MYDOMAIN Logon ID: (0x0,0x52375B9) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {2981b3ae-a8dd-1971-830a-3dd64c0d27ac} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.1.1.55 Source Port: 0 ------------------- Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 08.05.2007 Time: 12:20:12 User: NT AUTHORITY\ANONYMOUS LOGON Computer: WEB2 Description: Successful Network Logon: User Name: Domain: Logon ID: (0x0,0x52375C4) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WEB1 Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.1.1.55 Source Port: 0 ------------------- "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb3048f5a38c95f7dba36ddf0@news.microsoft.com... [quoted text, click to view] > Hi,
> you are welcome ;) > > try CIFS and HOST + the name of the machine as you use it in the UNC path. > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications > (http://www.microsoft.com/mspress/books/9989.asp) > >> Hey, >> >> First of all - thanks for you patience and excellent help on this one >> Dominick... :-) >> >> I use http://demoapp.mydomain.com >> >> I got kerberos working now between client and webserver by using >> setspn -A HTTP/demoapp.mydomain.com web1 >> >> Now I need to setup Kerberos between the web1 and fileserver web2. >> What service am I supposed to use for setspn on the fileserver? >> >> Roger >> >> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote >> in message news:51eb3048f59e8c95f7427220f70@news.microsoft.com... >> >>> what do you type into IE to open the web app? >>> >>> ----- >>> Dominick Baier (http://www.leastprivilege.com) >>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>> (http://www.microsoft.com/mspress/books/9989.asp) >>> >>>> Sorry - didn't see the article yesterday :-P >>>> >>>> Excellent article - steped through the troubleshooting part >>>> - seems the two servers are negotiating NTLM between them.... >>>> - seems the client and webserver also negotiated NTLM >>>> Do you have any ideas on how the SPN should be setup? >>>> The webserver hosting the app is running IIS6 under the "Network >>>> Service" >>>> account and is called web1.mydomain.com >>>> Used LDP to find these SPN's already configured: >>>> servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; >>>> HOST/WEB1; HOST/WEB1.mydomain.com; >>>> Pretty much the same with the filesharing server only the name is >>>> web2: >>>> Regards, >>>> Roger >>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>> wrote >>>> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >>>>> you haven't read the article, did you? >>>>> >>>>> Are you sure your SPNs are setup correctly - are you REALLY using >>>>> Kerbers (check the security event log of the web server for logon >>>>> events - which authentication package to you see?) >>>>> >>>>> ----- >>>>> Dominick Baier (http://www.leastprivilege.com) >>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>> Thanks Dominick, >>>>>> >>>>>> 1. The web server is a win2003/iis 6 box - same with the box I've >>>>>> setup the share on for test purposes - both members of our domain >>>>>> >>>>>> 2. I am impersonating an using a domain account to access the >>>>>> site. >>>>>> >>>>>> 3. The site is setup with "Integrated auth" >>>>>> >>>>>> 4. The DC is running as "Windows 2000 native" at the domain >>>>>> functional level >>>>>> >>>>>> 5. The webserver hosting the app is setup as "Trust computer for >>>>>> delagation" >>>>>> >>>>>> Still doesn't work - what is the last piece of the puzzle - >>>>>> anyone.....?? :-) >>>>>> >>>>>> Roger >>>>>> >>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>>> wrote in message >>>>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>>>> >>>>>>> well - if you are impersonating _and_ acccessing a remote >>>>>>> resource - this is called delegation and works only under >>>>>>> specific pre-reqs: >>>>>>> >>>>>>> - Kerberos authentication (which implies a domain environment) - >>>>>>> Delegation is set up (which is not the default) >>>>>>> >>>>>>> have a look here: >>>>>>> >>>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/def >>>>>>> au lt .aspx >>>>>>> >>>>>>> ----- >>>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>>> I do impersonate. Testing with my own account - and it does have >>>>>>>> more than sufficient permissions. >>>>>>>> >>>>>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On >>>>>>>> May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>>>>>> >>>>>>>>> I'm trying to setup a simple test on writing to a file on an >>>>>>>>> UNC >>>>>>>>> share >>>>>>>>> from >>>>>>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>>>>>> --------------------------------------------------------------- >>>>>>>>> -- >>>>>>>>> -- >>>>>>>>> --
Do you have SPNs for the below names?
----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) [quoted text, click to view] > Server Name: host/web2.mydomain > Target Name: host/web2.mydomain@mydomain
To me it looks like delagation doe not work - I'll try to reboot the damn
thing and see if it takes the new setting... :-P Roger "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:51eb3048f5a38c95f7dba36ddf0@news.microsoft.com... [quoted text, click to view] > Hi,
> you are welcome ;) > > try CIFS and HOST + the name of the machine as you use it in the UNC path. > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications > (http://www.microsoft.com/mspress/books/9989.asp) > >> Hey, >> >> First of all - thanks for you patience and excellent help on this one >> Dominick... :-) >> >> I use http://demoapp.mydomain.com >> >> I got kerberos working now between client and webserver by using >> setspn -A HTTP/demoapp.mydomain.com web1 >> >> Now I need to setup Kerberos between the web1 and fileserver web2. >> What service am I supposed to use for setspn on the fileserver? >> >> Roger >> >> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote >> in message news:51eb3048f59e8c95f7427220f70@news.microsoft.com... >> >>> what do you type into IE to open the web app? >>> >>> ----- >>> Dominick Baier (http://www.leastprivilege.com) >>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>> (http://www.microsoft.com/mspress/books/9989.asp) >>> >>>> Sorry - didn't see the article yesterday :-P >>>> >>>> Excellent article - steped through the troubleshooting part >>>> - seems the two servers are negotiating NTLM between them.... >>>> - seems the client and webserver also negotiated NTLM >>>> Do you have any ideas on how the SPN should be setup? >>>> The webserver hosting the app is running IIS6 under the "Network >>>> Service" >>>> account and is called web1.mydomain.com >>>> Used LDP to find these SPN's already configured: >>>> servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; >>>> HOST/WEB1; HOST/WEB1.mydomain.com; >>>> Pretty much the same with the filesharing server only the name is >>>> web2: >>>> Regards, >>>> Roger >>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>> wrote >>>> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >>>>> you haven't read the article, did you? >>>>> >>>>> Are you sure your SPNs are setup correctly - are you REALLY using >>>>> Kerbers (check the security event log of the web server for logon >>>>> events - which authentication package to you see?) >>>>> >>>>> ----- >>>>> Dominick Baier (http://www.leastprivilege.com) >>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>> Thanks Dominick, >>>>>> >>>>>> 1. The web server is a win2003/iis 6 box - same with the box I've >>>>>> setup the share on for test purposes - both members of our domain >>>>>> >>>>>> 2. I am impersonating an using a domain account to access the >>>>>> site. >>>>>> >>>>>> 3. The site is setup with "Integrated auth" >>>>>> >>>>>> 4. The DC is running as "Windows 2000 native" at the domain >>>>>> functional level >>>>>> >>>>>> 5. The webserver hosting the app is setup as "Trust computer for >>>>>> delagation" >>>>>> >>>>>> Still doesn't work - what is the last piece of the puzzle - >>>>>> anyone.....?? :-) >>>>>> >>>>>> Roger >>>>>> >>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>>> wrote in message >>>>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>>>> >>>>>>> well - if you are impersonating _and_ acccessing a remote >>>>>>> resource - this is called delegation and works only under >>>>>>> specific pre-reqs: >>>>>>> >>>>>>> - Kerberos authentication (which implies a domain environment) - >>>>>>> Delegation is set up (which is not the default) >>>>>>> >>>>>>> have a look here: >>>>>>> >>>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/def >>>>>>> au lt .aspx >>>>>>> >>>>>>> ----- >>>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>>> I do impersonate. Testing with my own account - and it does have >>>>>>>> more than sufficient permissions. >>>>>>>> >>>>>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On >>>>>>>> May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>>>>>> >>>>>>>>> I'm trying to setup a simple test on writing to a file on an >>>>>>>>> UNC >>>>>>>>> share >>>>>>>>> from >>>>>>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>>>>>> --------------------------------------------------------------- >>>>>>>>> -- >>>>>>>>> -- >>>>>>>>> -- >>>>>>>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>>>>>>> Response.Write(User.Identity.Name) >>>>>>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", >>>>>>>>> "life's >>>>>>>>> good", True) >>>>>>>>> --------------------------------------------------------------- >>>>>>>>> -- >>>>>>>>> -- -- -------------- >>>>>>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>>>>>> >>>>>>>>> 1. When I run this on my Vista PC - I'm correctly authenticated >>>>>>>>> and >>>>>>>>> the >>>>>>>>> file >>>>>>>>> is written perfectly to the remote share. >>>>>>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and >>>>>>>>> create >>>>>>>>> a >>>>>>>>> share >>>>>>>>> on this server \\mywebserver\testshare everything still works >>>>>>>>> perfectly >>>>>>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>>>>>> \\myotherserver\testshare >>>>>>>>> it fails with "file not found" - no further explanation :-S >>>>>>>>> I've >>>>>>>>> tried to >>>>>>>>> scan for activity on the remote servers filesystem with Filemon >>>>>>>>> - >>>>>>>>> but >>>>>>>>> it >>>>>>>>> does'nt even look like it tries to access the share at all.... >>>>>>>>> Permissions >>>>>>>>> are set to everyone both at NTFS and share permissions at this >>>>>>>>> share. >>>>>>>>> ANY ideas guys?? >>>>>>>>> Regards, >>>>>>>>> Roger >>>>>>>> do you use an impersonation or you run the application under >>>>>>>> asp.net account? >>>>>>>> > >
1. Used kerbtray.exe and found the falg set to "ok as delagate" for the webserver. 2. WindowsIdentity.GetCurrent().Name gives the correct username.... *aaarghhhhh* [quoted text, click to view] "Langedal, Roger" <roglan19@hotmail.com> wrote in message news:%23xOXeyVkHHA.2552@TK2MSFTNGP06.phx.gbl... > To me it looks like delagation doe not work - I'll try to reboot the damn > thing and see if it takes the new setting... :-P > > Roger > > "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in > message news:51eb3048f5a38c95f7dba36ddf0@news.microsoft.com... >> Hi, >> you are welcome ;) >> >> try CIFS and HOST + the name of the machine as you use it in the UNC >> path. >> >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >>> Hey, >>> >>> First of all - thanks for you patience and excellent help on this one >>> Dominick... :-) >>> >>> I use http://demoapp.mydomain.com >>> >>> I got kerberos working now between client and webserver by using >>> setspn -A HTTP/demoapp.mydomain.com web1 >>> >>> Now I need to setup Kerberos between the web1 and fileserver web2. >>> What service am I supposed to use for setspn on the fileserver? >>> >>> Roger >>> >>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote >>> in message news:51eb3048f59e8c95f7427220f70@news.microsoft.com... >>> >>>> what do you type into IE to open the web app? >>>> >>>> ----- >>>> Dominick Baier (http://www.leastprivilege.com) >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>> >>>>> Sorry - didn't see the article yesterday :-P >>>>> >>>>> Excellent article - steped through the troubleshooting part >>>>> - seems the two servers are negotiating NTLM between them.... >>>>> - seems the client and webserver also negotiated NTLM >>>>> Do you have any ideas on how the SPN should be setup? >>>>> The webserver hosting the app is running IIS6 under the "Network >>>>> Service" >>>>> account and is called web1.mydomain.com >>>>> Used LDP to find these SPN's already configured: >>>>> servicePrincipalName: SMTPSVC/WEB1; SMTPSVC/STRA-WEB1.mydomain.com; >>>>> HOST/WEB1; HOST/WEB1.mydomain.com; >>>>> Pretty much the same with the filesharing server only the name is >>>>> web2: >>>>> Regards, >>>>> Roger >>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>> wrote >>>>> in message news:51eb3048f4a98c95ed3bb39c0a0@news.microsoft.com... >>>>>> you haven't read the article, did you? >>>>>> >>>>>> Are you sure your SPNs are setup correctly - are you REALLY using >>>>>> Kerbers (check the security event log of the web server for logon >>>>>> events - which authentication package to you see?) >>>>>> >>>>>> ----- >>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>> Thanks Dominick, >>>>>>> >>>>>>> 1. The web server is a win2003/iis 6 box - same with the box I've >>>>>>> setup the share on for test purposes - both members of our domain >>>>>>> >>>>>>> 2. I am impersonating an using a domain account to access the >>>>>>> site. >>>>>>> >>>>>>> 3. The site is setup with "Integrated auth" >>>>>>> >>>>>>> 4. The DC is running as "Windows 2000 native" at the domain >>>>>>> functional level >>>>>>> >>>>>>> 5. The webserver hosting the app is setup as "Trust computer for >>>>>>> delagation" >>>>>>> >>>>>>> Still doesn't work - what is the last piece of the puzzle - >>>>>>> anyone.....?? :-) >>>>>>> >>>>>>> Roger >>>>>>> >>>>>>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> >>>>>>> wrote in message >>>>>>> news:51eb3048f4808c95ea322af0140@news.microsoft.com... >>>>>>> >>>>>>>> well - if you are impersonating _and_ acccessing a remote >>>>>>>> resource - this is called delegation and works only under >>>>>>>> specific pre-reqs: >>>>>>>> >>>>>>>> - Kerberos authentication (which implies a domain environment) - >>>>>>>> Delegation is set up (which is not the default) >>>>>>>> >>>>>>>> have a look here: >>>>>>>> >>>>>>>> http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/def >>>>>>>> au lt .aspx >>>>>>>> >>>>>>>> ----- >>>>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>>>>> I do impersonate. Testing with my own account - and it does have >>>>>>>>> more than sufficient permissions. >>>>>>>>> >>>>>>>>> "Alexey Smirnov" <alexey.smirnov@gmail.com> wrote in message >>>>>>>>> news:1178308306.449322.237080@n76g2000hsh.googlegroups.com... On >>>>>>>>> May 4, 2:33 pm, "Langedal, Roger" <rogla...@hotmail.com> wrote: >>>>>>>>> >>>>>>>>>> I'm trying to setup a simple test on writing to a file on an >>>>>>>>>> UNC >>>>>>>>>> share >>>>>>>>>> from >>>>>>>>>> an asp.net 2.0 webpage. This is whats happing in default.aspx: >>>>>>>>>> --------------------------------------------------------------- >>>>>>>>>> -- >>>>>>>>>> -- >>>>>>>>>> -- >>>>>>>>>> -------------- Dim path As String = "\\remoteserver\testshare" >>>>>>>>>> Response.Write(User.Identity.Name) >>>>>>>>>> My.Computer.FileSystem.WriteAllText(path & "\myfile.txt", >>>>>>>>>> "life's >>>>>>>>>> good", True) >>>>>>>>>> --------------------------------------------------------------- >>>>>>>>>> -- >>>>>>>>>> -- -- -------------- >>>>>>>>>> impersonation is enabled and windows auth is setup in IIS 6. >>>>>>>>>> >>>>>>>>>> 1. When I run this on my Vista PC - I'm correctly authenticated >>>>>>>>>> and >>>>>>>>>> the >>>>>>>>>> file >>>>>>>>>> is written perfectly to the remote share. >>>>>>>>>> 2. If I move my webapp to a Windows 2003/IIS 6 webserver and >>>>>>>>>> create >>>>>>>>>> a >>>>>>>>>> share >>>>>>>>>> on this server \\mywebserver\testshare everything still works >>>>>>>>>> perfectly >>>>>>>>>> 3. But - I if I try to write to a REMOTE share i.e >>>>>>>>>> \\myotherserver\testshare >>>>>>>>>> it fails with "file not found" - no further explanation :-S >>>>>>>>>> I've >>>>>>>>>> tried to >>>>>>>>>> scan for activity on the remote servers filesystem with Filemon >>>>>>>>>> - >>>>>>>>>> but >>>>>>>>>> it >>>>>>>>>> does'nt even look like it tries to access the share at all.... >>>>>>>>>> Permissions >>>>>>>>>> are set to everyone both at NTFS and share permissions at this >>>>>>>>>> share. >>>>>>>>>> ANY ideas guys?? >>>>>>>>>> Regards, >>>>>>>>>> Roger >>>>>>>>> do you use an impersonation or you run the application under >>>>>> |