Solved

Reading a file into a buffer in ASP.NET: error "Logon failure: unknown user name or bad password."

Posted on 2004-10-06
Last Modified: 2008-01-09
Hello experts!
  We are facing an interesting problem.
  We have some tiff image files located on a remote shared folder, say
\\172.23.45.66\Shared\Images
  Only specific logins are given access to this folder.
  Now, on my webpage, if I place an image control, and set its src value as follows:
  myImg.Src = @"\\172.23.45.66\Shared\Images\tmpin.jpg";

  Then the code works and the image is displayed.
  But, If we try to read the image into a buffer as follows:

byte[] buf = null;
System.IO.FileStream fs = new System.IO.FileStream(myImg.Src, System.IO.FileMode.Open, System.IO.FileAccess.Read);

buf = new byte[fs.Length];
fs.Read(buf, 0, buf.Length);
fs.Close();

  then we get the following error:
"Logon failure: unknown user name or bad password. "

  It is very important that we load the file into a buffer.
  So, can someone suggest what could be the problem and how it can be solved?
  Note that it is not possible for us to create additional shares or virtual Web folders for the file directory, because the address can be anything that the user has rights to: it is not necessarily one single folder.
  So, we are looking for a generic solution to load a file into a buffer from an ASP.NET page if the current Windows user has rights to access the folder.
Looking forward to your help.
Thanks,
...Shu
0
Comment
Question by:snehanshu
9 Comments
 
LVL 17

Expert Comment

by:AerosSaga
ID: 12236893
Dim r As New StreamReader(file1.PostedFile.InputStream())
Dim strBuffer As String = r.ReadToEnd

'DO SOMETHING HERE WITH strBuffer

r.Close()
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 12236909
<form runat="server" enctype="multipart/form-data" ID="Form2">
  <P>
    <input type="file" id="file1" runat="server" NAME="file1">
  </P>
  <P>
    <asp:Button id="btn1" runat="server" text="Upload" onclick="upload" />
  </P>
</form>

--------------------------------------------------------------------------------------

Imports System.Data
Imports System.Data.SqlClient

Public Sub Upload(ByVal sender As Object, ByVal e As System.EventArgs)
        Dim b(file1.PostedFile.InputStream.Length - 1) As Byte

        file1.PostedFile.InputStream.Read(b, 0, file1.PostedFile.InputStream.Length)

        Dim con As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionStringSQL"))

        Dim sql As String = "INSERT INTO MY_TABLE(MyID, DATABLOB) VALUES(1,@BlobData) "
        Dim cmd As New SqlCommand(sql, con)

        Dim parmBlob As New SqlParameter("@BlobData", SqlDbType.VarBinary, _
                     b.Length, ParameterDirection.Input, False, 0, _
                     0, Nothing, DataRowVersion.Current, b)
                     
        cmd.Parameters.Add(parmBlob)

        con.Open()
        cmd.ExecuteNonQuery()
        con.Close()
End Sub

Aeros
0
 
LVL 15

Expert Comment

by:praneetha
ID: 12237839
System.IO.FileStream fs = new System.IO.FileStream(@"\\172.23.45.66\Shared\Images\tmpin.jpg", System.IO.FileMode.Open, System.IO.FileAccess.Read);

try hardcoding it for a while...

also try (@"\\172.23.45.66\\Shared\\Images\\tmpin.jpg",
0
 
LVL 10

Accepted Solution

by:
jnhorst earned 500 total points
ID: 12238941
What kind of authentication is involved with the website?  If you are allowing anonymous connections, there are two possibilities:

1) If you do not have <identity impersonate="true" /> in web.config, the code that is trying to read the file into a buffer is trying it under the security context of the local ASPNET account (local to the machine running IIS).  That account will surely not have permissions on the network share.

2) If you do have <identity impersonate="true" /> in web.config and are allowing anonymous connections, the code is being executed in the context of the local account that IIS is using to authenticate anonymous requests.  This is usually named IUSR_<machine name>.  You can check this by opening the IIS Admin application, clicking the Directory Security tab and then the Edit button for the section on anonymous requests.

The problem here is that both IUSR_... and ASPNET are local accounts (local to the box running IIS) and would not have permissions on a network share.  A third option exists if you are authenticating the user using Windows or Forms authentication.  Under that scenario, if <identity impersonate="true" /> is NOT in web.config, #1 above applies; the local ASPNET account is being used.  If you DO have <identity impersonate="true" /> in web.config, then the code is executing under the security context of the authenticated user.

So if you are allowing anonymous requests and want the image to load into the buffer regardless of which user is requesting the page, you'll want to do the following:

1) Create a domain or Active Directory account that will only be used for anonymous requests to the IIS box.  Go to the IIS Admin utility and reset the account that authenticates anonymous requests to use that account instead of the local IUSR_... account.

2) Give this new account read permissions on the network share.

3) Make sure <identity impersonate="true" /> is in web.config.

John
0
 
LVL 5

Author Comment

by:snehanshu
ID: 12284057
jnhorst,
  Thanks for your comment.
  Your comment helped us understand the problem and we have made changes to the design based on this understanding.
Thanks again,
...Shu
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12284138
Glad to help.

John
0
 
LVL 5

Author Comment

by:snehanshu
ID: 12284229
John,
  May I ask a follow-up question please?
  If I want to use option 3, can you tell me how to do it?
  I would like to take the Windows username and password from a database and execute the file access code under that user (security context or whatever it is called).
  I know that for Windows-based applications, we have APIs to impersonate a certain user and execute parts of code as a different user. Are there any web equivalents of this, so that only a certain part of my code is executed as a particular username/password that I know (have as string variables)?

...Shu
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12287531
You can do this (having certain code running under a particular user's account) in a COM+ application that you instantiate in your web app, but I have not done this in .NET, only back in old school asp.  But if you want to use a certain account for a web app (the whole app), you can do this:

<identity impersonate="true" userName="userslogin" password="password" />

I do not like doing this (putting secure info in a clear text file that exists on the server) but it can be done.

John
0
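
As an added example (not part of the original thread or any poster's code), the code below shows the per-block impersonation asked about in the follow-up: it logs on a known account with the Win32 LogonUser API, opens the UNC file under that identity only, and reverts as soon as the read completes. The names ShareReader and ReadAs are hypothetical, and it assumes .NET Framework 2.0 or later on Windows XP / Server 2003 or later.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper for illustration; not from the thread.
public static class ShareReader
{
    // NEW_CREDENTIALS: the token keeps the worker's local identity and uses the
    // supplied account only for outbound network access (such as a UNC share).
    // The account therefore needs no logon rights on the web server itself.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3; // required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reads uncPath into a buffer while impersonating the given account.
    // With NEW_CREDENTIALS a wrong password is not rejected by LogonUser; it
    // surfaces as the "Logon failure" IOException when the file is opened.
    public static byte[] ReadAs(string user, string domain, string password, string uncPath)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Disposing the context reverts the thread to its original identity,
            // so only the file access below runs as the other account.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (FileStream fs = new FileStream(uncPath, FileMode.Open,
                                                  FileAccess.Read, FileShare.Read))
            {
                byte[] buf = new byte[fs.Length];
                int off = 0, n;
                // Read may return fewer bytes than requested; loop until full.
                while (off < buf.Length && (n = fs.Read(buf, off, buf.Length - off)) > 0)
                    off += n;
                return buf;
            }
        }
        finally { CloseHandle(token); } // always release the logon token
    }
}
```

The concern raised above about clear-text credentials in web.config applies equally to a password held in a database column or a string variable, so store it encrypted and grant the account read access to the share only.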
 
LVL 5

Author Comment

by:snehanshu
ID: 12294817
Thanks again John!
We will try this.
...Shu
0
