We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

ASP.net authentication issue?

Medium Priority
387 Views
Last Modified: 2012-08-13
Morning all. Let me start by saying i don't know much about ASP.net programming so forgive me if this comes across as a lamer... i'm just the guy who's getting hollered at because it does not work.

My company's programmers have setup an ASP website that connects to a remote windows 2003 server file share and lists the folders and files. The users can access the site and open the folders and files.

Occasionally the users will get an access denied message when trying to open the file (folders always work). They will click "ok" on the denied message and then if they try to open the file again it will work.
side note:

The web.config file is setup to impersonate and to use windows authentication. i have included part of the web.config file in the code section.

IIS on the server is configured for integrated windows authentication

looking in the security event log on the file server i can see an "NT Authority\anonymous logon" event id 540 success message at the time the user gets the access denied. right after that i will see a logon from the user using kerberos. I assume this is when they click on the file again.

I have ran a wireshark capture on the file server. From that it looks like when the user is navigation through the folders using the web app the conversation is from workstation to web app to file server. Then when the user clicks on the file to open the conversation changes to between the workstation and file server directly.

the path the user use to access the web app is http://cpapps/reports/reportsicon.aspx.
If the user access the file share directly from a unc path, everything opens file all the time. So i know it's not the NTFS permissions or the file server.

Basically i've spent a lot of time on this and have not really gotten anywhere. I think it's either a timeout (if the user leave the sire open for a while then tries to open a report they definatley get the access denied message) or an authentication configuration issue.

Thanks in advance.
<system.web>
    <identity impersonate="true"/>
    <authentication mode="Windows"/>
    <pages>
      <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      </controls>
    </pages>
    <httpRuntime  executionTimeout="1200"/>
    <sessionState timeout ="60"/>
    <!--
          Set compilation debug="true" to insert debugging
          symbols into the compiled page. Because this
          affects performance, set this value to true only
          during development.
    -->
    <compilation>
      <assemblies>
        <add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
        <add assembly="System.Web.Extensions.Design, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
        <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <add assembly="CrystalDecisions.CrystalReports.Engine, Version=11.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
        <add assembly="CrystalDecisions.Shared, Version=11.5.3700.0, Culture=neutral, PublicKeyToken=692FBEA5521E1304" />
        <add assembly="System.Data.OracleClient, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </assemblies>
    </compilation>
    <httpHandlers>
      <remove verb="*" path="*.asmx"/>
      <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
    </httpHandlers>
    <httpModules>
      <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </httpModules>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </modules>
    <handlers>
      <remove name="WebServiceHandlerFactory-Integrated"/>
      <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
      <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </handlers>
  </system.webServer>

Open in new window

Comment
Watch Question

How are the files linked in the webapp?  When a user clicks on a link to open a file, does it try to open "http://cpapps/files/file.doc" for example, or does it try to open "\\cpapps\files\file.doc"

Is the app used internally only?  Is there some sort of check in/check out function when downloading a file or do they just download it?

Author

Commented:
it looks like it is using the UNC path. I can see a java script execute at the bottom of IE and then i get the file download prompt that says from \\servername\share\......

the app is internal only.

No check-in/out they just open it.

Author

Commented:
btw.... cpapps is an alias for the web server svr133. the files are opened from a different server svr113.
Ok, so the user can browse through the folders as intended, and then when they click the link to download the file, which is a UNC path, they get an access denied?

If they are clicking a link that is a UNC path to a completely different server, it wouldn't have anything to do with the web app, that sounds like a security issue on the other server.  When browsing to a UNC path in your browser, it uses the current user's security identity.

If you are on a domain, something you could try doing is mapping a path to the file directory in the login.bat file, and then modify the links.  So if the drive was mapped as S drive, you could change the links to file:///S:/files/file.doc

Mapping the drive should maintain security permissions to the server, which is why I think the user is getting an access denied the first time they try to download the file.

Author

Commented:
The access denied is not consistent and not always when they first try to open the file. Often they will access the web app go to a file, open and  it to review and discuss with others in the meeting and then they go to open the next file and get the access denied. that's why i think is a timeout issue of some sort.

If the user goes directly to the file server using the unc path, they never get a denied message. the files always open.
The link is directly to the UNC path isn't it?

So if they click a link, it would open up \\svr113\files\whatever.doc?

Or is the web server trying to open the file on svr113 and serve it through svr133?
Something you could try, is to create a virtual directory on the IIS machine, point it to the UNC path of the files, and set the user as a domain user that has access to those files.  This way you could go to http://cpapps/files/file.doc and download the file from there... in the back end IIS would connect over to the other server, get the file, and serve it through IIS.   But the links would need to be changed from UNC paths to virtual paths.

Author

Commented:
I think the web server is trying to open the file for the user.
 
here is a couple screen shots of it when it is working

 

workingreportsicon.doc
When you hover over the 01 - Entire Sales Log link, does it show the UNC link down in the status bar?  Or does it show a postback function?  If it's a postback, you may need to look at the code behind for MenuFiles to see what it is doing.

Author

Commented:
it does a dopostback. I'm not sure where the code is for the menufiles. I will get with the programmer on monday and see what i can figure out.

I really do appreciate the input.
If the asp.net project isn't pre-compiled, you should be able to view it on the server.

If it's in VB
\\cpapps\reports\reporticon.aspx.vb

or if it's in C#
\\cpapps\reports\reporticon.aspx.cs

Author

Commented:
i've attahced the reportsicon.aspx page.
reporticon.txt
Is there a reportsicon.aspx.vb file?

Specifically this function: MenuFiles_MenuItemClick

Author

Commented:
nope. i searched the drive for reportsicon.aspx.vb and came up with nothing. there are some dll files in the bin folder under this site. one of which was referenced in the aspx page. app_web_report.aspx.cdcab7d2.dll.

Ok, the web app is pre-compiled into the dll file then, you'll have to ask your developers about it.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
That you very much for your time!!! you've helped point me in a good direction to follow.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.