  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1350

ASP.Net, Access to the path is denied from remote, works from local

I am trying to find out why an ASP.net program works when accessed from the same machine that has the web server, but fails when accessed from another machine in the local network.

I have an ASP.net program that puts a list of files into a list box. The files are in a network directory that resides on a 3rd machine, accessed via \\mach3\myDir\... I log on to machine A (where the web browser resides) and bring up the web page. All of the files are in the list box. I log on to machine B and bring up the web page, and I get an error (see above). What is IIS doing differently to tasks that originate from the local machine and tasks that originate from another machine? Some other info:

- The security type is integrated windows, no anonymous user
- On both machines, the Environment.UserName returns the same value  (myUser)
- On both machines the HttpContext.Current.User.Identity.Name returns the same value
  (MyDomain\myUser)
- Both machines are Windows 2003 SBS
- Before referring to the file as a UNC name (\\mach3\myDir...), I referred to the dir using a mapped drive (X:\myDir\...). It worked on the local drive and didn't on the remote drive. The error was "Path xxx not found".  (Maybe local and remote run under a different process?)

- My test machine is XP/Pro, VS 2008, allow anonymous. It is on a different Domain. Environment.UserName returns ASPNET and HttpContext.Current.User.Identity.Name returns MyDomain\myUser

I know that the CustomErrors field in web.config can make the server work differently when the client is not on the local machine. Are there other differences that must be set up or considered?

Thank you.
0
MikeBroderick
Asked:
2 Solutions
 
cj_1969 Commented:
You have a security problem in the network directory access.
By default any network resource is going to use the machine account of the IIS server to access the resource.  You can grant this account access to get around the issue or you can incorporate user authentication.

To incorporate user authentication you have 2 options.
1. Use the account of the application pool
2. Use the credentials of the user accessing the page/app.

For both of these, you need to incorporate impersonation into your code to change the default credentials that the system uses to access the network resource.

In option 1 you just leave the credential references blank and it will pull the account information that is used to run the code, then you just change the account that the application pool or the anonymous account to a domain account and grant it access to the resource.

In option 2, this gets a little more complicated.  To do this you have to use Kerberos authentication as credentials will not pass 2 hops using NTLM (the default method) and they are going from the browser to the IIS server to the network resource (the code will work if you test on the IIS server itself because you are then only going 1 hop since the browser and IIS are the same machine).  For this, you still incorporate the impersonation code but then you also have to grant delegation rights in the AD tools to the IIS server and then you have to publish the service for Kerberos authentication on the destination server.  Once this is done then you can get pass-through authentication working from the browser to the network resource passing through the IIS server.
0
 
MikeBroderick (Author) Commented:
OK,  Thanks. A couple of questions:
1) How do I find the machine account of the IIS (6.0) server? Do I look at the identity tab on the application pool (which is Network Service), or somewhere else (web.config or machine.config), or is it hard-coded to Network Service?

2) I think I would rather do user authentication. When you say impersonation, do you mean put the following into a web.config's <system.web> section:
    <identity impersonate="true" />

3) in Option 1, can I just use Network Services?

4) In Option 2, is Windows Authorization (specified from the directory security tab) considered Kerberos?

5) In Option 2, what in our example is the destination server? Is it the one with the data that the web server is trying to access, the web server machine, or is it the web client's machine?

Thank you.
PS, to get something running, I am trying option 1, but first I need our network admin to get me connected.
0
 
MikeBroderick (Author) Commented:
I tried option 1. I granted everyone I could think of full authority to the network dir. Still doesn't work.
0
 
cj_1969 Commented:
The machine account is the machine name in AD ... every user and machine that is a "member of the domain" has a domain account.  The machine account is typically in the form of ad\machinename$

What you tried to implement for option 1 is really part of option 2 ... authenticating the individual user to the network resource.

Take a look at this page ... you might be able to handle this through a web.config file in the directory where the virtual directory reference is ...
Syntax ... http://msdn.microsoft.com/en-us/library/72wdk8cc(VS.71).aspx
Example ... http://www.velocityreviews.com/forums/t91905-when-impersonation-doesnt-seem-to-work.html
0
 
MikeBroderick (Author) Commented:
I made a mistake. I assumed if you don't have an impersonate statement in your app's web.config, it will be off. On my customer's machine, someone put a web.config file in the root dir that has an impersonate true statement. When I realized this I set impersonate to false and voilà, it worked. Why Network Service can access the Remote Share and my ID cannot, I do not know, but this works fine.

Thank you for your help. Sorry for the mistake.
0
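An added diagnostic example (not code from any poster in this thread): an ASP.NET handler that reports the values this thread turns on, namely the identity the browser authenticated as, the Windows token actually used to open a UNC path, whether that token can be delegated to a second server, and which config file the effective `<identity impersonate>` setting was inherited from. The class name `IdentityProbe` and its registration as an `.ashx` handler are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Configuration;

// Hypothetical troubleshooting handler; restrict access to administrators
// and remove it after use, since it discloses account names.
public class IdentityProbe : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        StringBuilder sb = new StringBuilder();

        // Who the browser authenticated as, and by which scheme
        // (NTLM, Negotiate or Kerberos). This does not decide file access.
        IIdentity user = context.User.Identity;
        sb.AppendLine("Request user:    " + user.Name
                      + " (" + user.AuthenticationType + ")");

        // The token on the current thread: a \\server\share path is opened
        // with this identity, not with the request user above.
        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("Thread identity: " + token.Name);
            // None          = process (application pool) token, no impersonation
            // Impersonation = usable on this server only, fails on a second hop
            // Delegation    = may be presented to another server (Kerberos)
            sb.AppendLine("Token level:     " + token.ImpersonationLevel);
        }

        // Effective <identity> element for this request path, including
        // values inherited from a web.config higher up the hierarchy.
        IdentitySection id = (IdentitySection)
            WebConfigurationManager.GetSection("system.web/identity");
        sb.AppendLine("impersonate:     " + id.Impersonate);
        // Source may be null when the value is the built-in default.
        sb.AppendLine("defined in:      "
                      + (id.ElementInformation.Source ?? "(not set in any file)"));

        context.Response.ContentType = "text/plain";
        context.Response.Write(sb.ToString());
    }
}
```

Request it once from a browser on the IIS server and once from another machine: the same `Thread identity` with a `Token level` of `Impersonation` on the remote request is the NTLM double-hop case described in the accepted answer.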
Question has a verified solution.