Solved

ASP.Net, Access to the path is denied from remote, works from local

Posted on 2009-04-03
Last Modified: 2012-06-21
I am trying to find out why an ASP.net program works when accessed from the same machine that has the web server, but fails when accessed from another machine in the local network.

I have an ASP.net program that puts a list of files into a list box. The files are in a network directory that resides on a 3rd machine, accessed via \\mach3\myDir\... I log on to machine A (where the web browser resides) and bring up the web page. All of the files are in the list box. I log on to machine B and bring up the web page, and I get an error (see above). What is IIS doing differently to tasks that originate from the local machine and tasks that originate from another machine? Some other info:

- The security type is Integrated Windows, no anonymous user
- On both machines, the Environment.UserName returns the same value (myUser)
- On both machines the HttpContext.Current.User.Identity.Name returns the same value
  (MyDomain\myUser)
- Both machines are Windows 2003 SBS
- Before referring to the file as a UNC name (\\mach3\myDir...), I referred to the dir using a mapped drive (X:\myDir\...). It worked on the local drive and didn't on the remote drive. The error was "Path xxx not found". (Maybe local and remote run under a different process?)

- My test machine is XP/Pro, VS 2008, allow anonymous. It is on a different Domain. Environment.UserName returns ASPNET and HttpContext.Current.User.Identity.Name returns MyDomain\myUser

I know that the CustomErrors field in web.config can make the server work differently when the client is not on the local machine. Are there other differences that must be set up or considered?

Thank you.
Question by:MikeBroderick

Accepted Solution

by:
cj_1969 earned 500 total points
ID: 24061295
You have a security problem in the network directory access.
By default any network resource is going to use the machine account of the IIS server to access the resource.  You can grant this account access to get around the issue or you can incorporate user authentication.

To incorporate user authentication you have 2 options.
1. Use the account of the application pool
2. Use the credentials of the user accessing the page/app.

For both of these, you need to incorporate impersonation into your code to change the default credentials that the system uses to access the network resource.

In option 1 you just leave the credential references blank and it will pull the account information that is used to run the code, then you just change the account that the application pool or the anonymous account to a domain account and grant it access to the resource.

In option 2, this gets a little more complicated. To do this you have to use Kerberos authentication, as credentials will not pass 2 hops using NTLM (the default method) and they are going from the browser to the IIS server to the network resource (the code will work if you test on the IIS server itself because you are then only going 1 hop since the browser and IIS are the same machine). For this, you still incorporate the impersonation code but then you also have to grant delegation rights in the AD tools to the IIS server and then you have to publish the service for Kerberos authentication on the destination server. Once this is done then you can get pass-through authentication working from the browser to the network resource passing through the IIS server.
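
A diagnostic for the two-hop behaviour described in the accepted answer, added here as an example and not code posted by anyone in the thread: an ASP.NET handler that reports the authenticated user, the identity and impersonation level of the executing thread, and whether the UNC share from the question can be listed. The class name `WhoAmI` and its registration as a handler (for example whoami.ashx) are assumptions.

```csharp
// WhoAmI.cs: added diagnostic handler, not from the thread. The handler name
// is hypothetical; the share path is the one given in the question.
using System;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web;

public class WhoAmI : IHttpHandler
{
    // Share from the question; adjust for the environment being tested.
    private const string SharePath = @"\\mach3\myDir";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        StringBuilder sb = new StringBuilder();

        // Who the browser authenticated as (what User.Identity.Name shows).
        sb.AppendFormat("Request user:    {0} (auth: {1})\n",
            context.User.Identity.Name, context.User.Identity.AuthenticationType);

        // Token the thread actually runs under: the worker-process account, or
        // the caller when <identity impersonate="true" /> is in effect.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        sb.AppendFormat("Thread identity: {0}\n", thread.Name);

        // None = process token, no impersonation. Impersonation = server may act
        // as the caller locally. Delegation = also on remote systems.
        sb.AppendFormat("Token level:     {0}\n", thread.ImpersonationLevel);
        sb.AppendFormat("Local request:   {0}\n", context.Request.IsLocal);

        // The second hop: IIS server to file server.
        try
        {
            int count = Directory.GetFiles(SharePath).Length;
            sb.AppendFormat("Share access:    OK, {0} files\n", count);
        }
        catch (UnauthorizedAccessException ex)
        {
            sb.AppendFormat("Share access:    DENIED ({0})\n", ex.Message);
        }
        catch (IOException ex)
        {
            sb.AppendFormat("Share access:    I/O error ({0})\n", ex.Message);
        }

        context.Response.ContentType = "text/plain";
        context.Response.Write(sb.ToString());
    }
}
```

Request it once from the IIS server and once from another machine, then compare the thread identity, token level and share result. Remove the handler afterwards, since it discloses account names and a UNC path.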

Author Comment

by:MikeBroderick
ID: 24064459
OK,  Thanks. A couple of questions:
1) How do I find the machine account of the IIS (6.0) server? Do I look at the identity tab on the application pool (which is Network Service), or somewhere else (web.config or machine.config), or is it hard-coded to Network Service?

2) I think I would rather do user authentication. When you say impersonation, do you mean put the following into a web.config's <system.web> section:
    <identity impersonate="true" />

3) in Option 1, can I just use Network Services?

4) In Option 2, is Windows Authorization (specified from the directory security tab) considered Kerberos?

5) In Option 2, what in our example is the destination server? Is it the one with the data that the web server is trying to access, the web server machine, or is it the web client's machine?

Thank you.
PS, to get something running, I am trying option 1, but first I need our network admin to get me connected.

Author Comment

by:MikeBroderick
ID: 24225016
I tried option 1. I granted everyone I could think of full authority to the network dir. Still doesn't work.

Assisted Solution

by:cj_1969
cj_1969 earned 500 total points
ID: 24225313
The machine account is the machine name in AD ... every user and machine that is a "member of the domain" has a domain account.  The machine account is typically in the form of ad\machinename$

What you tried to implement for option 1 is really part of option 2 ... authenticating the individual user to the network resource.

Take a look at this page ... you might be able to handle this through a web.config file in the directory where the virtual directory reference is ...
Syntax ... http://msdn.microsoft.com/en-us/library/72wdk8cc(VS.71).aspx
Example ... http://www.velocityreviews.com/forums/t91905-when-impersonation-doesnt-seem-to-work.html

Author Comment

by:MikeBroderick
ID: 24229477
I made a mistake. I assumed if you don't have an impersonate statement in your app's web.config, it will be off. On my customer's machine, someone put a web.config file in the root dir that has an impersonate true statement. When I realized this I set impersonate to false and voilà, it worked. Why Network Service can access the Remote Share and my ID cannot, I do not know, but this works fine.

Thank you for your help. Sorry for the mistake.