How to access network shared folders from IIS, Windows authenticated

zc2
There is an intranet site under IIS which has to use Windows authentication, as required by corporate policy. The web application is an ISAPI extension and it must be able to access files located on shared folders of domain servers as the currently logged-in user. That works fine if the site uses Basic authentication, but neither Windows nor Digest authenticated users are able to access the network shared folders.
I used the Sysinternals ProcMon utility and I can see that the w3wp process tries to access the files while impersonating the logged-in user account.
It fails with Windows authentication enabled:
Date & Time:	3/16/2018 5:03:22 PM
Event Class:	File System
Operation:	CreateFile
Result:	ACCESS DENIED
Path:	\\Server\Share\Folder\
TID:	9888
Duration:	0.1380666
Desired Access:	Read Data/List Directory, Synchronize
Disposition:	Open
Options:	Directory, Synchronous IO Non-Alert
Attributes:	n/a
ShareMode:	Read, Write, Delete
AllocationSize:	n/a
Impersonating:	DOMAIN\User

But works fine with the Basic authentication:
Date & Time:	3/16/2018 5:05:24 PM
Event Class:	File System
Operation:	CreateFile
Result:	SUCCESS
Path:	\\Server\Share\Folder\
TID:	9888
Duration:	0.0014367
Desired Access:	Read Data/List Directory, Synchronize
Disposition:	Open
Options:	Directory, Synchronous IO Non-Alert, Open For Backup
Attributes:	n/a
ShareMode:	Read, Write, Delete
AllocationSize:	n/a
Impersonating:	DOMAIN\User
OpenResult:	Opened


I saw on an internet forum the following explanation:
When using Windows Auth only an authentication token is passed to the web app. This token will not pass to another machine (double hop) unless there is a trust relationship, which usually involves a Kerberos implementation.
But I don't understand how the trust relationship could be established and what a Kerberos implementation is.

Please advise.
This article describes authentication types and their abilities to access network resources.
For Windows authentication, the provider has to be "Negotiate:Kerberos".
The Kerberos-based trusted relationship has to be properly configured in Active Directory.
Here is some additional information.
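
The "trust relationship" discussed in this thread is Kerberos delegation configured on the account the IIS worker process runs as. The following read-only check is an added example, not part of the original question or answer. It assumes the RSAT ActiveDirectory module is installed, that the application pool runs under a built-in identity (so the IIS server's computer account is the delegating principal), and it uses the placeholder names WEB01 for the IIS host, Server for the file server from the ProcMon path, and User for the test account.

```powershell
# Added example (not from the original thread): inspect, without changing anything,
# the Kerberos delegation settings that decide whether IIS may forward the
# impersonated user's identity to a file server (the "double hop").
Import-Module ActiveDirectory

$iisHost    = 'WEB01'    # placeholder: IIS server computer account
$fileServer = 'Server'   # placeholder: host part of \\Server\Share\Folder\
$testUser   = 'User'     # placeholder: account seen in "Impersonating: DOMAIN\User"

$c = Get-ADComputer -Identity $iisHost -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', servicePrincipalName

# SPNs registered on the IIS host; the browser needs a matching one to obtain a
# Kerberos ticket instead of falling back to NTLM, which cannot be delegated.
"SPNs on ${iisHost}:"
$c.servicePrincipalName | Sort-Object

# Services this account is allowed to delegate to (constrained delegation list).
$targets = @($c.'msDS-AllowedToDelegateTo')
$cifs    = @($targets | Where-Object { $_ -like "cifs/$fileServer*" })

if ($c.TrustedForDelegation) {
    # Unconstrained delegation lets the host act as any connecting user toward
    # any service in the domain; treat it as a finding, not a fix.
    Write-Warning "$iisHost is trusted for UNCONSTRAINED delegation; restrict it to cifs/$fileServer."
}
elseif ($cifs.Count -gt 0) {
    "Constrained delegation configured for: $($cifs -join ', ')"
    if ($c.TrustedToAuthForDelegation) {
        "Protocol transition is enabled ('Use any authentication protocol')."
    } else {
        "Kerberos only: the client must reach IIS with a Kerberos ticket."
    }
}
else {
    Write-Warning "No delegation to cifs/$fileServer; the second hop will get ACCESS DENIED."
}

# Accounts marked 'sensitive and cannot be delegated' never pass the second hop.
Get-ADUser -Identity $testUser -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated
```

If the application pool runs under a domain service account instead, run the same property checks with Get-ADUser against that account, since the delegation settings live on whichever principal owns the site's SPN.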