"The provided folder does not exist or is unaccessible!" error when trying to access files on network shared drive from IIS10 server

Question

"The provided folder does not exist or is unaccessible!" error when trying to access files on network shared drive from IIS10 server

Shastri, Shrinivas 5

Hi,

I am facing "The provided folder does not exist or is unaccessible!" error for files on shared network drive.

Client Environment:

-Windows 2022 Server that hosts web site/web api in IIS10. Web Site is developed in Angular and Web Api in .Net4.8

-IIS is configured to use Windows Authentication. IIS is running under dedicated domain account.

-MS SQL database hosted in another Windows 2022 server

-There is shared network drive that has files in different directories

-All servers are in same domain

When web site is opened on IIS Server itself, everything works fine. Web site gets all data from database and can access shared drive files. All data and files access is done via Web Apis.

.Net Code in Web Api file access:

status = System.IO.File.Exists(documentFullPath);

if(status)

{

Byte[] bytes = System.IO.File.ReadAllBytes(documentFullPath);

}

Issue: But when web site is opened from another workstation (Windows 11) in same domain, it gets all data from database but can't access shared drive files. The HTTP call shows error "The provided folder does not exist or is unaccessible!". When I type the file network path in File Exploreron workstation, I can see files. Proper delegations have been created for IIS domain account, IIS Server and Shared File Server in AD for CFS. Is it related to Windows Authentication not propagating correctly? What other configuration/setting is needed here?

Please help.

Sri

2 answers

Your answer

Answer 1

Hi Shastri, Shrinivas,

From what you described, it sounds like the issue is related to how Windows Authentication handles access to network resources when the site is accessed remotely. This is a common problem called “double-hop”, where credentials aren’t passed from the client to the file server.

Here are a few things you should check to make sure it is working properly:

Make sure your IIS Application Pool is running under a domain account (not the default identity).
Confirm that Kerberos is being used for Windows Authentication by enabling IIS logs, as it supports delegation and NTLM doesn’t.
In Active Directory, set up constrained delegation for the domain account so it can access the file server (CIFS service).
Double-check that the domain account has read access to the shared folder — both share and NTFS permissions.

Link: https://learn.microsoft.com/en-us/iis/web-hosting/configuring-servers-in-the-windows-web-platform/configuring-share-and-ntfs-permissions

If you have the time, you can take a quick look at these documents:

Best regards,

Tom Tran

Tom Tran (WICLOUD CORPORATION) 10 Reputation points Microsoft External Staff

2025-06-23T02:39:05.7766667+00:00

Hi Shastri, Shrinivas,

Hope things are going smoothly on your end! Just following up to see if the previous steps helped resolve the issue. Let me know if you need anything else.
Shastri, Shrinivas 5 Reputation points

2025-07-08T19:03:44.6266667+00:00

I got issue resolved with Microsoft technical support. The solution was to change delegation of IIS server from any protocol to cifs plus add IIS domain account delegation for HOST service. Thanks all for your suggestions.

Answer 2

Bruce (SqlWork.com) 78,161 Volunteer Moderator

you are correct. you are hitting the one hop rule. by default, for file access IIS uses the windows identity, not the pool account to access files. you have 2 options:

file access uses the thread's windows identity. you probably have impersonation enabled. if so, impersonate a domain account to access the share. if not needed, disable impersonation. be sure the anonymous account also uses the pool account.
switch to kerberos, and enable delegation.
https://techcommunity.microsoft.com/blog/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/347882

Shastri, Shrinivas 5 Reputation points

2025-06-06T14:49:39.48+00:00
Option #1: Are you suggesting to do impersonation using a dedicated domain user before calling File IO method? I have this code in Start.cs file. Is it not enough to impersonate current logged user when user opens web site from remote workstation in same domain?

app.Use(async (context, next) =>

{ using (WindowsImpersonationContext impersonationContext = ((WindowsIdentity)context.User.Identity).Impersonate()) { await next.Invoke(); } });
Bruce (SqlWork.com) 78,161 Reputation points Volunteer Moderator

2025-06-06T17:08:56.57+00:00
that code is causing the issue.

Your app only has a secondary token, because it was passed from a remote client. when remote client is the IIS server you get a primary token. you can not delegate a secondary token (the one hop rule).

for this code to work, you have two options:

switch to basic authentication, which will give IIS a primary user token

switch to kerberos authentication, and enable server delegation.

note: nt authentication has a one hop rule. when you login you get a primary token. this can be used to access a network resource. the network resource has a secondary token, and this token can not be used to access a third network resource.

with IIS NT authentication the workstation has the primary, and IIS has the secondary. kerberos tokens do not have this limitation. instead delegation rules are defined.

Share via

"The provided folder does not exist or is unaccessible!" error when trying to access files on network shared drive from IIS10 server

2 answers

Your answer