Question
Wednesday, September 2, 2015 8:41 PM
Might be in the wrong forum but can't find an IIS-specific forum...
Running IIS on Windows 2012 64 bit. The application pool is v4.0 integrated with the ApplicationPoolIdentity.
On a domain server, I have a share that an account has readonly rights to.
If I log in using the readonly account credentials and go to \\172.xxx.xxx.xxx\Document\folder\1.pdf
I have access without any problems, so apparently the account permissions are correct.
In IIS, I have a dll with vb.net code that impersonates the read-only account.
My logs, generated internally from inside the dll, show that the impersonation was done correctly.
"just called aa.impersonation which returned True and the user is now ABC\ReadAccount "
then in the dll, the following code:
Dim Filename As String = s
Dim objReader As System.IO.StreamReader
Try
    objReader = New System.IO.StreamReader(Filename, True)
Catch ex As Exception
    ' ...etc...
End Try
I get an exception:
Access to the path '\\172.xxx.xxx.xxx\Document\folder\1.pdf' is denied.
Any thoughts?
Thanks
T
GADOI
All replies (15)
Thursday, September 3, 2015 4:13 PM ✅Answered | 1 vote
I don't think it's going to work with impersonation unless you authenticate with the remote resource. The discussion below may apply to your scenario, or may offer a workaround:
If you are using Windows Auth only an authentication token is passed to the web app. This token will not pass to another machine (double hop) unless there is a trust relationship, which usually involves a Kerberos implementation. It doesn't sound like you are doing this but I thought I would mention it.
Paul ~~~~ Microsoft MVP (Visual Basic)
Wednesday, September 2, 2015 8:43 PM | 1 vote
Might be in the wrong forum but can't find an IIS-specific forum...
Wednesday, September 2, 2015 9:08 PM
I don't think this is an IIS issue. Is the impersonation and the attempt to open the file all performed in a single call?
Paul ~~~~ Microsoft MVP (Visual Basic)
Thursday, September 3, 2015 11:27 AM
Yes it is...
Dim myID As WindowsIdentity = WindowsIdentity.GetCurrent()
' Display myID: the Current Identity is: IIS APPPOOL\something
Dim Success As Boolean = aa.ImpersonateUser(MyImpersonationUser, "XXX", MyImpersonationPsw)
myID = WindowsIdentity.GetCurrent()
' Display myID: the Current Identity is: XXX\ReadAccount
Dim objReader As System.IO.StreamReader
Try
    objReader = New System.IO.StreamReader(Filename, True)
Catch ex As Exception
    ' Error generated by exception: Access to the path '\\172.xxx.xxx.xxx\Document\folder\1.pdf' is denied.
End Try
GADOI
Thursday, September 3, 2015 12:15 PM
If you copy the file to the web server (locally) and access it there, do you still get the "access denied" exception?
Paul ~~~~ Microsoft MVP (Visual Basic)
Thursday, September 3, 2015 12:34 PM
It's a good test but - I will check...
I did and yes it failed.....same exact message..
GADOI
Thursday, September 3, 2015 12:50 PM
Well - yes it works. The above error was generated when the folder's sharing was not set. I set it and it worked.
In my real/production case, the Read account has the same exact permissions as in the test in the local folder. This tells me that reaching a remote server is one thing that is different.
GADOI
Thursday, September 3, 2015 1:26 PM
When I remote to IIS using the XXX\ReadAccount, it has no problem, from IIS, seeing and opening \\172.xxx.xxx.xxx\Document\folder\1.pdf
GADOI
Thursday, September 3, 2015 1:55 PM
So if I understand correctly, it works if the file is local (on the web server) but not remote? What type of application are you working with? Web service? Web application?
Paul ~~~~ Microsoft MVP (Visual Basic)
Thursday, September 3, 2015 1:57 PM
Web Application - asp.net using vb.net
IIS gets a file path and file name from a DB and passes to a dll. Inside the dll, I create an impersonation for the Read only account on that path and try opening the file. It is at that point that it fails.
GADOI
Thursday, September 3, 2015 2:19 PM
I have a feeling that your ApplicationPoolIdentity credentials are being used when accessing the remote server when impersonation is not enabled (in code or in the IIS config), and apparently your security configuration allows this. Once you enable impersonation and run under different credentials, there is no trust with the remote server so authentication would be required. This would be my guess, although I don't know what type of authentication you are using for the web application or what your domain configuration is.
Can you just run under the ApplicationPoolIdentity instead of enabling impersonation? Otherwise, you may need to map a path to the remote resource on-the-fly, and pass credentials to authenticate, before the resource can be accessed.
Paul ~~~~ Microsoft MVP (Visual Basic)
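Paul's "map a path to the remote resource on-the-fly, and pass credentials" suggestion, as an added VB.NET example that is not code from the thread or from the poster's dll: the share is attached with WNetAddConnection2 under explicit read-only credentials instead of impersonating, the file is copied into a caller-supplied stream (for instance Response.OutputStream, so the browser never sees the UNC path), and the connection is removed afterwards. Module, procedure, server, share and account names are placeholders.

```vbnet
Imports System.IO
Imports System.ComponentModel
Imports System.Runtime.InteropServices

' Added example (not from the thread). Rather than impersonating, attach the
' share to the worker process under explicit read-only credentials, stream the
' file out, and drop the connection again. Names below are placeholders.
Public Module ShareReader

    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)>
    Private Structure NETRESOURCE
        Public dwScope, dwType, dwDisplayType, dwUsage As Integer
        Public lpLocalName, lpRemoteName, lpComment, lpProvider As String
    End Structure

    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)>
    Private Function WNetAddConnection2(ByRef res As NETRESOURCE, password As String,
                                        userName As String, flags As Integer) As Integer
    End Function

    <DllImport("mpr.dll", CharSet:=CharSet.Unicode)>
    Private Function WNetCancelConnection2(name As String, flags As Integer,
                                           force As Boolean) As Integer
    End Function

    Private Const RESOURCETYPE_DISK As Integer = 1

    ' Copies \\server\share\...\file into "output" (e.g. Response.OutputStream)
    ' as domainUser ("DOMAIN\ReadAccount"). The browser only receives bytes,
    ' never the UNC path.
    Public Sub CopyRemoteFile(uncPath As String, domainUser As String,
                              password As String, output As Stream)
        ' WNetAddConnection2 wants "\\server\share" with no trailing backslash.
        Dim share As String = Path.GetPathRoot(uncPath).TrimEnd("\"c)
        Dim res As New NETRESOURCE With {.dwType = RESOURCETYPE_DISK, .lpRemoteName = share}

        ' Returns a Win32 error code directly. 1219 means the worker process
        ' already has a session to this server under other credentials; SMB
        ' allows only one credential set per server per logon session.
        Dim rc As Integer = WNetAddConnection2(res, password, domainUser, 0)
        If rc <> 0 Then Throw New Win32Exception(rc)
        Try
            Using fs As New FileStream(uncPath, FileMode.Open, FileAccess.Read, FileShare.Read)
                fs.CopyTo(output)
            End Using
        Finally
            WNetCancelConnection2(share, 0, True)
        End Try
    End Sub
End Module
```

Because the connection belongs to the worker process rather than to a request, concurrent requests that need different credentials against the same server will collide with error 1219; a single dedicated read-only account, as in the thread, avoids that.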
Thursday, September 3, 2015 3:08 PM
Hmmm - I'll check on that - authentication is a bit complicated -
I tested and changed the application pool account to XXX\ReadAccount with the correct credentials, and it still did not work.
The overarching issue is ... security... I don't want users on IIS to have access to the files - even for read purposes - so the dll should open the file - stream it back to the browser - without the user knowing where it came from, its path or anything like that.
I also need to mention that users access the website using their windows authentication cached credentials.
GADOI
Thursday, September 3, 2015 4:02 PM
Why don't you just change the file share on the Windows machine to have permission on the share for the Everyone user group, Authenticated user group or Domain user group that can access the file share with the proper permissions?
http://windowsitpro.com/systems-management/understanding-authenticated-users-group
Thursday, September 3, 2015 4:05 PM
too many files - 1.8 million of them - permissions are set from database.
1) here is a list of files you have rights to ...
2) click on a file to open (you won't see where it comes from).. This means other files are protected from access. These files are mostly secrets so we really don't want "ANYONE" to have access to them...
GADOI
Thursday, September 3, 2015 6:20 PM
Maybe you need to take a different approach and use a WCF service over NetTCP that can be used with Windows Authentication or a user-id and password, with no impersonation.
And the WCF service can be hosted on a machine via a Windows service, a console application, a Windows Forms exe with all forms stripped out of it, or it can be a self-hosting exe WCF service.