Solution: Asp.Net and Smb shares - without impersonation

I've found a solution to this that I think I like, but I thought it wise to put
it out for all to see so people could punch holes in it as they wished. (Is
there a better way?)

I want a page in an Asp.Net site to be able to open/access a file that's on an
Smb share (ie. "Windows Share", "NetBios Share", etc.). I cannot use the
"ASPNET" username; that's a bad route to take anyhow (got to mess with the
"automatic" password settings and other worms in the can you'll be opening).

At first glance, everyone seems to suggest using the "identity" tag in
web.config to do impersonation. However, it's a huge PITA; there's more to it
than what's described in KB #317012 or at the following
http://msdn.microsoft.com/library/en...l/secmod15.asp
For example, your new user won't have permission to access
System.Diagnostics.Process.GetCurrentProcess().Handle
among other various "gotchas". Impersonation is overkill.

The solution?
Use System.Diagnostics.Process and run "net use" from the Asp.Net application
to authenticate to your network share. The authentication will last just like it
does when you call it from the command line (for the user you execute it as).

I believe this method to be the least invasive on existing code. For me, I have
a File.Exists check first. If that fails, then I try to open the file
(File.OpenText is what I tested with, but File.Open should be the same). If the
exception is

[System.IO.IOException] Logon failure: unknown user name or bad password.

then I do the "net use" call to authenticate and try again. If it's not that
exception, then the file will actually not exist, and you get this error:

[System.IO.FileNotFoundException] Could not find file "<filename>"

and I then let the exception propagate to my error-handling stuff.
Nov 18 '05 #1
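
The flow described in post #1, written out in C# as an added example (not the poster's code). The class and method names and the way the credentials reach the method are assumptions; it matches the HRESULT for ERROR_LOGON_FAILURE (0x8007052E) instead of the message text, uses File.ReadAllText for the open, and assumes .NET Framework 4.5 or later for the public Exception.HResult property.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Added example with hypothetical names. shareRoot, user and password are assumed to come
// from protected server-side configuration, never from anything in the HTTP request.
static class SmbShareReader
{
    // HRESULT form of Win32 ERROR_LOGON_FAILURE (1326):
    // "Logon failure: unknown user name or bad password."
    const int LogonFailure = unchecked((int)0x8007052E);

    public static string ReadText(string uncPath, string shareRoot, string user, string password)
    {
        try
        {
            return File.ReadAllText(uncPath);
        }
        catch (IOException ex)
        {
            // FileNotFoundException and every other I/O error propagate unchanged.
            if (ex.HResult != LogonFailure) throw;
        }
        NetUse(shareRoot, user, password);
        return File.ReadAllText(uncPath);   // single retry; a second failure propagates
    }

    static void NetUse(string shareRoot, string user, string password)
    {
        // Reject values that would break out of the quoted arguments built below.
        foreach (string s in new[] { shareRoot, user, password })
            if (s.IndexOf('"') >= 0 || s.EndsWith("\\"))
                throw new ArgumentException("value cannot be quoted safely");

        var psi = new ProcessStartInfo
        {
            // Full path, so a net.exe planted earlier on the search path is never picked up.
            FileName = Path.Combine(Environment.SystemDirectory, "net.exe"),
            // The password is part of the command line: it is visible to process listings
            // and command-line auditing on the web server while net.exe runs.
            Arguments = string.Format("use \"{0}\" \"{1}\" /user:\"{2}\"", shareRoot, password, user),
            UseShellExecute = false,
            CreateNoWindow = true
        };
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            if (p.ExitCode != 0)   // never log psi.Arguments: it contains the password
                throw new IOException("net use failed with exit code " + p.ExitCode);
        }
    }
}
```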
Don't you have to give the ASPNET account broad permissions to execute "net
use"? It seems like that's a pretty big security hole.

I'd still prefer to use impersonation to authenticate to the network share.

"Granger Godbold" <gr*************@invalid.prometric.com> wrote in message
news:u0**************@tk2msftngp13.phx.gbl...

Nov 18 '05 #2
You could also try defining an application pool (I am assuming IIS6) and
define a specific identity to use/application account that has access to the
requested resource (as well as the same privileges as ASPNET user so that it
can run .Net apps). Alternatively (although I would also view this as
overkill), you can define a COM+ component (ie. inherit from
ServicedComponent) and install the component that needs to access the remote
resource into COM+. You could then define a specific identity/user account
under which it would run, and again you would give/assign that user the
required access.

Just some other options.

--
- Paul Glavich
Microsoft MVP - ASP.NET
"Ken Cox [Microsoft MVP]" <BA************@sympatico.ca> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
> Don't you have to give the ASPNET account broad permissions to execute
> "net use"? It seems like that's a pretty big security hole.
>
> I'd still prefer to use impersonation to authenticate to the network share.

Nov 18 '05 #3
No. You don't. I didn't have to change anything on the ASPNET account for it to
work correctly.
Ken Cox [Microsoft MVP] wrote:
> Don't you have to give the ASPNET account broad permissions to execute
> "net use"? It seems like that's a pretty big security hole.
>
> I'd still prefer to use impersonation to authenticate to the network share.


Nov 18 '05 #4
