Solution: Asp.Net and Smb shares - without impersonation

I've found a solution to this that I think I like, but I thought it wise
to put it out for all to see so people could punch holes in it as they
wished. (Is there a better way?)

I want a page in an Asp.Net site to be able to open/access a file that's
on an Smb share (ie. "Windows Share", "NetBios Share", etc.). I cannot use
the "ASPNET" username; that's a bad route to take anyhow (got to mess with
the "automatic" password settings and other worms in the can you'll be
opening).

At first glance, everyone seems to suggest using the "identity" tag in
web.config to do impersonation. However, it's a huge PITA; there's more to
it than what's described in KB #317012 or at the following
http://msdn.microsoft.com/library/en...l/secmod15.asp
For example, your new user won't have permission to access
System.Diagnostics.Process.GetCurrentProcess().Han dle
among other various "gotchas". Impersonation is overkill.

The solution?
Use System.Diagnostics.Process and run "net use" from the Asp.Net
application to authenticate to your network share. The authentication will
last just like it does when you call it from the command line (for the
user you execute it as).

I believe this method to be the least invasive on existing code. For me, I
have a File.Exists check first. If that fails, then I try to open the file
(File.OpenText is what I tested with, but File.Open should be the same).
If the exception is

[System.IO.IOException] Logon failure: unknown user name or bad password.

then I do the "net use" call to authenticate and try again. If it's not
that exception, then the file will actually not exist, and you get this
error:

[System.IO.FileNotFoundException] Could not find file "<filename>"

and I then let the exception propagate to my error-handling stuff.

Don't you have to give the ASPNET account broad permissions to execute "net use"? It seems like that's a pretty big security hole.

I'd still prefer to use impersonation to authenticate to the network share.
"Granger Godbold" <gr*************@invalid.prometric.com> wrote in message
news:u0**************@tk2msftngp13.phx.gbl...

I've found a solution to this that I think I like, but I thought it wise
to put it out for all to see so people could punch holes in it as they
wished. (Is there a better way?)

I want a page in an Asp.Net site to be able to open/access a file that's
on an Smb share (ie. "Windows Share", "NetBios Share", etc.). I cannot use the "ASPNET" username; that's a bad route to take anyhow (got to mess with the "automatic" password settings and other worms in the can you'll be
opening).

At first glance, everyone seems to suggest using the "identity" tag in
web.config to do impersonation. However, it's a huge PITA; there's more to it than what's described in KB #317012 or at the following
http://msdn.microsoft.com/library/en...l/secmod15.asp
For example, your new user won't have permission to access
System.Diagnostics.Process.GetCurrentProcess().Han dle
among other various "gotchas". Impersonation is overkill.

The solution?
Use System.Diagnostics.Process and run "net use" from the Asp.Net
application to authenticate to your network share. The authentication will last just like it does when you call it from the command line (for the
user you execute it as).

I believe this method to be the least invasive on existing code. For me, I have a File.Exists check first. If that fails, then I try to open the file (File.OpenText is what I tested with, but File.Open should be the same).
If the exception is

[System.IO.IOException] Logon failure: unknown user name or bad password.
then I do the "net use" call to authenticate and try again. If it's not
that exception, then the file will actually not exist, and you get this
error:

[System.IO.FileNotFoundException] Could not find file "<filename>"

and I then let the exception propagate to my error-handling stuff.

Don't you have to give the ASPNET account broad permissions to execute
"net use"? It seems like that's a pretty big security hole.

I'd still prefer to use impersonation to authenticate to the network share.

"Granger Godbold" <gr*************@invalid.prometric.com> wrote in
message news:u0**************@tk2msftngp13.phx.gbl...

I've found a solution to this that I think I like, but I thought it
wise to put it out for all to see so people could punch holes in it as
they wished. (Is there a better way?)

I want a page in an Asp.Net site to be able to open/access a file
that's on an Smb share (ie. "Windows Share", "NetBios Share", etc.). I
cannot use the "ASPNET" username; that's a bad route to take anyhow
(got to mess with the "automatic" password settings and other worms in
the can you'll be opening).

At first glance, everyone seems to suggest using the "identity" tag in
web.config to do impersonation. However, it's a huge PITA; there's
more to it than what's described in KB #317012 or at the following
http://msdn.microsoft.com/library/en...l/secmod15.asp
For example, your new user won't have permission to access
System.Diagnostics.Process.GetCurrentProcess().Han dle
among other various "gotchas". Impersonation is overkill.

The solution?
Use System.Diagnostics.Process and run "net use" from the Asp.Net
application to authenticate to your network share. The authentication
will last just like it does when you call it from the command line
(for the user you execute it as).

I believe this method to be the least invasive on existing code. For
me, I have a File.Exists check first. If that fails, then I try to
open the file (File.OpenText is what I tested with, but File.Open
should be the same). If the exception is

[System.IO.IOException] Logon failure: unknown user name or bad password.

then I do the "net use" call to authenticate and try again. If it's
not that exception, then the file will actually not exist, and you get
this error:

[System.IO.FileNotFoundException] Could not find file "<filename>"

and I then let the exception propagate to my error-handling stuff.