Win2003 Server - Access to the path is denied

We are having an issue in that when trying to read a file that is on Server2
from Server1 (through our ASP.NET project), we receive the error:
Access to the path "\\Server2\MyShare\MyFile.tif" is denied.
Here is the server setup that we have:
Dev - Development Computer on WinXP Pro SP2 (IIS5), VS2003 developing
under .NET Framework 1.1
Server1 - Web Server on Win2003 Server (IIS6)
Server2 - File Server on Win2003 Server
All servers are a part of the same domain
The error only happens on Server1 (Win2003 w/IIS6). The error does not
occur on Dev (WinXP Pro SP2 w/IIS5). We have also tried running this web
application on another Win2003 server with the same error as Server1. On
each server, we were logged on with an Administrator account (which has
permission to Server2) even though log-in is not required.
The line of code which generates the error is:
iStream = New System.IO.FileStream(filepath, System.IO.FileMode.Open, _
IO.FileAccess.Read, IO.FileShare.Read)
Anonymous access to our web project has been disabled by doing the
following:
In the Web.Config of the ASP.NET project:
<authentication mode="Windows"/>
<identity impersonate="true"/> (this is only on the Dev machine and
has been removed on Server1)
<authorization>
<deny users="?"/> <!-- Deny Anonymous users -->
<allow users="*"/> <!-- Allow only authenticated users -->
</authorization>
Within IIS on Dev and Server1
- "Anonymous access" has been disabled
- "Integrated Windows authentication" has been enabled
We have verified, before and after the error, that the user is the current
Windows user (from the client machine) and that they are a part of the group
assigned to the "MyShare" folder on Server2 with sufficient privileges. We
have also tried using an Administrator account to no avail.
The code used for checking the current user is:
Me.User.Identity.Name

The code used for checking permissions is:
HasPermission(New System.Security.Permissions.FileIOPermission( _
    System.Security.Permissions.FileIOPermissionAccess.AllAccess, _
    filepath))

Private Function HasPermission(ByVal permission As _
        System.Security.CodeAccessPermission) As Boolean
    Dim bolReturn As Boolean
    Try
        If Not permission Is Nothing Then
            permission.Demand()
        End If
        bolReturn = True
    Catch
        bolReturn = False
    End Try
    Return bolReturn
End Function
We have also tried running the following code before trying to read the
file:
AppDomain.CurrentDomain.SetPrincipalPolicy(Principal.PrincipalPolicy.WindowsPrincipal)

' Thread.CurrentPrincipal represents the Windows Authenticated user
Thread.CurrentPrincipal = New _
    Principal.WindowsPrincipal(Principal.WindowsIdentity.GetCurrent())

'Thread.CurrentPrincipal.Identity
'HttpContext.Current.User
Dim wic As WindowsImpersonationContext = _
    CType(HttpContext.Current.User.Identity, _
    System.Security.Principal.WindowsIdentity).Impersonate()
The "MyShare" folder on Server2 has restricted permissions set for a
specific group of people when the error occurs. If we add "Everybody" to
the permissions list and give "Everybody" read access, then we are able to
download the file. Even though this works, it is not a solution that we are
happy with.
We tried accessing the file directly from the Web Service (on Server2) when
called from Server1, but that also failed with the same "Access to the path
...." error message. Something that did work successfully was to create the
following structure on Server2:
Business Tier (COM+ DLL running under local Admin account)
Web Service
The web project would call a Web Service function which would then call a
Business Tier function to return a byte array of a specified file.
We also noticed that if you copy the path in the error message and paste it
directly into Windows/Internet Explorer, that the file can be accessed
without any problems. This, to me, indicates that the opening of the
FileStream is not being called under the permission of the authenticated
user.
Based on the Web.Config and IIS settings, I was under the assumption that
the user would be impersonated on Server1 which should also give them access to
the appropriate resources on Server2. Even though the username is correct
and the HasPermission function which checks for AllAccess permission on the
file on Server2 was successful, the error message when trying to read the
file makes it seem as if the impersonation failed.
The questions that I have are:
1. Why is this happening?
2. What is the solution?
TIA,
Jody
Nov 19 '05 #1
On Wed, 17 Aug 2005 10:12:59 -0400, "Jody Gelowitz" <jg**************@blah.leevalley.com> wrote:

¤ We are having an issue in that when trying to read a file that is on Server2
¤ from Server1 (through our ASP.NET project), we receive the error:
¤ Access to the path "\\Server2\MyShare\MyFile.tif" is denied.
¤
¤
¤ Here is the server setup that we have:
¤ Dev - Development Computer on WinXP Pro SP2 (IIS5), VS2003 developing
¤ under .NET Framework 1.1
¤ Server1 - Web Server on Win2003 Server (IIS6)
¤ Server2 - File Server on Win2003 Server
¤ All servers are a part of the same domain
¤
¤
¤ The error only happens on Server1 (Win2003 w/IIS6). The error does not
¤ occur on Dev (WinXP Pro SP2 w/IIS5). We have also tried running this web
¤ application on another Win2003 server with the same error as Server1. On
¤ each server, we were logged on with an Administrator account (which has
¤ permission to Server2) even though log-in is not required.
¤
¤
¤ The line of code which generates the error is:
¤ iStream = New System.IO.FileStream(filepath, System.IO.FileMode.Open, _
¤ IO.FileAccess.Read, IO.FileShare.Read)
¤
¤
¤ Anonymous access to our web project has been disabled by doing the
¤ following:
¤ In the Web.Config of the ASP.NET project:
¤ <authentication mode="Windows"/>
¤ <identity impersonate="true"/> (this is only on the Dev machine and
¤ has been removed on Server1)
¤ <authorization>
¤ <deny users="?"/> <!-- Deny Anonymous users -->
¤ <allow users="*"/> <!-- Allow only authenticated users -->
¤ </authorization>
¤ Within IIS on Dev and Server1
¤ - "Anonymous access" has been disabled
¤ - "Integrated Windows authentication" has been enabled
¤
¤
¤ We have verified, before and after the error, that the user is the current
¤ Windows user (from the client machine) and that they are a part of the group
¤ assigned to the "MyShare" folder on Server2 with sufficient privileges. We
¤ have also tried using an Administrator account to no avail.
¤
¤
¤ The code used for checking the current user is:
¤ Me.User.Identity.Name
¤
¤ The code used for checking permissions is:
¤ HasPermission(New System.Security.Permissions.FileIOPermission( _
¤ System.Security.Permissions.FileIOPermissionAccess.AllAccess, _
¤ filepath))
¤
¤ Private Function HasPermission(ByVal permission As
¤ System.Security.CodeAccessPermission) As Boolean
¤ Dim bolReturn As Boolean
¤ Try
¤ If Not permission Is Nothing Then
¤ permission.Demand()
¤ End If
¤ bolReturn = True
¤ Catch
¤ bolReturn = False
¤ End Try
¤ Return bolReturn
¤ End Function
¤
¤
¤ We have also tried running the following code before trying to read the
¤ file:
¤ AppDomain.CurrentDomain.SetPrincipalPolicy(Principal.PrincipalPolicy.WindowsPrincipal)
¤
¤ ' Thread.CurrentPrincipal represents the Windows Authenticated user
¤ Thread.CurrentPrincipal = New
¤ Principal.WindowsPrincipal(Principal.WindowsIdentity.GetCurrent())
¤
¤ 'Thread.CurrentPrincipal.Identity
¤ 'HttpContext.Current.User
¤ Dim wic As WindowsImpersonationContext =
¤ CType(HttpContext.Current.User.Identity,
¤ System.Security.Principal.WindowsIdentity).Impersonate()
¤
¤
¤ The "MyShare" folder on Server2 has restricted permissions set for a
¤ specific group of people when the error occurs. If we add "Everybody" to
¤ the permissions list and give "Everybody" read access, then we are able to
¤ download the file. Even though this works, it is not a solution that we are
¤ happy with.
¤
¤
¤ We tried accessing the file directly from the Web Service (on Server2) when
¤ called from Server1, but that also failed with the same "Access to the path
¤ ..." error message. Something that did work successfully was to create the
¤ following structure on Server2:
¤ Business Tier (COM+ DLL running under local Admin account)
¤ Web Service
¤ The web project would call a Web Service function which would then call a
¤ Business Tier function to return a byte array of a specified file.
¤
¤
¤ We also noticed that if you copy the path in the error message and paste it
¤ directly into Windows/Internet Explorer, that the file can be accessed
¤ without any problems. This, to me, indicates that the opening of the
¤ FileStream is not being called under the permission of the authenticated
¤ user.
¤
¤
¤ Based on the Web.Config and IIS settings, I was under the assumption that
¤ the user would be impersonated on Server1 which should also give them access to
¤ the appropriate resources on Server2. Even though the username is correct
¤ and the HasPermission function which checks for AllAccess permission on the
¤ file on Server2 was successful, the error message when trying to read the
¤ file makes it seem as if the impersonation failed.
¤
¤
¤ The questions that I have are:
¤ 1. Why is this happening?
¤ 2. What is the solution?
¤

Thanks for the comprehensive description and information.

I think you're hung up on the delegation issue. IIS cannot delegate credentials to a remote resource
when authenticating with Integrated Windows security. NTLM handles the authentication and the
credentials are never passed on to IIS.

If the goal is to impersonate and then delegate using Integrated Windows authentication you need to
implement Kerberos. There are some other workarounds that might be acceptable. See the following
document:

http://msdn.microsoft.com/library/de...delegation.asp

BTW, this probably works w/your DEV box because you're already authenticated locally as opposed to
being authenticated via IIS.
Paul
~~~~
Microsoft MVP (Visual Basic)
Nov 19 '05 #2
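
Added example, not part of either post: a VB.NET diagnostic that reports which token the request thread on Server1 would present to the file share, and whether that token can be forwarded for the second hop discussed in the reply. It assumes .NET 2.0 or later for WindowsIdentity.ImpersonationLevel (the application in the thread targets 1.1); the names DelegationCheck, Describe and SecondHopVerdict are hypothetical, and the verdict strings are a heuristic, not an authoritative test.

```vb
Imports System
Imports System.Security.Principal
Imports System.Text
Imports System.Web

' Added diagnostic (hypothetical helper, not from the thread).
' Call Describe(HttpContext.Current) just before opening the FileStream
' and write the result to a trace log.
Public Class DelegationCheck

    ' Compares the authenticated request user with the token the thread
    ' actually runs under. Assumes anonymous access is denied, so ctx.User
    ' is never Nothing.
    Public Shared Function Describe(ByVal ctx As HttpContext) As String
        Dim requestUser As IIdentity = ctx.User.Identity
        Dim threadId As WindowsIdentity = WindowsIdentity.GetCurrent()

        Dim report As New StringBuilder()
        report.AppendLine("Request user: " & requestUser.Name & _
                          " via " & requestUser.AuthenticationType)
        report.AppendLine("Thread token: " & threadId.Name)
        report.AppendLine("Token level:  " & threadId.ImpersonationLevel.ToString())
        report.AppendLine("Second hop:   " & SecondHopVerdict(requestUser, threadId))
        Return report.ToString()
    End Function

    Private Shared Function SecondHopVerdict(ByVal requestUser As IIdentity, _
            ByVal threadId As WindowsIdentity) As String
        ' Without impersonation the thread keeps the worker process token,
        ' so the share sees that account and not the browser user.
        If String.Compare(requestUser.Name, threadId.Name, True) <> 0 Then
            Return "not impersonating; file access uses the worker process account"
        End If
        ' A delegation-level token can be forwarded to another server.
        If threadId.ImpersonationLevel = TokenImpersonationLevel.Delegation Then
            Return "token is delegatable"
        End If
        ' NTLM network logon: Server1 holds no credentials to forward.
        If String.Compare(requestUser.AuthenticationType, "NTLM", True) = 0 Then
            Return "NTLM logon, no delegation; expect access denied on the remote share"
        End If
        Return "impersonating without a delegation-level token; check Kerberos and delegation settings"
    End Function
End Class
```

With `<identity impersonate="true"/>` removed, as the question describes for Server1, the first verdict applies unless the code impersonates explicitly before the call.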
