tags:

views:

160

answers:

4
Q: 

Writing to a network location in ASP.NET (using AD)

Hey guys,

I'm running into a (hopefully) small issue. I have a web app written in ASP.NET, that will be running off of a Windows 2003 Server machine using IIS 6.0. When I run it locally, it works perfect. When I run it from the server, the site works fine. The issue lies in writing to a remote folder. I have a network folder using AD permissions that the application writes to. With my AD account (when I write it locally) it authenticates properly, but when using the IIS account it does not. Has anyone come across this? Any solutions available?

So far, I've tried using my AD account as the "Guest Account" in IIS that the site runs off of, but that still didn't work.

Any thoughts, explanations, or suggestions would be greatly appreciated!

Thanks.

A: 

Might it be related to the account that the Application Pool is running under?

Jeremy  2009-09-11 14:33:17
+3  A: 

By default ASP.NET runs under the context of a local user account, which will not have access to your AD machines. You can reconfigure the connection pool to run as a domain account and lo, it gets access. You should give the domain account as little privileges as possible, and add it to the IIS_WPG on the IIS machine and give it Run as service rights on that box.

blowdart  2009-09-11 14:34:08
A: 

You might also consider doing as suggested in this SO answer:

http://stackoverflow.com/questions/1411013/asp-net-windows-authentication-impersonate-problem

Wrap the code that is doing the writing to a remote location and everything else could be left alone. This will give you the best security for the web app since you are only impersonating an account with these writes for the code that needs it instead of all of it.

klabranche  2009-09-11 14:47:39
Seeing as how that's my answer ... *grin* I wouldn't do that if at all possible, because (a) it won't work in that case and (b) to make it work you need to hard code a username and password of a domain account to switch context. Which is bad.
blowdart  2009-09-11 14:50:43
@blowdart - I am missing something then.... Why wouldn't it work?
klabranche  2009-09-11 14:54:15
Well the impersonation in that answer needs windows auth, the person who asked said he switched it to test, not that it's a permanent setting
blowdart  2009-09-11 15:02:29
Gotcha.... I thought you meant there was a REAL limitation in that it wouldn't actually work. We have done this as laid out by others in setting the impersonation up at the web.config and in the connection pool for the app but I thought your way is ingenious in that it really limits the security to just that operation. I do agree the username/pwd being hard coded is yucky. :)
klabranche  2009-09-11 15:16:42
+1  A: 

The way I normally tackle these situations is to do a couple of steps.

  • In AD create an account for the service.
  • Add this account to the network share you wish to access.
  • Then have your ASP.Net application run using that service account instead of the local IIS account.

  • In your web.config file you put the following line under

    <system.web>
     <identity impersonate="true"/>
    </system.web>

Demetri  2009-09-11 14:56:10
Hmmm...I have the account created in AD and I've added the permissions needed on the share. I changed the Application Pool user from "Network Service" to the new AD user. I have also changed the Allow Anonymous account to the AD user account as well. The web.config file was also changed. It will won't write out to that folder. Any thoughts?!
SlackerCoder  2009-09-11 15:55:40
Well make sure the setting are applies for you app not at the top level in IIS. Also, under directory security -> Authentication and Access Control -> Edit - Make sure the Integrated Windows Authentication is checked.
Demetri  2009-09-11 19:31:56
One more thing to make sure of, is that all errors are being written out to some log. Usually when it fails to write it will throw an error with some info that will probably help.
Demetri  2009-09-11 19:34:00

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps