I have an ASP.NET app using Windows authentication, and I'm testing for the existence of a file on a remote server.

I'm authenticating as MYDOMAIN\my.username - this works.

The file is `\\MYSERVER\WebShare\example.txt`. This file exists. I can open it from various hosts whilst logged in as MYDOMAIN\my.username. Under Windows Explorer, the effective permissions indicate that MYDOMAIN\my.username has full control of this file.

If I attach a debugger and type $user in the watch window, I can see that the current thread is running as MYDOMAIN\my.username, whilst the current process is still running as NT AUTHORITY\NETWORK SERVICE - the relevant bits of the watch window are reproduced below:

$user  {...}  $user register
 +- Process  {...}  TOKEN
 |  +- Name                 NT AUTHORITY\NETWORK SERVICE  User Name
 |  +- User                 SID  S-1-5-20                 SID
 |  +- Session Id           0                             DWORD
 |  +- Loggin Id            000003e4-00000000             LUID
 |  +- Impersonation Level  N/A (not impersonating)       SECURITY_IMPERSONATION_LEVEL
 +- Thread  {...}  TOKEN
    +- Name                 MYDOMAIN\my.username          User Name
    +- User SID             S-1-5-21-...                  SID
    +- Session Id           0                             DWORD
    +- Loggin Id            018622ef-00000000             LUID
    +- Impersonation Level  Impersonate                   SECURITY_IMPERSONATION_LEVEL

The server that's running ASP.NET is a member of the MYDOMAIN\Webservers group, which in turn has full control of the shared file.

Here's what I don't understand:

  1. When .NET tries to query File.Exists, is it the thread or process identity that is being used?
  2. If it's using the process credentials - how can I either force the process to run as MYDOMAIN\my.username, or give the NETWORK SERVICE account permission to read the file? (I thought this had already been done by adding my computer account - but it doesn't work...)
  3. If it's using the thread's credentials - why can't I read the file?

Any pointers or useful debugging tips would be most gratefully received.

Thanks,

Dylan

+2  A: 

In these situations I always fire up Sysinternals Process Monitor and filter out the file in question. From there, you can see what account is actually accessing the file.

In general, if you are not impersonating, the account that is running the application pool will be used. What is your application pool account?

Regarding question 2: You can set correct permissions on the file by right-clicking on it in Explorer and selecting Permissions. From there you can add the Network Service account and give it read permissions.

What OS are you running? Depending on the OS, the default application pool account is either Network Service or AppPoolIdentity, so make sure you are checking the right one.

Magnus Johansson
Hadn't thought of trying Process Monitor - turns out it's a complex combination of ASP.NET Impersonation and various other factors, but Process Monitor absolutely helped in tracking down what was going on - thanks.
Dylan Beattie
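As an added illustration (not code from the question or the answer above), here is a small diagnostic page that answers question 1 from inside the process: it reports the identity that `File.Exists` will actually present to the file system, shows the process identity separately when the thread is impersonating, and probes the share with `File.GetAttributes`, which throws the real error rather than the silent `false` that `File.Exists` returns on access denied. The class name `IdentityProbe`, the page wiring and the UNC path are placeholders; everything else uses documented `System.Security.Principal` behaviour.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;

// Hypothetical diagnostic page (IdentityProbe.aspx) for an ASP.NET site with
// Windows authentication enabled. It writes a plain-text report of which
// Windows identity file I/O runs under and what that identity sees on the share.
public partial class IdentityProbe : Page
{
    // Placeholder UNC path; substitute the share you are testing.
    private const string ProbePath = @"\\MYSERVER\WebShare\example.txt";

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        Response.Write(BuildReport(ProbePath));
    }

    // Builds the report: effective identity, impersonation state, and a probe
    // of the file under each identity that is in play for this request.
    public static string BuildReport(string path)
    {
        var sb = new StringBuilder();

        // GetCurrent() is the token Win32 presents to CreateFile, the call
        // behind File.Exists: the thread token while impersonating, otherwise
        // the process (application pool) token.
        WindowsIdentity effective = WindowsIdentity.GetCurrent();
        sb.AppendLine("Effective identity   : " + effective.Name);
        sb.AppendLine("Impersonation level  : " + effective.ImpersonationLevel);

        // GetCurrent(true) returns null unless the thread is impersonating.
        bool impersonating = WindowsIdentity.GetCurrent(true) != null;
        sb.AppendLine("Thread impersonating : " + impersonating);

        if (HttpContext.Current != null)
        {
            sb.AppendLine("Authenticated user   : " + HttpContext.Current.User.Identity.Name);
        }

        sb.AppendLine("Probe as effective identity : " + Probe(path));

        if (impersonating)
        {
            // Impersonate(IntPtr.Zero) reverts the thread to the process
            // identity until Undo() runs, so we can compare what the
            // application pool account itself sees.
            using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
            {
                sb.AppendLine("Process identity     : " + WindowsIdentity.GetCurrent().Name);
                sb.AppendLine("Probe as process identity   : " + Probe(path));
                revert.Undo();
            }
        }

        return sb.ToString();
    }

    // File.Exists returns false for every failure, including access denied,
    // so it cannot tell you why. File.GetAttributes surfaces the real error.
    public static string Probe(string path)
    {
        try
        {
            return "reachable (" + File.GetAttributes(path) + ")";
        }
        catch (UnauthorizedAccessException ex)
        {
            return "access denied: " + ex.Message;
        }
        catch (FileNotFoundException ex)
        {
            return "not found: " + ex.Message;
        }
        catch (IOException ex)
        {
            // DirectoryNotFoundException, unreachable host or share, etc.
            return "I/O error: " + ex.Message;
        }
    }
}
```

Two facts worth reading the report against: when the effective identity is NT AUTHORITY\NETWORK SERVICE and the file is on another machine, the remote server sees the web server's computer account (MYDOMAIN\WEBSERVERNAME$), which is why file permissions for a remote share are granted to that account or a group containing it rather than to "Network Service". And an `Impersonate`-level token obtained from NTLM (the level shown in the question's watch window) cannot be forwarded to a second server, so the impersonated user may be able to read the file locally yet fail against the share; the failed or anonymous logon then shows up in the file server's security log rather than on the web server.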