views:

541

answers:

2

Edit 6:
Using Windows Integrated authentication (with an account that has access to the share and the database), I can get the list of files/directories. However, refresh the page and get an UnauthorizedAccessException. Perhaps a NetBIOS or ActiveDirectory limitation.

5 months and still no solution, other than 'use impersonation' (via P/Invoke it seems, since the built in .NET way seems so flaky), but that will also have the same problem. Hard coding username/password is not an option.

Development (Windows 7) box (using IIS or Visual Studio's) built in web server) works fine..

Edit 5:
From what I have read on the internet and in this question, the only ways for this to work are:

  • Basic Authentication
  • Impersonation
  • Have files on same server as Web Application

None of these are an option as either

  • Users have to login each time - downside: extra barrier to entry, should be a seamless experience
  • User name and password hard coded - downside: passwords change, the user coded (asp.net account) in won't have access to the files
  • Too many files to store on the web server, not enough disk space

Since there must be Windows Forms applications that can access UNC shared files, I would have thought this would work. That, and the fact when remotely connecting to the web server and using Windows Explorer I can access the files.

Maybe ASP.NET/IIS security prevents it from ever working without impersonation via P/Invoke. Or maybe being blocked by a firewall?

Edit 4:
One thing that does work is using Basic Authentication - Integrated Windows Authentication and Digest Authentication do not. However, that is not really an option as the password is sent in clear text and the user would get a prompt when they visit the page (not something I want to do).

Edit 3:
No matter what I try, I can not get a list of files or directories on a UNC path (both a combination of these and individually turned on)

  1. Given 'Everyone' full access to the folder (not just read)
  2. Given the ASP.NET account 'Act as part of the operating system'
  3. Given IIS_WPG group 'Act as part of the operating system'
  4. Used <authentication mode="Windows" />
  5. Used <identity impersonate="true"/>

If I remotely connect (using RDP) to the server with the same account as I use to log into the site, I can access the files fine. It just doesn't work through code.

Edit 2:
What I have tried is:

  1. Turn on Windows Authentication: files can only be accessed when on same machine (not UNC share), cannot connect to database
  2. Turn on Forms Authentication, can connect to database but not access files (due to InvalidCastException as Identity is now a GenericIdentity)

I can't use Windows Authentication, as I have no way to add roles. I don't want to prompt for a username / password as that is an extra step and it is not over a secure connection (i.e. SSL). Also I can't give the ASP.NET account access to the files (since I am not a domain administrator).

Edit:
The path is a UNC path, not on the local PC.

Using forms authentication, when I try to cast the current user identity to a WindowsIdentity in Visual Studio and debugging I get an InvalidCastException. I simply have:

WindowsIdentity id = (WindowsIdentity)HttpContext.Current.User.Identity;

Then the error I get is:

Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'System.Security.Principal.WindowsIdentity'

I am using impersonation to get a list of files, since the ASP.NET account does not have access to these files. It works when using IIS, but not in Visual Studio:

WindowsIdentity id = (WindowsIdentity)User.Identity;
using (System.Security.Principal.WindowsImpersonationContext context = id.Impersonate())
{
 files = Directory.GetFiles("\\server\share");
 context.Undo();
}

Adding <identity impersonate="true" /> to the web.config does not do anything - although I don't want to do that as I am using the ASP.NET account to query a database, which the user does not have access rights to (resulting in Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON').

When I turn on Windows authentication through the web.config I then get UnauthorizedAccessException when trying to get the list of files from a remote share (which I could otherwise access if I remotely connected onto the IIS box as the same user on the client PC).

In addition, the ASP.NET account is an account set up in Active Directory, not local to IIS.

+1  A: 

As RichardOD says, you are going to have trouble running the code as given on both IIS and WebDev.

Your best option is to Project>Properties>Web>Use local IIS web server.

Otherwise you need to modify the access control strategy.

Edit in response to comments: I appears OP needs to do some hardcore impersonation:

I have used this code in the past to connect to a UNC as another user from a codebehind. There is also a more current version that looks good, but I haven't used it so cannot vouch.

This may help, may not. Worth a try.

Sky Sanders
That works, although forms authentication is used to log into the site for admin purposes. Trying to do a hybrid-style system though, since a lot of the site already uses forms authentication and the roles system to determine what the user can access and do.
Sam
@Sam, then why are you trying to swim against the stream dude? ;-) Grant NTFS permissions to yourself on the dev machine, as that is the identity that is running cassini.Mixing modes is a really bad idea and will lead to smelly code.
Sky Sanders
I want to use custom roles that are not part of Active Directory, since I have no rights to create security groups. When turning on Windows authentication I can't then use the forms authentication roles like 'admin' or 'documents' etc.
Sam
@sam, my answer currently reflects your question. If we solve your problem here in comments I will update my answer. So, to reiterate, use forms auth, define your roles and give yourself permissions to access the files (as if YOU are the IIS process, which you are when using cassini)
Sky Sanders
@sam, as you provide more detail the question gets more interesting. You may have a slight problem running that code both IIS and WebDev. RichardOD had a good solution. your only solution actually, given the situation. And this assumes that your box is in the domain.
Sky Sanders
@Sam- from your comments it sounds like you want to use Windows authentication combined with the SqlRoleProvider- http://forums.asp.net/t/932456.aspx? Did you know this was possible?
RichardOD
Still can't access the files over a UNC share, despite having followed instruction from various articles on how to access data on shares
Sam
@Sam, sounds like you need to do some hardcore impersonation. Let me track down some code that I know works in a situation such as you describe.
Sky Sanders
@Sam - see updated answer and let me know.
Sky Sanders
A: 

Do you mean using the Built in Web Server (Cassini)? Impersonation does not work the same as in IIS (see Cassini considered harmful). You can use IIS as the Web Server in Visual Studio. I usually do as it prevents weird deployment time issues like this.

RichardOD