I have some code running in an ASP.NET MVC app inside IIS 7. The code is supposed to save a file to a UNC share. This function is called from some controller code, with the filePathname = "\MYSRV\sites\docs\10080003\egg.txt"

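using System.IO;
using System.Security.Principal;

public void EnsureDocument(string filePathName, string content, WindowsIdentity identity)
{
  System.Security.Principal.WindowsImpersonationContext impersonationContext = null;
  try
  {
    // Run the write under the supplied identity instead of the current thread/process identity.
    impersonationContext = ((System.Security.Principal.WindowsIdentity)identity).Impersonate();
    File.WriteAllText(filePathName, content);
  }
  finally
  {
    // Impersonate() may have thrown before the context was assigned; only undo if it exists.
    if (impersonationContext != null)
    {
      impersonationContext.Undo();
    }
  }
}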

The call from the asp.net mvc controller looks like this ...

// pass running identity
documentSvc.EnsureDocument(filePathname, content, WindowsIdentity.GetCurrent());
//documentSvc.EnsureCaseDocument(filePathname,content,(System.Security.Principal.WindowsIdentity)User.Identity);

The call from an NUnit test looks like this ...

documentSvc.EnsureDocument(filePathname, content, WindowsIdentity.GetCurrent() ); 

The symptoms are that the NUnit code drops the file BUT the call from asp.net mvc does not drop the file.

*Test 1: PASSES, DROPS FILE* The NUnit code sends through an identity { AuthType=Kerberos, ImpersonationLevel=none, Name="DOMAIN\Fred Blogs" } and this drops the file on the UNC.

*Test 2: FAILS, DOES NOT DROP FILE* With impersonate="true" in the web.config, and making the call

documentSvc.EnsureDocument(filePathname, content, WindowsIdentity.GetCurrent());

The asp.net mvc code sends through { AuthType=Kerberos, ImpersonationLevel=Delegation, Name="DOMAIN\Fred Blogs" } and the file is not dropped.

*Test 3: FAILS, DOES NOT DROP FILE* Without impersonate="true" in the web.config and making the call

documentSvc.EnsureCaseDocument(filePathname,content,(System.Security.Principal.WindowsIdentity)User.Identity);

The asp.net mvc code sends through { AuthType=Negotiate, ImpersonationLevel=Delegation, Name="DOMAIN\Fred Blogs" } and the file is not dropped.

?

A: 

NUnit's running identity is you, while MVC's running identity is likely IUSR_... I think it's just a security problem.

Rudu
Yes, it is a security problem; on my dev box the code runs as IIS APPOOL\ASP.NET 4.0 and on the staging box the code runs as NETWORK SERVICE. The purpose of the impersonate=true in the web.config and the code impersonationContext = ((System.Security.Principal.WindowsIdentity)identity).Impersonate(); is to make the code run as the user who is using the IE browser. Cheers
UNC / IIS security is always tricky (I love when you have impersonate on it stores passwords in plain text - for shame!). Catchy username btw.
Rudu
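An added diagnostic, not code from the question or the answer: it reports the process identity, the identity passed in, and the identity actually in effect at the moment of the write, using the same properties the three tests compare, and returns the exception text when the write fails. `DocumentWriteProbe`, `Describe` and `TryWrite` are hypothetical names, and the code assumes .NET Framework, where `WindowsIdentity.Impersonate` is available.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Hypothetical helper for illustration; not part of the original post.
public static class DocumentWriteProbe
{
    // Summarise the properties the question compares between NUnit and IIS.
    public static string Describe(WindowsIdentity id)
    {
        return string.Format("Name={0}; AuthType={1}; ImpersonationLevel={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // Attempt the write as `identity` and return a report instead of throwing.
    public static string TryWrite(string filePathName, string content, WindowsIdentity identity)
    {
        string report;
        // Impersonate(IntPtr.Zero) reverts the thread to the process token, so this
        // shows the app pool account even when impersonate="true" is configured.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity self = WindowsIdentity.GetCurrent())
        {
            report = "process:   " + Describe(self) + Environment.NewLine;
        }
        report += "requested: " + Describe(identity) + Environment.NewLine;
        try
        {
            // Disposing the impersonation context undoes the impersonation.
            using (identity.Impersonate())
            using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
            {
                report += "effective: " + Describe(effective) + Environment.NewLine;
                File.WriteAllText(filePathName, content);
            }
            return report + "result: written";
        }
        catch (UnauthorizedAccessException ex)
        {
            return report + "result: access denied: " + ex.Message;
        }
        catch (IOException ex)
        {
            return report + "result: I/O error: " + ex.Message;
        }
    }
}
```

Calling `TryWrite` from both the NUnit test and the controller, with the same arguments as `EnsureDocument`, gives two reports that can be compared line by line.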