Accessing Virtual directory on remote machine

TurboT - 31 Oct 2005 17:25 GMT
I have a .net application that I need to write to a directory on a different
server.

1. When the dotnet application runs I have initial setup with IIS using a
virtual directory on same machine.  This works fine.

2. Virtual directory to another machine (created the authentication account
and saved in IIS virtual directory setup) - does not work.
3. Tried a persistent mapped drive T: with saved credentials which are on
the DACL of the remote machine. - does not work.

This is in a DMZ workgroup environment.  Any ideas how I can get this to
work.  Is this possible with DOTNET?

Thanks,

Turbot
Dominick Baier [DevelopMentor] - 31 Oct 2005 18:49 GMT
Hello TurboT,

Which Version of IIS are you using?

under which account does your worker process run?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I have a .net application that I need to write to a directory on a
> different server.
[quoted text clipped - 14 lines]
>
> Turbot
TurboT - 31 Oct 2005 20:11 GMT
Hello Dominick,

We are testing on both IIS 5 and IIS6 worlds. Same results.

Worker Process - Default DOTNET account??  How could I check this.  (I am
the network person working with the dotnet developer)

Thanks

> Hello TurboT,
>
[quoted text clipped - 24 lines]
>>
>> Turbot
TurboT - 31 Oct 2005 20:59 GMT
We are investigating passing an "impersonation" account with the code..

Any ideas on this?

> Hello Dominick,
>
[quoted text clipped - 33 lines]
>>>
>>> Turbot
Dominick Baier [DevelopMentor] - 31 Oct 2005 21:23 GMT
Hello TurboT,

why?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> We are investigating passing and "impersonation" account with the
> code..
[quoted text clipped - 38 lines]
>>>>
>>>> Turbot
Dominick Baier [DevelopMentor] - 31 Oct 2005 21:24 GMT
Hello TurboT,

well - the asp.net app runs under an account -

that differs with the IIS version used - i can only recommend using IIS6

under IIS6 the default account is NETWORK SERVICE - if this account talks
to a machine in a domain environment it will use the machine account, e.g.
SERVER$
in non-domains it will be ANONYMOUS

you can run the worker process under a custom account . this is configured
in the application pool settings - then this account needs access to the
resources..

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello Dominick,
>
[quoted text clipped - 33 lines]
>>>
>>> Turbot
TurboT - 01 Nov 2005 01:25 GMT
Dominick, Let me see if I understand.

1. If you are running in IIS6, then by default your code is running as
"Network Service".  I believe it is actually gaining these rights through
the IIS_WPG group.
Network Service is the security context that DOTNET runs on a local machine.
Between machines it is anonymous in a workgroup so in effect no
authentication is passed, but within a domain environment rights are passed
through the machine account.

So.

Q1 - defining a virtual directory in IIS6 under the DOTNET application -
will run as Network Service if the virtual directory is on this server?  -
This does work.. and BTW the code that is calling access to the virtual
directory is a server.mappath in the code. (Is this right?)
Q2. - if the same definition as above but the virtual directory is remote
(by doing this I have to put credentials in IIS6 to access the virtual
directory on server B)  When are these credentials ever used?   and if
therefore dotnet never looks at this virtual directory definition it
therefore is trying to access the remote virtual directory as anonymous
(same as a http webpage?).

I guess if I throw IIS5 out of the picture and decide to make this work on
IIS6 I am still a little confused on the detail.  ie. If I have two Win 2003
servers in a workgroup, one is running the IIS6 services other has a
directory required for R/W and shared as ServerB\Data?  This is still
anonymous access by default even in IIS6?  Does IIS6 have to be running on
both servers?

Thanks Dominick for any clarification and your time.

Turbot

> Hello TurboT,
>
[quoted text clipped - 51 lines]
>>>>
>>>> Turbot
Ken Schaefer - 01 Nov 2005 07:10 GMT
I think we're all getting a little confused here.

a) ASP.NET runs (by default) as Network Service, because that's the default
account configured for Web Application Pools in IIS 6.0. To set a different
account, open the IIS Manager, locate the Web App Pool hosting your web
application/web site, and enter a different user account.

b) Mapped drive letters are not going to work. Drive letters are mapped for
the logged on user only - not for any other account. So, if you logon and
map a drive letter, then Network Service is not going to see that drive
letter

c) IF you want to use a fixed identity to connect to the remote share, then:
   i) create a user account, with the same name, on both machines. Set the
same password
   ii) in IIS Manager, create a virtual directory that points to a UNC
share
   iii) specify the credentials that you created in (i) as the credentials
to be used when connecting to the remote share

d) However, if you are forcing the user to authenticate, and wish the user's
credentials to flow through to the backend server, then you need to read
this document:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx


Cheers
Ken

: Dominick, Let me see if I understand.
:
[quoted text clipped - 10 lines]
: Q1 - defining a virtual directory in IIS6 under the DOTNET application -
: will run as Network Service if the virtual directory is on this server?  -
: This does work.. and BTW the code that is calling access to the virtual
: directory is a server.mappath in the code. (Is this right?)
[quoted text clipped - 71 lines]
: >>>>
: >>>> Turbot
TurboT - 01 Nov 2005 16:53 GMT
Ken thank you.. just a little more clarification.

I have done exactly what you have mentioned. and in this document.

1. same local account and password on both machines.
2. same credentials for UNC in virtual directory definition

I am wondering if we are using the incorrect code to reference this
directory.  I believe it is server.mappath in the code..??

>I think we're all getting a little confused here.
>
[quoted text clipped - 135 lines]
> : >>>>
> : >>>> Turbot
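
The two questions left open above, which account the code executes as and what `Server.MapPath` does with the virtual directory, can be answered with a small diagnostic handler. This is an added example, not code from any poster in the thread; the file name `WriteCheck.ashx` and the virtual path `~/data` are assumptions, and it needs .NET 2.0 or later.

```csharp
<%@ WebHandler Language="C#" Class="WriteCheck" %>
// WriteCheck.ashx - added diagnostic example, not code from the thread.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class WriteCheck : IHttpHandler
{
    // Assumption: "~/data" is the virtual directory that points at the share.
    private const string VirtualDir = "~/data";

    public void ProcessRequest(HttpContext context)
    {
        // Only answer requests made from the web server itself.
        if (!context.Request.IsLocal) { context.Response.StatusCode = 404; return; }

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Account the code executes as right now: the worker process account,
        // or the impersonated account if impersonation is in effect.
        r.Write("Executing as: " + WindowsIdentity.GetCurrent().Name + "\r\n");

        // MapPath only translates the virtual path into a physical one;
        // it does not open the target or present any credentials.
        string physical = context.Server.MapPath(VirtualDir);
        r.Write("MapPath result: " + physical + "\r\n");

        // The write is where the executing account's rights are tested.
        string probe = Path.Combine(physical,
            "writecheck-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            File.WriteAllText(probe, "probe");
            File.Delete(probe);
            r.Write("Write test: OK\r\n");
        }
        catch (UnauthorizedAccessException ex)
        {
            r.Write("Write test: access denied (" + ex.Message + ")\r\n");
        }
        catch (IOException ex)
        {
            r.Write("Write test: I/O error (" + ex.Message + ")\r\n");
        }
    }

    public bool IsReusable { get { return true; } }
}
```

Remove the handler once troubleshooting is done, since its output names the service account and the share path.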
Rajeev Srivastava - 27 Jul 2007 13:35 GMT
Currently I am facing a problem. I have two .NET applications on different servers. Both use Windows authentication ("Integrated Windows Authentication"). There is a link on both applications to redirect to each other. Now the problem is that if I log in to one application and click the link for the other application, it should not ask for the user ID and password again.

Currently it's asking for the user ID and password for both applications.

I tried impersonation for that but it's not working. Both my applications are on a single domain right now, but I have to implement it on different domains also.

Please solve my problem.

From http://www.developmentnow.com/g/14_2005_10_0_0_627845/Accessing-Virtural-directory-on-remote-machine.ht


©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.