
Access network shares from asp .net 2.0

Mathias Erlandsson - 07 Mar 2006 14:57 GMT
Hi!

I'm developing a web-based file manager and it should of course be able to
read network shares inside our company.

Everything works fine when I use basic authentication. But because we are
planning to implement ADFS, we will only get to use Windows authentication
(as far as I can understand).

I have started to test Kerberos delegation and it works fine as long as the
network resource is in the same domain as the application. But since we have
multiple domains and fileservers spread across them, we run into problems.

With constrained delegation we can only delegate access through one domain.
How do I access the network resources outside the domain the application
resides in?

We are using a Windows 2003 Forest and Windows 2003 R2 servers.

/Mathias
Cowboy (Gregory A. Beamer) - MVP - 07 Mar 2006 15:40 GMT
Not sure how to solve this, but I would audit the remote share and see what
account is attempting to access the files. You may find that the account
attempting access is not what you think it should be.

If it is the account, use a runas on that account and attempt a straight
pull from the share. If this does not work, correct and then retest your app.
If it does not work, you have a couple of options:

NTFS issue
Active Directory issue
Kerberos issue

You need to heavily scan the machine with the share through both a success
and a failure. Figure out what is being used in each case (domain
authentication = works; Kerberos = fail, for example). Until you know
precisely what is causing the failure, you are not going to get past it.

Signature

Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************

> Hi!
>
[quoted text clipped - 16 lines]
>
> /Mathias
Mathias Erlandsson - 08 Mar 2006 06:39 GMT
Thanks for the reply.

I get the following 3 events when I audit the computer I can't access.
EventID: 576
User: The calling computer account
Category: Privilege Use
Privileges:        SeChangeNotifyPrivilege

EventID: 540
User: The calling computer account
Category: Logon/Logoff
Logon Type:    3
Logon Process:    Kerberos
Authentication Package:    Kerberos

EventID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Category: Logon/Logoff
Logon Type:    3
Logon Process:    NtLmSsp
Authentication Package:    NTLM

But if I add a trusted delegation to service cifs on a computer in the same
domain I get the impersonation to work. The following 2 events are written.

EventID: 540
User: The calling computer account
Category: Logon/Logoff
Logon Type:    3
Logon Process:    Kerberos
Authentication Package:    Kerberos

EventID: 540
User: The username of the impersonated user
Category: Logon/Logoff
Logon Type:    3
Logon Process:    Kerberos
Authentication Package:    Kerberos

To get these results I use the WindowsIdentity(UPN) impersonate in the code.
When I use ADFS for authentication the directory security on the IIS-server
has to be anonymous. That would explain why I get anonymous login on my
computer in the other domain. But how do I get the user to be impersonated
across domains?

/Mathias

"Cowboy (Gregory A. Beamer) - MVP" wrote:

> Not sure how to solve this, but I would audit the remote share and see what
> account is attempting to access the files. You may find that the account
[quoted text clipped - 33 lines]
> >
> > /Mathias
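
The audit comparison discussed in this thread, as an added example that is not part of any poster's message: it parses events in the layout quoted above and reports which identity actually reached the file server. The sample events, the names CORP and WEB01$, and the outcome labels are constructed for this example.

```python
import re

# Constructed sample in the layout of the events quoted in the thread
# (cross-domain, failing case). CORP and WEB01$ are made-up names.
SAMPLE = """\
EventID: 576
User: CORP\\WEB01$
Privileges:        SeChangeNotifyPrivilege

EventID: 540
User: CORP\\WEB01$
Logon Type:    3
Authentication Package:    Kerberos

EventID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type:    3
Authentication Package:    NTLM
"""

def parse_events(text):
    """Split blank-line separated 'Key: value' records into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (re.split(r":\s*", ln.strip(), maxsplit=1)
                 for ln in block.splitlines() if ":" in ln)
        events.append(dict(pairs))
    return events

def classify(events):
    """Report which identity the file server saw on network (type 3) logons."""
    seen = [(e.get("User", ""), e.get("Authentication Package", ""))
            for e in events
            if e.get("EventID") == "540" and e.get("Logon Type") == "3"]
    if any(u.upper().endswith("ANONYMOUS LOGON") for u, _ in seen):
        return "anonymous-fallback"    # no user credentials reached the share
    if any(u and not u.endswith("$") and p == "Kerberos" for u, p in seen):
        return "delegated-user"        # end user arrived over Kerberos
    if seen:
        # Computer account names end in "$": only the web server authenticated.
        return "machine-account-only"
    return "no-network-logon"

if __name__ == "__main__":
    print(classify(parse_events(SAMPLE)))
```

Running the same classification on events captured during a working and a failing request gives the side-by-side comparison suggested earlier in the thread.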
