Access network shares from ASP.NET 2.0

"Mathias Erlandsson" wrote:

Hi!

I'm developing a web based file manager and it should of course be able to read network shares inside our company.

Everything works fine when I use basic authentication. But because we are planning to implement ADFS, we will only get to use Windows authentication (as far as I can understand).

I have started to test Kerberos delegation and it works fine as long as the network resource is in the same domain as the application. But since we have multiple domains and file servers spread across them, we run into problems.

With constrained delegation we can only delegate access through one domain. How do I access the network resources outside the domain the application resides in?

We are using a Windows 2003 Forest and Windows 2003 R2 servers.

/Mathias

"Cowboy (Gregory A. Beamer) - MVP" wrote:

Not sure how to solve this, but I would audit the remote share and see what account is attempting to access the files. You may find that the account attempting access is not what you think it should be.

If it is the account, use a runas on that account and attempt a straight pull from the share. If this does not work, correct and then retest your app. If it does not work, you have a couple of options:

NTFS issue
Active Directory issue
Kerberos issue

You need to heavily scan the machine with the share through both a success and a failure. Figure out what is being used in each case (domain authentication = works; Kerberos = fail, for example). Until you know precisely what is causing the failure, you are not going to get past it.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************

"Mathias Erlandsson" wrote:

Thanks for the reply.

I get the following 3 events when I audit the computer I can't access.

EventID: 576
  User: the calling computer account
  Category: Privilege Use
  Privileges: SeChangeNotifyPrivilege

EventID: 540
  User: the calling computer account
  Category: Logon/Logoff
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos

EventID: 540
  User: NT AUTHORITY\ANONYMOUS LOGON
  Category: Logon/Logoff
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM

But if I add a trusted delegation to service cifs on a computer in the same domain I get the impersonation to work. The following 2 events are written.

EventID: 540
  User: the calling computer account
  Category: Logon/Logoff
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos

EventID: 540
  User: the username of the impersonated user
  Category: Logon/Logoff
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos

To get these results I use the WindowsIdentity(UPN) impersonation in the code.

When I use ADFS for authentication the directory security on the IIS server has to be anonymous. That would explain why I get anonymous logon on my computer in the other domain. But how do I get the user to be impersonated across domains?

/Mathias
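The WindowsIdentity(UPN) impersonation that Mathias describes, written out as an added example; this is not code from the thread or from either poster. It builds the identity by protocol transition (S4U2Self, which is what the UPN constructor does: no password, no cached credentials from the ADFS logon) and then checks the token's ImpersonationLevel before touching the share. That check is the one a practitioner wants here: an Identification-level token is enough for local access checks but cannot authenticate to another machine, so the SMB client falls back to a NULL session and the file server records exactly the NT AUTHORITY\ANONYMOUS LOGON / NtLmSsp event 540 shown above. An Impersonation-level token is only issued when the web application's service account is marked in AD as trusted for delegation to specified services using any authentication protocol (the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl) and the target cifs/<fileserver> SPN is on its msDS-AllowedToDelegateTo list; the second method reads those two attributes so the failure can be diagnosed before a request runs. The service account name, the UPN and the UNC path are placeholders, and the code assumes the Windows Server 2003 forest described in the thread, where, as Mathias notes, constrained delegation only reaches services in the web server's own domain.

```csharp
using System;
using System.DirectoryServices;   // System.DirectoryServices.dll
using System.IO;
using System.Security.Principal;
using System.Text;

// Added example, not code from the thread. Names, UPN and UNC path are placeholders.
public static class ShareAccess
{
    // Lists `uncPath` as the ADFS-authenticated user `upn`, or throws with a
    // diagnostic that says why the network hop cannot carry the user's identity.
    public static string[] ListAsUser(string upn, string uncPath)
    {
        // S4U2Self: the KDC hands back a service ticket for `upn` to ourselves.
        // The resulting token is Identification-level unless our service account
        // has TRUSTED_TO_AUTH_FOR_DELEGATION set; only then can S4U2Proxy turn it
        // into a cifs ticket for the file server.
        WindowsIdentity identity = new WindowsIdentity(upn);

        if (identity.ImpersonationLevel != TokenImpersonationLevel.Impersonation &&
            identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            // Fail closed rather than let the SMB client send a NULL session,
            // which the file server audits as NT AUTHORITY\ANONYMOUS LOGON via NTLM.
            throw new UnauthorizedAccessException(
                "Token for " + upn + " is " + identity.ImpersonationLevel +
                "-level; protocol transition to cifs is not permitted for this " +
                "service account. Check its delegation settings for the target SPN.");
        }

        // `using` calls Undo() on the impersonation context when the block exits,
        // including on exceptions, so the worker thread never keeps the user's token.
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            return Directory.GetFiles(uncPath);
        }
    }

    // Reads the two AD attributes that constrained delegation with protocol
    // transition depends on. `samAccountName` is the web application's service
    // (application pool) account and comes from configuration, not from user
    // input, so it is not escaped for the LDAP filter here. Searches the domain
    // the web server is joined to (the DirectorySearcher default root).
    public static string DescribeDelegation(string samAccountName)
    {
        const int TrustedToAuthForDelegation = 0x1000000; // userAccountControl bit

        using (DirectorySearcher searcher = new DirectorySearcher(
            "(sAMAccountName=" + samAccountName + ")",
            new string[] { "userAccountControl", "msDS-AllowedToDelegateTo" }))
        {
            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                return "account " + samAccountName + " not found";
            }

            int uac = (int)result.Properties["userAccountControl"][0];
            bool protocolTransition = (uac & TrustedToAuthForDelegation) != 0;

            StringBuilder report = new StringBuilder();
            report.Append(samAccountName).Append(": ");
            report.Append(protocolTransition
                ? "any authentication protocol (S4U2Self yields an Impersonation token)"
                : "Kerberos only (S4U2Self yields an Identification token)");

            // On Windows Server 2003 every SPN listed here must belong to a service
            // in the web server's own domain; a cifs SPN in another domain will not
            // be honoured even if it is present.
            foreach (object spn in result.Properties["msDS-AllowedToDelegateTo"])
            {
                report.Append("\n  may delegate to ").Append(spn);
            }
            return report.ToString();
        }
    }
}

// Example usage from an ASP.NET page, with placeholder values:
//   string upn = "user@child.example.local";           // from the ADFS claims
//   string[] files = ShareAccess.ListAsUser(upn, @"\\fs01.child.example.local\docs");
//   string diag = ShareAccess.DescribeDelegation("svc-filemanager");
```

Run DescribeDelegation once on the web server under the application pool identity and compare its output with the security log on the file server: an Identification-level token or a missing cifs SPN for the target server corresponds to the ANONYMOUS LOGON / NtLmSsp event, while an Impersonation-level token plus the right SPN in the same domain corresponds to the second pair of Kerberos events in Mathias's post.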