debuggerAu
1 Post
How to implement impersonation delegation with ASP.NET on an IIS7 Server to gain access to an...
May 02, 2012 06:56 AM
Background:
I've inherited a working site that walks the file server for directory listings and presents the findings on a webpage; all is good. However, with the DR migration and subsequent virtualization, they are moving the IIS server away from a single AD/IIS6/file server to separate machines, and it has broken the logic.
The old server is 2k3 and the new PDC, webserver and fileserver are all 2k8r2. I am testing with a windows 7 pro client.
Observations:
From the Event Viewer -> Security, on the old working system I can see a single validated client authenticating, albeit on the same server as the filesystem (using impersonation). (Win2K3)
However, on the new system I can see that the process that is connecting to the file server is SYSTEM. If I hard-wire another account in the identity impersonate area of web.config, I can see that user authenticate to IIS as it should, but on the file server it somehow manages to change to SYSTEM.
I have attempted every authentication combination on the IIS7 server to get it to pass the credentials through, but to no avail. (Win2K8R2)
I then read about delegation and I thought it would be my saviour, but alas, no joy as yet.
I have followed 'How to configure an ASP.NET application for a delegation scenario' but still can't make sense of it.
http://support.microsoft.com/kb/810572
http://msdn.microsoft.com/en-us/library/ff647404.aspx
The website is utilizing system calls such as System.IO.Directory.Exists, which does not appear to have any authentication options, so I expected that it would use the impersonated user. However, it appears to only work when I hard-wire an impersonated user in the web.config, although that kills the personalisation of the site.
I currently have ASP.NET impersonation enabled along with Windows Authentication and tried all providers in various orders. I got excited when it suggested I use Kernel-mode authentication, but it did not help, it gave me a 401:
401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the
credentials that you supplied.
I've been iisreset-ing all day; any help would be appreciated.
Here is some of the config:
applicationHost.config
<location path="Intranet">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" useKernelMode="true">
          <providers>
            <clear />
            <add value="NTLM" />
          </providers>
          <extendedProtection tokenChecking="Allow" />
        </windowsAuthentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
web.config
<authentication mode="Windows" />
<identity impersonate="true" />
(I had an explicitly defined user specified, which works, but without personalisation)
Today, I tried to configure a domain user SPN from this article.
http://www.phishthis.com/2009/10/24/how-to-configure-ad-sql-and-iis-for-two-hop-kerberos-authentication-2/
setspn -a http/webdevsvr domain\IntranetUser
setspn -a http/webdevsvr.domain.com domain\IntranetUser
I was then able to set that user for unconstrained delegation.
I also set this user as the Process Model Identity for the Application Pool within IIS.
The end game with this setup is that it does not work. Event Viewer states it is connecting with the local system account and therefore the IO calls fail.
If there is anything else that would help, please ask...
Thanks
--------------------------------------------------------------------------------
Greg
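The steps in the post above (SPNs on the service account, delegation, the app pool identity, and the Windows authentication providers) as one PowerShell script. This is an added example and not code from the thread. It assumes names that the thread does not give: a site and application pool both called "Intranet", a web server webdevsvr in DNS domain domain.com, a file server filesvr, and the service account DOMAIN\IntranetUser. It uses constrained delegation to the file server's CIFS service rather than the unconstrained delegation the post mentions, and it adds two settings the posted config lacks: Negotiate as the first provider (NTLM alone cannot forward a ticket to the second hop) and useAppPoolCredentials, which kernel-mode authentication needs when the SPN sits on a domain user account rather than the machine account.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the web server as a domain admin. Needs the WebAdministration module (IIS 7.x)
# and the ActiveDirectory RSAT module. All names below are assumptions.
Import-Module WebAdministration
Import-Module ActiveDirectory

$svcAccount = 'IntranetUser'                    # assumed service account
$svcPass    = Read-Host 'Service account password'
$webHost    = 'webdevsvr'                       # assumed web server
$fileServer = 'filesvr'                         # assumed file server
$dnsDomain  = 'domain.com'                      # assumed DNS domain
$site       = 'Intranet'                        # assumed site name (location path)
$pool       = 'Intranet'                        # assumed application pool
$appHost    = 'MACHINE/WEBROOT/APPHOST'
$winAuth    = 'system.webServer/security/authentication/windowsAuthentication'

# 1. HTTP SPNs go on the account the app pool runs as. setspn -S (unlike -a)
#    refuses to create a duplicate SPN; a duplicate breaks Kerberos silently.
setspn -S "HTTP/$webHost"            "$env:USERDOMAIN\$svcAccount"
setspn -S "HTTP/$webHost.$dnsDomain" "$env:USERDOMAIN\$svcAccount"
setspn -X   # forest-wide duplicate check; expect 0 groups of duplicate SPNs

# 2. Constrained delegation: the service account may present the browsing
#    user's credentials only to the file server's CIFS service. Unconstrained
#    delegation would let it impersonate users to any service in the forest.
Set-ADUser -Identity $svcAccount -Add @{
    'msDS-AllowedToDelegateTo' = @("cifs/$fileServer", "cifs/$fileServer.$dnsDomain")
}
Get-ADUser $svcAccount -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo

# 3. Run the application pool as the service account (Process Model Identity).
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = "$env:USERDOMAIN\$svcAccount"
    password     = $svcPass
}

# 4. Providers: Negotiate first, NTLM as fallback. The posted config cleared
#    the list and left only NTLM; an NTLM logon yields no forwardable ticket,
#    so the second hop to the file server is never made as the user.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name enabled -Value $true
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$winAuth/providers" `
        -Name '.' -AtElement @{value = $p} -ErrorAction SilentlyContinue
}
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$winAuth/providers" -Name '.' -Value @{value = 'Negotiate'}
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$winAuth/providers" -Name '.' -Value @{value = 'NTLM'}

# 5. Kernel-mode auth decrypts the service ticket with the machine account by
#    default. The SPN is on the user account, so decryption fails and IIS
#    returns 401 unless it is told to use the pool's credentials instead.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

Restart-WebAppPool $pool

# 6. Check from the Windows 7 client after loading a page: a Kerberos ticket
#    for the web server should now be cached. NTLM-only sites leave no ticket.
#    klist | findstr /i "HTTP/webdevsvr"
```

The browsing user's own account must not be marked "Account is sensitive and cannot be delegated", and the web.config keeps `<authentication mode="Windows" />` with `<identity impersonate="true" />` so that Directory.Exists runs under the impersonated token; with a forwardable Kerberos ticket that token can reach the share as the user.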
Mamba Dai - ...
651 Posts
Microsoft
Re: How to implement impersonation delegation with ASP.NET on an IIS7 Server to gain access t...
May 07, 2012 11:28 AM
Hi,
You provided enough information for your problem. As I understand it, in a nutshell, you have a permission problem when accessing the directory, if I don't misunderstand your issue. I suggest you check this article about Secure Content in IIS Through File System ACLs (while it elaborates how to secure content, I think it may help you figure out your issue as well):
http://learn.iis.net/page.aspx/583/secure-content-in-iis-through-file-system-acls/
This is a great article about Application Pool Identity:
http://learn.iis.net/page.aspx/624/application-pool-identities/
Hope these are useful to you!
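The reply above points at file system ACLs and the application pool identity. The script below, an added example and not part of the reply, does the two checks a practitioner would run on the file server: grant and list the NTFS ACL on the content folder, and read the file server's own Security log to see which account actually arrives from the web server. The names are assumptions (content folder D:\Shares\Intranet, service account DOMAIN\IntranetUser, AD group DOMAIN\Intranet-Readers for browsing users, web server WEBDEVSVR); none of them appear in the thread. It is written for PowerShell 2.0 as shipped with 2008 R2.

```powershell
# Added example, not from the reply. Run in an elevated PowerShell on the
# file server. Folder, account, group and server names are assumptions.
$path    = 'D:\Shares\Intranet'
$readers = 'DOMAIN\IntranetUser', 'DOMAIN\Intranet-Readers'

# 1. Read+execute on the folder and everything below it; (OI)(CI) inherit to
#    files and subfolders. When delegation works, the identity reaching the
#    share is the browsing user, so the readers group is what matters; the
#    service account entry only covers the case where no delegation happens.
#    Share-level permissions apply as well ("net share Intranet" lists them).
foreach ($id in $readers) {
    icacls $path /grant "${id}:(OI)(CI)RX"
}

# 2. Show the resulting ACL; explicit entries have IsInherited = False.
function Get-FolderAcl {
    param([string]$Folder)
    (Get-Acl $Folder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}
Get-FolderAcl $path | Format-Table -AutoSize

# 3. Which account is the web server presenting? Parse logon events (4624)
#    whose Workstation Name is the web server. Delegation works when the
#    browsing user shows up with Authentication Package = Kerberos; the
#    machine account (WEBDEVSVR$), the pool's service account, or
#    ANONYMOUS LOGON means the second hop was not made as the user.
function Get-WebServerLogons {
    param([string]$WebServer = 'WEBDEVSVR', [int]$Max = 2000)
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents $Max |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType                 # 3 = network (SMB)
                Package   = $d.AuthenticationPackageName # Kerberos or NTLM
                From      = $d.WorkstationName
            }
        } |
        Where-Object { $_.From -eq $WebServer } |
        Select-Object Time, User, LogonType, Package, From
}
Get-WebServerLogons | Format-Table -AutoSize
```

Run the page from the client, then run the script: the most recent rows should show the client user, Logon Type 3 and Kerberos. An NTLM row for the service account tells you the web server fell back to NTLM (provider order or a missing SPN); no row at all from WEBDEVSVR while the page still fails points at the web server never reaching the share under any identity.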