4

I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.

Everything works fine from my office, where the network path is on the same LAN as my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with an "Access to path is denied" error.

The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.

I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.

Can you help me please?

Thank you very much

EDIT:

When I try to execute a statement like

Directory.CreateDirectory(@"\\my\network\path");

from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.

The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)

Cristiano Ghersi

2 Answers

1

I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.

runas /netonly /user:domain\username "C:\ProgramFiles\Path\to\your\visualstudio"

I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and SQL Server Management Studio, and it works like a charm.

If I've misunderstood the issue, sorry for the noise.

wicker95
  • Sounds like the most likely explanation for the problem. Windows security can be pretty clumsy in some situations :-( – chris Aug 14 '14 at 16:47
  • It's a pain to set up initially, but it allowed me to bring my own gear to a contract, and saved me from using crappy in-house hardware, more than once. – wicker95 Aug 14 '14 at 16:51
  • Thank you @wicker95 for your solution, unfortunately this doesn't solve my issue. See my edit. Is there a way to try your solution with /netonly but applying this approach to the App Pool User of my local IIS? – Cristiano Ghersi Aug 14 '14 at 20:56
1

Sounds like when you are running locally, your local domain account is the context under which everything is being run. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the NetworkService account has some pretty low privileges.

Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can be "wrapped" in a context with the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:

How do you do Impersonation in .NET?

See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:

https://www.nuget.org/packages/SimpleImpersonation

Bill Sambrone
  • Hi Bill, thank you for the answer, but still not working :( same problem... Moreover, I cannot change the code to use the NuGet package – Cristiano Ghersi Aug 15 '14 at 02:01
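The two answers above describe the same idea from different ends: `runas /netonly` for a whole process, and advapi32 impersonation inside the code. The following is an added example (not code from either answer or from the SimpleImpersonation package) of the in-process form, using `LogonUser` with `LOGON32_LOGON_NEW_CREDENTIALS` so that only outbound network access uses the alternate credentials while the app pool identity stays unchanged locally. The `NetOnlyImpersonation` class, the `SHARE_*` environment variable names and the `newdir` folder are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class NetOnlyImpersonation   // hypothetical helper name
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // same semantics as runas /netonly
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider required for logon type 9

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' with the given credentials applied to network access only.
    public static void Run(string domain, string user, string password, Action work)
    {
        IntPtr token;
        // Type 9 does not validate the password here; a wrong password
        // surfaces later as "access denied" on the share itself.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Keep the impersonated scope as small as the network call itself.
            using (WindowsIdentity.Impersonate(token)) { work(); }
        }
        finally { CloseHandle(token); }  // always release the logon token
    }
}

static class Program
{
    static void Main()
    {
        // Assumption: credentials come from the environment, not source code.
        string domain = Environment.GetEnvironmentVariable("SHARE_DOMAIN");
        string user = Environment.GetEnvironmentVariable("SHARE_USER");
        string password = Environment.GetEnvironmentVariable("SHARE_PASSWORD");

        NetOnlyImpersonation.Run(domain, user, password,
            () => Directory.CreateDirectory(@"\\my\network\path\newdir"));
    }
}
```

Grant the account used here rights on the share only, so the web service holds no more privilege than the file operations need.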