
Environment: IIS 7.5, Windows 7 Pro, Visual Studio 2012, Webapp uses Framework 4.0

I tried to get a directory listing from a file server using a path like \\server\share\directory from a web service (asmx).

I use the following configuration in web.config:

<identity impersonate="true" />
<authentication mode="Windows" />

I check User.Identity.Name and Threading.Thread.CurrentPrincipal.Identity.Name and get the Domain\Username used for login. A "System.UnauthorizedAccessException" is thrown if I try to get a directory listing of "\\server\share\directory".

I tried many things, even using Local System, Local Service or the domain administrator as the identity for the application pool.

When I change the configuration system.webServer/serverRuntime authenticatedUserOverride from UseAuthenticatedUser to UseWorkerProcessUser, I can reach the network share, but under the identity of the application-pool user and not of the user that uses the web service. In this configuration I cannot get information about the login that was used; instead, the identity I get is always the application-pool user.

Is it possible to get the Windows login user without impersonation? Or what has to be done to get successful access to the network file system?

I think UAC is disabled on my machine.

  • Is \server\share\directory a typo in your question or do you use single backslash at the beginning in your code? Two backslashes are expected \\server\share\directory. Are you sure you have access rights of both - the directory itself and the sharing security as well? Checking CurrentPrincipal should ensure that your impersonating works as expected. – PavlinII Jun 06 '18 at 21:26
  • Sorry! The double backslash is shown as a single backslash. I edited the post. – user9904434 Jun 07 '18 at 11:29
  • The net shares are normally mapped as network drives (for example K:\, I:\) for the "impersonated" user when he is logged on at his workstation. So I think the access rights should be OK. – user9904434 Jun 07 '18 at 11:36
  • Check the value of System.Security.Principal.WindowsIdentity.GetCurrent.Name, this is the method I was using before. There might be something wrong in ApplicationPool settings. Try to experiment with AdvancedSettings/ProcessModel/Identity and LoadUserProfile fields. – PavlinII Jun 07 '18 at 12:32

1 Answer


After trying a lot of things I found this solution (not perfect, but it works for me):

ADS/Domaincontroller:

  • Add a new user "IIS-User" to Active Directory
  • Add the group Domain Admins to "IIS-User"
  • Set Domain Admins as the primary group
  • Edit/add the attribute servicePrincipalName with the attribute editor: http/[computername of iis]
  • Save and close the user editor in the ADS Server Manager
  • Open the user editor -> new tab "Delegation" -> allow user "IIS-User" the delegation of services

PC/Server with IIS:

  • Open IIS Manager
  • Edit the application pool: set the identity to the new user for the application pool that is used for the web service/ASP app
  • Edit the configuration with the Configuration Editor of IIS Manager:
  • system.web/authentication mode=Windows
  • system.web/identity impersonate=True
  • system.webServer/security/authentication/windowsAuthentication enabled=True, useAppPoolCredentials=True
  • system.webServer/serverRuntime authenticatedUserOverride=UseAuthenticatedUser
  • system.webServer/validation validateIntegratedModeConfiguration=false

Now the web service can access the net share with the rights of the new user ("IIS-User"), but the property User.Identity.Name returns the name of the login user. So now I can check whether the login user has access to files/directories and show only the files/directories accessible to that user.

Maybe some of the configuration settings are unnecessary, but after searching many hours for a solution I'm glad to have found a working one.

' Imports needed by the helpers below (the snippet as posted omitted them)
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Private Shared Function getSecId4User(user As IPrincipal) As SecurityIdentifier
    Return getSecId4Username(user.Identity.Name)
End Function

Private Shared Function getSecId4Username(username As String) As SecurityIdentifier
    ' Resolve "DOMAIN\user" to its SID so it can be compared against the ACL entries
    Dim account As New NTAccount(username)
    Return CType(account.Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
End Function

Private Shared Function isVisible4User(di As DirectoryInfo, secId As SecurityIdentifier) As Boolean
    Return hasAllowRule(di.GetAccessControl(), secId)
End Function

Private Shared Function isVisible4User(fi As FileInfo, secId As SecurityIdentifier) As Boolean
    Return hasAllowRule(fi.GetAccessControl(), secId)
End Function

' True when an Allow entry naming exactly this SID grants any right.
' FileSystemRights is a flags enum, so the rights are tested bitwise; a Select Case
' over the single values would miss combined entries such as Modify Or Synchronize.
' Deny entries are skipped (they must not make an item visible), and rights the user
' holds only through group membership are not resolved here.
Private Shared Function hasAllowRule(sec As FileSystemSecurity, secId As SecurityIdentifier) As Boolean
    Dim authRules As AuthorizationRuleCollection = sec.GetAccessRules(True, True, GetType(SecurityIdentifier))
    For Each ar As FileSystemAccessRule In authRules
        If ar.AccessControlType = AccessControlType.Allow AndAlso secId.Equals(ar.IdentityReference) _
           AndAlso CInt(ar.FileSystemRights) <> 0 Then
            Return True
        End If
    Next
    Return False
End Function

Checking of accessibility
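An added example, not part of the answer above, of the same visibility check done against the caller's whole token instead of a single SID: it takes the group SIDs from the WindowsIdentity that Windows authentication places in User.Identity, honours Deny entries, and tests the rights bitwise rather than by exact match. The module name EffectiveAccess and the parameter names are my own; the path, identity and requested rights are supplied by the caller.

```vb
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Public Module EffectiveAccess
    ' Collect the caller's own SID plus every group SID in its token, because
    ' NTFS grants most rights through groups rather than to the user directly.
    Private Function TokenSids(identity As WindowsIdentity) As HashSet(Of SecurityIdentifier)
        Dim sids As New HashSet(Of SecurityIdentifier)
        If identity.User IsNot Nothing Then sids.Add(identity.User)
        If identity.Groups IsNot Nothing Then
            For Each g As IdentityReference In identity.Groups
                Dim sid As SecurityIdentifier = TryCast(g, SecurityIdentifier)
                If sid IsNot Nothing Then sids.Add(sid)
            Next
        End If
        Return sids
    End Function

    ' True when every bit of "wanted" is granted by an Allow entry for a token SID
    ' and no Deny entry for any token SID removes one of those bits. Treating every
    ' Deny as overriding Allow is slightly stricter than the Windows ACE order
    ' (an explicit Allow can beat an inherited Deny); conservative is fine for a
    ' listing. Only the NTFS DACL is read: the share permissions of \\server\share
    ' are a separate gate that this check cannot see.
    Public Function HasEffectiveRights(path As String, identity As WindowsIdentity,
                                       wanted As FileSystemRights) As Boolean
        Dim sec As FileSystemSecurity
        If Directory.Exists(path) Then
            sec = Directory.GetAccessControl(path)
        Else
            sec = File.GetAccessControl(path)
        End If
        Dim sids As HashSet(Of SecurityIdentifier) = TokenSids(identity)
        Dim allowed As Integer = 0, denied As Integer = 0
        For Each ar As FileSystemAccessRule In sec.GetAccessRules(True, True, GetType(SecurityIdentifier))
            Dim sid As SecurityIdentifier = TryCast(ar.IdentityReference, SecurityIdentifier)
            If sid Is Nothing OrElse Not sids.Contains(sid) Then Continue For
            If ar.AccessControlType = AccessControlType.Deny Then
                denied = denied Or CInt(ar.FileSystemRights)
            Else
                allowed = allowed Or CInt(ar.FileSystemRights)
            End If
        Next
        Dim want As Integer = CInt(wanted)
        Return (denied And want) = 0 AndAlso (allowed And want) = want
    End Function
End Module
```

To build the filtered listing, call HasEffectiveRights(entry, CType(User.Identity, WindowsIdentity), FileSystemRights.ReadData) for each result of Directory.EnumerateFileSystemEntries(folder) and keep the entries that return True (ReadData and ListDirectory share the same bit, so one call covers files and folders).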