4

I'm having problems accessing a text file on a remote server with ASP.NET. The ASP.NET 1.1 application is running on Server 2003 using Impersonation with the requester's Windows Credentials. The client, webserver, and remote server are all on the same domain, and the user has permission to access the text file. The user can open the text file from their machine over a UNC share. When the user runs the site logged in directly on the server it works fine. However, when the user tries on their machine, it does not work. How should Impersonation be set up for this to work?

EDIT: Other features of the app work fine; it's just accessing the remote file that doesn't work.

Lance Fisher

3 Answers

4

It sounds like you're running into the multi-hop problem. When you use integrated authentication, you can authenticate from your browser to IIS. But, you can't authenticate to any other machines on the domain. The reason is that with standard credentials, they can't verify who you are.


There are 2 primary workarounds that I'm familiar with:
  1. Implement Kerberos; these certificates allow you to do a more advanced authentication, and allow for multiple-network hops.
  2. Re-impersonate your user using the LogonUser Win32 API (requires a password).
Jay Mooney
  • Yeah, default NTLM derived credentials are good for only one machine-to-machine hop. Basic auth could also be an option if prompts weren't an issue - you'd want to do it over SSL, and secure the log files. – stephbu Feb 05 '09 at 21:16
  • Thanks, I was suspecting something like this. – Lance Fisher Feb 06 '09 at 23:03
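
The second workaround in the answer above (re-impersonating with `LogonUser`), as an added example that is not part of the original answers. The class and method names are hypothetical, and the code assumes the caller already holds the user's password (for instance collected over SSL); the `LOGON32_LOGON_NETWORK_CLEARTEXT` logon type is used because it keeps the credentials in the logon session, which lets the impersonated thread authenticate to a second server.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: hypothetical helper, not code from the question or its answers.
public class RemoteFileReader
{
    // Logon type that retains the password so the token can make the second hop.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // All four arguments come from the caller (assumption); the password is
    // neither stored nor logged here.
    public static string ReadAs(string uncPath, string user, string domain, string password)
    {
        IntPtr token = IntPtr.Zero;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 error (bad password, logon type not granted, ...).
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        WindowsImpersonationContext ctx = null;
        try
        {
            // Only the file read runs under the supplied account.
            ctx = WindowsIdentity.Impersonate(token);
            using (StreamReader reader = new StreamReader(uncPath))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            if (ctx != null) ctx.Undo();  // revert the thread to its previous identity
            CloseHandle(token);           // release the logon token even on failure
        }
    }
}
```

Keeping the impersonated scope to the single file read, and reverting in `finally`, prevents the rest of the request from running under the substituted identity if the read throws.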
0

In IIS, Anonymous and Basic authentication both need to be unchecked at a minimum on the application folders. You might want to check the application folder itself instead of just the root folders. There may be other configuration options, but this is the "low hanging fruit" option.

hova
0

As a test, specify a username and password in the impersonation tag to force the application to always impersonate as a user you know has access to the file.

If the application can now access the text file, you will know it is the transfer of the user's credentials to the server.

If the application STILL can't access the text file, the credentials are not the problem and there's a server configuration issue.

Jay S