
I have a website that is using Windows authentication that calls an API. The API has the Authorize attribute:

[Authorize(Roles = @"myrole.local\role")] 

The API then makes a call to a method in my business layer that does this:

string [] directories = Directory.GetDirectories("\\\\server\\folder\\folder2");

When running locally this works as intended. When my IT ops guy checks the audit logs, he sees that my login has accessed that folder.

Now when I deploy my website to our development environment, it no longer works (we get an "access denied" error for that folder). So we looked into it and found that the user trying to access the folder was our server (something like server$), which tried to access the folder and failed.

So my question is: how do I access the folder with the current user that is logged in? I have looked this up here on Stack Overflow and I see impersonation comes up a lot. I have tried this example with no luck:

using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Principal;

public static List<string> GetDirectories(IPrincipal user)
{
    string[] directories;
    // Impersonate the authenticated Windows user for the duration of the using block;
    // Dispose() at the end of the block reverts the thread to the process identity.
    using (WindowsImpersonationContext impersonationContext = ((WindowsIdentity)user.Identity).Impersonate())
    {
        // Insert your code that runs under the security context of the authenticating user here.
        directories = Directory.GetDirectories("\\\\server\\folder\\");
    }
    return directories.ToList();
}

I am still denied access.

I have the user that is logged in though, so I know I can 'see' them, but the folder I am trying to access says it's the server.

Does anyone know how to get around this? Am I missing something?

P.S. I have created the website with IIS and have set both the API and website to use Windows authentication (anon = false), but still it says the server is trying to access the folder.

P.P.S. In the web.config for the API, I have these tags as well:

<system.web>
  <!-- ... -->
  <authentication mode="Windows"/>
  <authorization>
    <allow roles="group.local\group" />
  </authorization>
</system.web>

Edit: So we were able to access the folder path with the logged-in user, but only when going to the website on the server.

If we go to the website off our dev server we will then get an access denied error. Also there is no audit line when this fails.

Hopefully this edit provides more insight.

jtslugmaster08
  • Have a look at this question see if it solves your problem: https://stackoverflow.com/questions/1405612/impersonation-in-asp-net-mvc – Mohammad Mar 12 '19 at 16:51
  • Does it have to be the user's principal that access the directory? Couldn't you just allow your application's credentials to have access to the directory? – alans Mar 12 '19 at 16:52
  • @alans yes it does have to be the user's principal for audit reasons. – jtslugmaster08 Mar 12 '19 at 16:55
  • This is because when you're running local, it is using your user account; when running on the server, it will use the application pool's account. You're going to have to allow impersonation if you want this to work without hacks... see @Neptune's comment – mxmissile Mar 12 '19 at 17:03
  • @Neptune unfortunately I made the changes to include delegation and still the audit says the server is trying to access the folder. Should I not use the using statement? – jtslugmaster08 Mar 13 '19 at 15:44
  • What happens when you allow impersonation? ` `. Don't think this will work with the delegation code. – mxmissile Mar 18 '19 at 21:26
  • @mxmissile It throws an error at runtime saying I can't have impersonate = true with an integrated pipeline. I believe I need an integrated pipeline with my current setup. The website is Angular. The RESTful API with POST, PUT and GET calls uses .NET 4.7.2 and I am trying to use Windows auth. I couldn't get the classic pipeline to work with CORS, unless you can point me in the right direction. I am all ears. – jtslugmaster08 Mar 19 '19 at 14:46
  • I've been in the same situation. I have used this in the past; it's kinda buggy and hacky and does not clean up well after itself, but... https://gist.github.com/mxmissile/8f2ef5ed3f5687e9053f – mxmissile Mar 19 '19 at 15:20
  • @mxmissile I will give that a try. Although you have user, password, domain as parameters, I don't know how to get the password from the IPrincipal or from the logged-on user. Do you know how? – jtslugmaster08 Mar 19 '19 at 15:33
  • No, you won't be able to do that; you're going to have to save the pw when they login or something. Like I said, extremely hackish, and not a valid answer (hence the comment). I never used it to impersonate the logged in user; I had to impersonate a specific account so the credentials could be hard coded. – mxmissile Mar 19 '19 at 15:43
  • @mxmissile so this did the trick. I guess it would be nice to have impersonate work with an IPrincipal object, but since it's not native to Microsoft your solution/hack works for me. I will have the ops guy create a user account exclusively for our website and I will have to manually log or audit who is using the website. – jtslugmaster08 Mar 19 '19 at 19:50
  • If you're going to create a user account just for this, why not just set the `ApplicationPool` to use said user account? No hacks with doing that. – mxmissile Mar 19 '19 at 19:56
