Access network shares from asp .net 2.0

[Guest]

Hi!

I'm developing a web based filemanager and it should of course be able to
read network shares inside our company.

Everything works fine when I use basic authentication. But because we are
planning to implement ADFS, we will only get to use Windows authentication
(as far as I can understand).

I have started to test Kerberos delegation and it works fine as long as the
network resource is in the same domain as the application. But since we have
multiple domains and fileservers spread accross them, we runt into problems.

With constrained delegation we can only delegate access throug one domain.
How do I access the network resources outside the domain the application
resides in?

We are using a Windows 2003 Forest and Windows 2003 R2 servers.

/Mathias

 

[Guest]

Not sure how to solve this, but I would audit the remote share and see what
account is attempting to access the files. You may find that the account
attempting access is not what you think it should be.

If it is the account, use a runas on that account and attempt a straight
pull from the share. If this does not work, correct and then retest your app.
If it does not work, you have a couple of options:

NTFS issue
Active Directory issue
Kerberos issue

You need to heavily scan the machine with the share through both a success
and a failure. Figure out what is being used in each case (domain
authentication = works; Kerberos = fail, for example). Until you know
precisely what is causing the failure, you are not going to get past it.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************

 

[Guest]

Thanks for the reply.

I get the following 3 events when I audit the computer I can't access.
EventID: 576
User: The calling computer account
Category: Privilege Use
Privileges: SeChangeNotifyPrivilege

EventID: 540
User: The calling computer account
Category: Logon/Logoff
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

EventID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Category: Logon/Logoff
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM

But if I add a trusted delegation to service cifs on a computer in the same
domain I get the impersonation to work. The following 2 events are written.

EventID: 540
User: The calling computer account
Category: Logon/Logoff
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

EventID: 540
User: The username of the impersonated user
Category: Logon/Logoff
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

To get theese result I use the WindowsIdentity(UPN) impersonate in the code.
When I use ADFS for authentication the directory security on the IIS-server
has to be anonymous. That would ecplain why I get anonymous login on my
computer in the other domian. But how do I get the user to be impersonated
across domains?

/Mathias

"Cowboy (Gregory A. Beamer) - MVP" skrev: