Access to a Sharepoint Remote Folder from C# - c#

I have developed an ASP.NET MVC 3 application which must access a SharePoint remote folder.
To do that, during development, before running the Visual Studio Development Server, I try to access the remote folder. Then I must enter the credentials of the user who has permission to see the remote resource. After this, using the following code:
string path = @"\\tests.sharepoint.es\folder1";
DirectoryInfo di = new DirectoryInfo(path);
DirectoryInfo[] dis = di.GetDirectories();
The access to the folder is successful. However, this fails when I execute my web application from IIS, with the following error:
Access to the path '\tests.sharepoint.es\folder1\' is denied.
Even if I set the Application Pool to use the same user that runs the Visual Studio Development Server, it continues to fail.
I have identified that the user who runs the World Wide Web Publish Service (W3SVC) is SYSTEM (an account which obviously doesn't have permission to access the folder), but I can't change this and I am not sure if this causes the problem.
Also, I have read some posts about using SPSecurity.RunWithElevatedPrivileges, but I can't use it because my IIS server doesn't have SharePoint installed (it is on another machine) and therefore I can't use Microsoft.Sharepoint.dll, as far as I know.
UPDATE: When I try to access the resource using Windows Explorer, I have read that the OS uses WebDAV instead of NetBIOS. Can IIS use this protocol to access the resource?

If you really need to access a remote resource with Windows permissions from a Windows web server (or any other server that impersonates a remote client), then you must run such code under an account directly signed in on the server box. This is caused by the "NTLM one hop" policy: a user's credentials can be used only on the machine the user is directly signed in to or the machine the user directly communicates with (and not on a third one that this second machine tries to connect to).
The safest approach is to run a process under an account that has access to the remote resource and run the code in that process. You can run the IIS process under such an account, but you may need to revert impersonation back to the process if running code during requests.
You can also directly impersonate a particular user, but you'll need to have plain text login information. This is most likely against security policy for most companies.
Note: you may very well end up building an anonymization proxy - be very careful to understand what it means to access a remote resource under an account different from the actual user's account.
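A diagnostic for the identity question raised above, as an added example that is not part of the original answers: it reports which Windows account the calling thread is using and whether the directory listing succeeds under it. The share path is the one from the question; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example: show the effective Windows identity before touching a UNC path.
public static class ShareAccessProbe
{
    public static string Describe(string uncPath)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // None     = the code runs on the process token (the app pool identity).
            // Other    = a caller is being impersonated on this thread, and the
            //            remote server sees whatever that token can present.
            TokenImpersonationLevel level = id.ImpersonationLevel;

            string outcome;
            try
            {
                int count = new DirectoryInfo(uncPath).GetDirectories().Length;
                outcome = "ok, " + count + " subdirectories";
            }
            catch (UnauthorizedAccessException ex) { outcome = "denied: " + ex.Message; }
            catch (IOException ex) { outcome = "I/O error: " + ex.Message; }

            return string.Format(
                "identity={0}; auth={1}; level={2}; system={3}; access={4}",
                id.Name, id.AuthenticationType, level, id.IsSystem, outcome);
        }
    }

    public static void Main()
    {
        // Share path taken from the question; replace with the path under test.
        Console.WriteLine(Describe(@"\\tests.sharepoint.es\folder1"));
    }
}
```

Call Describe from inside a request handler as well as at application start: with ASP.NET impersonation enabled the two can report different accounts.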

Fortunately, I have found how to resolve the access problem.
I have used the solution described in this post.
My code looks like this:
PinvokeWindowsNetworking.connectToRemote(@"\\tests.sharepoint.es\folder1", "domain\user", "password");
//manage files and folders of my remote resource
//...
PinvokeWindowsNetworking.disconnectRemote(@"\\tests.sharepoint.es\folder1");
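The same connect, use, disconnect pattern written directly against the Windows WNetAddConnection2 and WNetCancelConnection2 functions, with the credentials read at run time instead of written into the source and the disconnect guaranteed by a using block. This is an added example, not the PinvokeWindowsNetworking class from the linked post; ShareConnection, SHARE_USER and SHARE_PASSWORD are hypothetical names.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

// Added example: scoped connection to a share with explicit credentials.
public sealed class ShareConnection : IDisposable
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct NETRESOURCE
    {
        public int dwScope, dwType, dwDisplayType, dwUsage;
        public string lpLocalName, lpRemoteName, lpComment, lpProvider;
    }

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetAddConnection2(ref NETRESOURCE res, string password, string user, int flags);

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetCancelConnection2(string name, int flags, bool force);

    private const int RESOURCETYPE_DISK = 1;
    private readonly string _unc;

    public ShareConnection(string unc, string user, string password)
    {
        var res = new NETRESOURCE { dwType = RESOURCETYPE_DISK, lpRemoteName = unc };
        int rc = WNetAddConnection2(ref res, password, user, 0);
        // Surface the Win32 code, e.g. 5 (access denied) or 1219 (conflicting credentials).
        if (rc != 0) throw new Win32Exception(rc);
        _unc = unc;
    }

    // Drop the connection even if the file work inside the using block throws.
    public void Dispose() { WNetCancelConnection2(_unc, 0, true); }
}

public static class Program
{
    public static void Main()
    {
        string unc = @"\\tests.sharepoint.es\folder1"; // path from the question
        // Hypothetical variable names; any secret store the host provides works.
        string user = Environment.GetEnvironmentVariable("SHARE_USER");
        string pass = Environment.GetEnvironmentVariable("SHARE_PASSWORD");
        using (new ShareConnection(unc, user, pass))
            foreach (DirectoryInfo d in new DirectoryInfo(unc).GetDirectories())
                Console.WriteLine(d.Name);
    }
}
```

The connection belongs to the logon session of the worker process, so while it is open every request served by that process reaches the share as the supplied account, which is the proxy effect the earlier answer warns about.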

Related

C# Internal Server Error

I wrote a C# WCF server and I am trying to get it up in IIS, but every time I try to go to my endpoint I get this error:
I checked the Permissions on the site and I have Authenticated Users others:
so I am not sure what to do now...
I imagine that the root of the problem is that you are trying to create an application on the server that points to files on your own computer using a Remote Desktop Connection drive share. The \\?\UNC\tsclient\C\... path is a dead giveaway.
This is a definite no. You cannot run a web service this way. The tsclient path is specific to your individual connection and will not work from any other context. Any other user account - including the service account that the IIS instance is running from - will not be able to access those files.
To resolve this issue you need to copy the files from your machine to a location on the server and recreate the IIS application entry, referencing the location on the server. You might still need to monkey with the security on the server-local folder.

not able to open a file from share drive

I was trying to browse a file (S:\Scalable Development\DRD_ToolPointManagement.doc) from a shared location through a web browser using an application. When I run my application locally it works, whereas if I push the code to the dev and QA environments, I am not able to open the file.
There are two different problems, firstly using a mapped drive and secondly access rights to the folder. Both of these depend upon which account the application is running under. Have a look at http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis
You need the built in group IIS_WPG which covers the application pool to have access to the network drive. If the S: drive is not mapped on the web server, you will also need to use the UNC path. If you look in Windows Explorer, your S: drive will appear something like
myshare (\\myserver) (S:) which should be translated to \\myserver\myshare\Scalable Development\DRD_ToolPointManagement.doc
Your domain administrator may need to allow access to the network share, and you may need to consider impersonation
When using the Web browser control, you're using the Internet Explorer. Thus, security settings may apply.
You need to change these in the Control Panel's internet settings of every machine you want to deploy to.
For example you may have to add the location to the trusted zone. Also, the target IE may not be configured to open Office documents in-place.

Cannot programmatically access network path through VPN

I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.
Everything works fine from my office where the network path is in the same LAN of my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with "Access to path is denied" error.
The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.
I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.
Can you help me please?
Thank you very much
EDIT:
When I try to execute a statement like
Directory.CreateDirectory(@"\\my\network\path");
from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.
The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)
I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.
runas /netonly /user:domain\username "C:\ProgramFiles\Path\to\your\visualstudio"
I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and Sql Server Management Studio, and it works like a charm.
If I've misunderstood the issue, sorry for the noise.
Sounds like when you are running locally, your local domain account is the context under which everything is being run. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the networkservice account has some pretty low privileges.
Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can be "wrapped" in a context with the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:
How do you do Impersonation in .NET?
See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:
https://www.nuget.org/packages/SimpleImpersonation

Windows service install doesn't have correct privileges

I have a service that I have created for Windows. The service works fine. The problem I am having is a permission issue. My service accesses a .mdf SQL Server database file that is created when the service is installed (using Installshield VS 2012).
The service itself is running as user. When I install I input my credentials and I can successfully start the service. The service starts fine. However, when I get to the part in my code where I have to open the .mdf I get an error because the database log file does not exist and the service does not have permissions to create it.
The only way I can fix it is by adding my username or authenticated users for example to the security section of my program files folder. This allows the SQL Server .log file to be created and my service continues running.
What is the best solution to getting around this? Basically I want to be able to run the service and local system and it have the privileges to install and create the .mdf.
Thank you for the help.
You should create the database log file during the installation. You can run custom code during the installation to do that (the code may be similar to what triggers creation of the log file in your regular code). That will use the user with elevated permissions so it will work well and is correct from the security point of view (all administrative tasks should be done during the installation in this case).
It's better not to add permissions for a normal user to SQL Server data folder as that will lower security.

Reading Files On Network From IIS7.5

I have a WCF Service running on Windows Server 2008 R2 Enterprise. The IIS Version is 7.5. One of the methods in the service reads from a file on the network. It's failing when it tries to do this, but I can't log a proper error to find out why. My guess is that this is a permissions issue, but not being savvy with IIS, I don't know where to start.
The site running my service is using an App Pool with NetworkService as the Identity. I have tried other built-in accounts, but I get the same problem. When looking at the running processes in Task Manager, I see w3wp.exe is running under the NetworkService account - which is how the App Pool is configured.
I'm trying to reach a share such as: \\Machine1\SharedFiles\MyFile.txt. I can access this same share easily from file explorer so I know it's valid. Every other part of the service runs as expected, which leads me to believe my IIS configuration is fine - other than possibly a permission setting that allows reading of files on other machines.
Anyone have any idea what I am doing wrong?
Thanks,
Start here:
http://learn.iis.net/page.aspx/624/application-pool-identities/
It is a permission issue. The share, and the files within it, need to grant access to the IIS server's machine account.
