Developer Forum

Any ideas how to overcome this problem when accessing a network share within
an asp.net web app?

This runs internally on the network. The following is in my web.config:
<identity impersonate="true"/>
<authentication mode="Windows" />

I check WindowsIdentity.GetCurrent().Name before I attempt my directory
access. By default this has always been PC\ASPNET. Changing the
impersonate to true and turning off anonymous login and using integrated
windows login changes this to domain\user which works when I run it under
localhost. However, when I run it from another pc it fails even though the
user has the appropriate rights.

In testing IIS changes the only setting I found that gave me the desired
results was to force basic authentication in IIS. This gave the unwanted
popup login window when you launch the page, but did everything else
correctly. I was able to create directories assuming the user had the
appropriate rights.

Why would it work under basic and not windows integrated ... at least that
would prevent that extra popup? Under both setups the windowsIdentity Name
is the same.

Thanks,

Andrew

setting identity impersonate has the asp.net thread impersonate the identity
of the iis request thread. if you turn off anonymous, this will be the
actual user as you have found.

if iis is setup with windows authenication, then the users secuirty token is
a secondary token (passed from the client machine). the ntlm security (1 hop
rule) prevents the users creditials from being forwarded or used to access
any network resource.

if iis is setup with basic, the username and password is sent to iis, and
iis has a primary token (as it was created by iis itself). in this case the
token can be used to access any network resource with the users security
rights.

you have a third option, that is to enable kerberos security, and enable
creditals forwarding on the servers.

-- bruce (sqlwork.com)

Thanks very much for the explanation. Obviously there was a difference and
I didn't know what it was.

I am going to explore this third option as I would like this application to
be able to run outside of the company network using a more secure login (
similar to outlook web access ).

If you could point me in the right direction I would greatly appreciate it.

Thanks

AJ