I have an asp.net 4.0 web app running on our company intranet. It is using Windows authentication. It needs to do some file IO stuff with files on a network drive. I am getting permission errors, because the IIS App Pool account obviously does not have access to those files.

If I add <identity impersonate="true" /> to the web.config file, I get the same error.

If I add <identity impersonate="true" username="myname" password="..."> to the web.config file, then the app works for cases where I have access to the files in question - but I need other people to be able to use it to process files on their departments' network share.

There is no way the security guys will let me give blanket permission for the IIS default account or a new batch admin on this server to have permissions all over the network (and rightly so). Users should only be able to run this app on files they already have access to.

How do I get the app to run the file IO processes as the logged-in user?

Jay Irvine
  • I think I want delegation rather than just impersonation but I can't find anything about that more up to date than ASP.NET 2.0/IIS 5?? – Jay Irvine Jan 05 '18 at 20:30

2 Answers

What you need is called Impersonation, which is disabled by default. To enable Impersonation, put the configuration below in your web.config

<configuration>
  <system.web>
    <identity impersonate="true"/>
  </system.web>
</configuration>

To learn more about ASP.NET Impersonation, check here

Evan Huang
  • If I use identity impersonate to specifically use my account, it works. If I just use identity impersonate=true without specifying an account, I still get the error - so it's clearly not passing my credentials through. – Jay Irvine Jan 05 '18 at 19:55
  • According to that documentation: "That is, if you specify the user name and password for the impersonated user, you can connect to another computer on the network and request resources, such as files or access to SQL Server, using integrated security. If you enable impersonation and do not specify a domain account as the identity, you will not be able to connect to another computer on the network unless your IIS application is configured to use Basic authentication." Does that mean there's no way to do what I need? – Jay Irvine Jan 05 '18 at 19:59

So what I've done is create a login page, have the user re-enter their credentials, and then create the Windows identity token and impersonate it in code-behind, following the instructions here: Impersonate user in codebehind

I don't know if there's a better solution, but it works.

Jay Irvine
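The approach the accepted answer describes (re-entered credentials turned into a Windows token and impersonated around the file IO), as an added example that is not code from the original post or the linked article. It assumes a .NET 4.0 code-behind, a hypothetical domain "CORP", and a constructed UNC path; the Win32 declarations are the standard advapi32/kernel32 signatures.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: run file IO under the credentials the user typed on the login page,
// so access is decided by that user's own ACLs, not the app pool account's.
public static class ImpersonatedFileAccess
{
    // Logon type 8 keeps the credentials available for connecting to remote shares;
    // type 3 (LOGON32_LOGON_NETWORK) would produce a token that cannot reach the network.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Runs fileAction as the given domain account. Fails closed: bad credentials throw
    // before any file is touched, and the impersonation is always reverted afterwards.
    public static void RunAs(string domain, string userName, string password, Action fileAction)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new UnauthorizedAccessException(
                "LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
        }
        try
        {
            using (var identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                fileAction(); // every open/copy/write here is checked against the user's ACLs
            } // Dispose() undoes the impersonation even if fileAction throws
        }
        finally
        {
            CloseHandle(token); // the token handle is not owned by WindowsIdentity
        }
    }
}

// Usage from the login page's code-behind (hypothetical controls and share path):
// ImpersonatedFileAccess.RunAs("CORP", txtUser.Text, txtPassword.Text,
//     () => File.Copy(@"\\fileserver\dept\in.csv", @"\\fileserver\dept\out.csv"));
```

The password only exists for the duration of the request, so the login page must be served over HTTPS; the delegation the question's comment asks about (Kerberos constrained delegation from the web server to the file server) would remove the re-entry step entirely, but requires the domain admins to configure it.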