File copy via ASP.NET access errors?

[Stu]

Using IIs 6.0 on a Server 2003 box, and using ASP.NET I'm trying to do the
following code snippit...
Dim NewName As String = "\\network_share_path\edit_me.ppt"

Dim PubName As String = "\\network_share_path\show_me.ppt"

Dim PubFile As System.IO.File

If PubFile.Exists(PubName) Then

PubFile.Move(PubName, PubName + "BAK" + Format(Now, "hhmmss-MMddyyyy"))

End If

PubFile.Copy(NewName, PubName)



to replace one file that is displayed on a monitor with another that has
been edited. I get System.UnauthorizedAccessException errors. the
\\network_share_path\ is on a different server on the same domain.
Impsonate = true is set in the web.config file. I've also tried
\\IIsserver\shared_path\show_me.ppt , since I don't have admin on the
\\network_share_path\ machine but I do on the IIs server. I've tried using
absolute paths and relative paths on the server. I've checked the
permissons both on the share side and the file path side (on the IIS
machine) and even tried tossing the EVERYONE account with full control. I
tried adding the share as a virtual directory and assigning write
permissions to the ASP.NET page.

Got me stumped, about out of ideas of what else to try.

Thanks in Advance!

Stu

 

[Scott Allen]

Hi Stu:

Standard windows authentication doesn't make more than one hop across
the network - when you impersonate the user on the web server that
context won't flow to the machine with the network share unless you
enable delegation.

There are some more details here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod05.asp

Another option is to run your application under a domain account with
access to the network share.

HTH,

 

[Ken Schaefer]

Hi,

Where are the user credentials coming from? If you have hard coded them into
the <impersonate> web.config setting, then are you using a domain account?

On the other hand, if you are getting the user to supply the credentials,
then you will need to use Basic Authentication if you do not want to enable
Delegation. Basic Authentication means that IIS has the user's
username/password in clear text, and can directly impersonate the user to
get access to remote resources.

Any other auth type (Digest, Integrated etc) means that IIS merely has an
access token that doesn't have permissions (by default) to logon to remote
resources. If you ensure that the client is authenticating using Kerberos,
you can enable delegation, and thus allow IIS to get a service ticket on
behalf of the user to access the remote resource. If you want to go down
this path, please let us know, and I'll post some instructions.

Cheers
Ken