通过IIS 7上的.NET Web App访问网络文件

Question

I have been trying to use Windows Authentication to impersonate the current authenticated user who is accessing the web site hosted on IIS 7, but when I try to access a file on a separate server the log in requests are still appearing in the event log of the server with the file I am trying to access as ANONYMOUS LOGON:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
    Logon ID:       0x1e47ea9
...

If I run the WebApp from either the dev enviorment or on local host on the IIS server directly it uses the correct user credentials and works just fine.

my Web.config has

<authentication mode="Windows" />
    <identity impersonate="true" />

In IIS Authentication I have Anonymous authentication disabled, Asp .NET impersonation enabled, and windows authentication enabled.

In the code I have tried (c# with .NET framework 4)

string path = @"\\server1\project\test.csv";
            ((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();
            StreamWriter sw = File.AppendText(path);

also

using (HostingEnvironment.Impersonate(WindowsIdentity.GetCurrent().Token))
{
//code
}



using (HostingEnvironment.Impersonate())
{
//code
}

and a couple other various suggestions I've found posted.

If I check System.Security.Principal.WindowsIdentity.GetCurrent().Name without any direct impersonation lines in the code it shows up with the correct domain/user credentials that I want to be impersonating, who has the rights to the file I am trying to reach.

When I access the web app via a browser not on the IIS server, it asks for windows credentials and then when I hit a button to run the above code the log in box pops up, asks for windows information, and keeps popping up no matter what I pass it. Each attempt creates a new event on server1 with the ANONYMOUS LOGON connecting.

From what I read it might be a double hop issue authentication issue, though mostly those posts are regarding SQL servers rather than a simple file share.

The error is:

Access to the path '\\server\project\test.csv' is denied.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.UnauthorizedAccessException: Access to the path '\\server1\project\test.csv' is denied. 

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user. 

To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

Any guidance would be appreciated!

Answer 1

The exception tells you that you do not have the right to access the resource. You have a user which runs your project. Give the necessary privileges to the given resource to the user which runs the project. If you do not trust that user of the OS, run your project with a trusted user.