Accessing network path with windows authentication

Question

User-252223581 posted

Hello

I am trying to create a web api service which acesses different network share locations based on the user authenticating, via windows authentication IIS authentication 

the network shares have different permissions based on the accessing user due to security reasons.

When i try to read the files i get access denied althogh the i do get the currect "user.identity"

Am i missing somthing here?

Answer 1

User475983607 posted

If this is a ASP.NET IIS hosted application, the application identity is the application pool identity not the user's.  

Answer 2

User61956409 posted

Hi Liran.Dobrish,

Please check which account is used by IIS to access the network share locations, then give that account permissions on the share.

And to access network resources like file shares, using the Network Service account has a great benefit in a domain environment. For more information about application pool identities, please check this document.

https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

With Regards,

Fei Han

Answer 3

User-252223581 posted

Hi 

the service is hosted on the IIS.

i cannot use the application pool identity for accessing the network shares, due to security reasons.

i also tried aspnet  impersonation but it did not help.

Answer 4

User61956409 posted

Hi Liran.Dobrish,

For IIS hosting and configuration questions, you can also post on IIS forums.

https://forums.iis.net/

With Regards,

Fei Han

Answer 5

User-474980206 posted

if you want webapi (mvc classic) service to access a network share with the users permissions you need to do the following

1) switch to Kerberos authentication

   https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

2) enable delegation from the web server to network shares

    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation

3) set web.config to impersonate user

4) if using asp.net core, you will need to use windows identity. you will then need to convert the user token to a primary token and run the network request on its own thread where the thread impersonates the token. as asp.net core is async and multiple requests use the same request thread, you can not impersonate on the main thread, you must create a new thread.