Accessing network path with windows authentication

Question
User-252223581 posted
Hello,
I am trying to create a Web API service which accesses different network share locations based on the user authenticating, via Windows authentication (IIS authentication).
The network shares have different permissions based on the accessing user due to security reasons.
When I try to read the files I get access denied, although I do get the correct "user.identity".
Am I missing something here?
Sunday, November 3, 2019 7:13 PM
All replies
User475983607 posted
If this is an ASP.NET IIS-hosted application, the application identity is the application pool identity, not the user's.
Sunday, November 3, 2019 10:07 PM

User61956409 posted
Hi Liran.Dobrish,
Please check which account is used by IIS to access the network share locations, then give that account permissions on the share.
And to access network resources like file shares, using the Network Service account has a great benefit in a domain environment. For more information about application pool identities, please check this document.
https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
With Regards,
Fei Han
Monday, November 4, 2019 2:22 AM

User-252223581 posted
Hi,
The service is hosted on IIS.
I cannot use the application pool identity for accessing the network shares, due to security reasons.
I also tried ASP.NET impersonation but it did not help.
Monday, November 4, 2019 4:42 AM

User61956409 posted
Hi Liran.Dobrish,
For IIS hosting and configuration questions, you can also post on IIS forums.
With Regards,
Fei Han
Monday, November 4, 2019 8:00 AM

User-474980206 posted
If you want a Web API (MVC classic) service to access a network share with the user's permissions, you need to do the following:
1) Switch to Kerberos authentication.
2) Enable delegation from the web server to the network shares.
3) Set web.config to impersonate the user.
4) If using ASP.NET Core, you will need to use Windows identity. You will then need to convert the user token to a primary token and run the network request on its own thread, where the thread impersonates the token. As ASP.NET Core is async and multiple requests use the same request thread, you cannot impersonate on the main thread; you must create a new thread.
Monday, November 4, 2019 4:56 PM
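
An added example, not code from any poster in this thread: an ASP.NET Core controller that reads a file from a share under the caller's Windows identity. It uses `WindowsIdentity.RunImpersonated` to scope impersonation to one synchronous call in place of a hand-managed thread, and it assumes Windows authentication with Kerberos delegation is already configured (steps 1 and 2 above). The controller name, route and `ShareRoot` value are hypothetical placeholders.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Authorize]
[Route("api/files")]
public class ShareFilesController : ControllerBase
{
    // Assumption: placeholder UNC root, replace with the real share.
    private const string ShareRoot = @"\\fileserver.example\share";

    [HttpGet("{name}")]
    public IActionResult Get(string name)
    {
        // Only a Windows-authenticated caller carries a token that can be impersonated.
        if (User.Identity is not WindowsIdentity caller)
            return StatusCode(403);

        // Diagnostic (assumes Negotiate/Kerberos): a token that is not at Delegation level
        // is valid on this server only, so the second hop to the share is denied even
        // though User.Identity shows the right name.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return StatusCode(403, "Caller token is not delegable; check Kerberos, SPNs and delegation.");

        // Keep the requested name inside the share root (blocks ..\ and rooted paths).
        string full = Path.GetFullPath(Path.Combine(ShareRoot, name));
        if (!full.StartsWith(ShareRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return BadRequest();

        try
        {
            // The delegate runs as the caller; the app pool identity is restored on return,
            // so share ACLs are evaluated against the end user, not the pool account.
            byte[] data = WindowsIdentity.RunImpersonated(
                caller.AccessToken, () => System.IO.File.ReadAllBytes(full));
            return File(data, "application/octet-stream", Path.GetFileName(full));
        }
        catch (UnauthorizedAccessException) { return StatusCode(403); }
        catch (FileNotFoundException) { return NotFound(); }
        catch (DirectoryNotFoundException) { return NotFound(); }
    }
}
```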