MVC File Upload - Shared Drive directory permissions

  • Question

  • User1047454725 posted

    Apologies in advance for the newbie question - as this is a fairly straightforward operation.

    I'm trying to migrate my intranet MVC application to production. One of its features is that it allows users to upload files. This is very simple - after a user selects a file, it is saved using the HttpPostedFileBase.SaveAs() method.

    The application itself has Windows Authentication enabled along with Impersonation (authenticated user). For development purposes, I was uploading to a local location and of course everything is working as expected. But for production, we've allocated space on a network share. The Application Pool uses ApplicationPoolIdentity.

    My question is which users are supposed to get permission to the shared directory? Should it be the individual Windows accounts (we can put them into an AD group to simplify management) or do we just give access to IIS_IUSRS? (I believe the latter is a security hole). Or is there a different solution altogether?

    Apologies in advance if I'm missing information needed for making an assessment - please let me know your thoughts.

    Best Regards. 

    Friday, March 1, 2019 8:16 PM

All replies

  • User283571144 posted

    Hi kj27,

    My question is which users are supposed to get permission to the shared directory? Should it be the individual Windows accounts (we can put them into an AD group to simplify management) or do we just give access to IIS_IUSRS? (I believe the latter is a security hole). Or is there a different solution altogether?

    As far as I know, the web application will use the identity pool account to access the shared folder. Like below: IIS_Apppool {your application pool name}.

    If you want to upload the file to the shared folder, you should make sure your ASP.NET identity account has permission on this network folder and make sure the account is in the Access this computer from the network group on the remote server.

    If you don't want to use the asp.net IIS application pool account, you could use Impersonation to achieve your requirement.

    For more details, you could refer to the articles below:

    http://aspalliance.com/336_Upload_Files_Using_ASPNET_Impersonation_and_UNC_Share.all 

    https://stackoverflow.com/a/5985299/7609093

    Best Regards,

    Brando

    Monday, March 4, 2019 7:19 AM
  • User753101303 posted

    Hi,

    If impersonation is enabled, your code should run with the user identity, but it might be difficult to reuse this user identity to access network resources for safety reasons (else from a web app you could act as a user for everything). You don't have the user name as part of the error message when you try? Do you really need impersonation?

    See for example https://stackoverflow.com/questions/2646644/asp-net-impersonate-user-for-network-resource-access. In short, you need to authorize reusing the user identity to access non-local resources...

    Usually you grant access to the application and you make sure only allowed users can use your app.

    Tuesday, March 5, 2019 1:57 PM
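
An added example, not part of the thread and not the posters' code: one way to follow the last reply's suggestion, where the share is writable only by the application's own identity and the application decides who may upload. The UNC path, AD group name, size limit and extension allow-list are placeholders, and it assumes the share grants write access to the application pool's network identity (for ApplicationPoolIdentity that is the web server's computer account) rather than to individual users.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public class UploadController : Controller
{
    // Placeholder values (assumptions): substitute your own share, group and limits.
    private const string UploadRoot = @"\\fileserver\uploads";
    private const int MaxBytes = 10 * 1024 * 1024;
    private static readonly string[] AllowedExtensions = { ".pdf", ".docx", ".xlsx" };

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = @"EXAMPLE\UploadUsers")]   // the app, not the share ACL, decides who may upload
    public ActionResult Upload(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength == 0 || file.ContentLength > MaxBytes)
            return new HttpStatusCodeResult(400, "Missing or oversized file.");

        // Take only the extension from the client-supplied name; never use that name as a path.
        string ext;
        try { ext = (Path.GetExtension(file.FileName ?? "") ?? "").ToLowerInvariant(); }
        catch (ArgumentException) { ext = ""; }   // client name contained invalid path characters
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            return new HttpStatusCodeResult(400, "File type not allowed.");

        // Server-generated name prevents path traversal and overwriting existing files.
        string target = Path.Combine(UploadRoot, Guid.NewGuid().ToString("N") + ext);

        // With impersonation enabled the request thread runs as the end user, whose
        // token usually cannot be reused on a remote server. Impersonate(IntPtr.Zero)
        // reverts this thread to the process (application pool) identity until disposed.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            file.SaveAs(target);
        }

        // The share only ever sees the app identity, so record the real user here.
        Trace.TraceInformation("Upload by {0} stored as {1}", User.Identity.Name, target);
        return Content("Uploaded.");
    }
}
```

If impersonation is not needed elsewhere in the application, turning it off makes the `using` block unnecessary and the rest of the action stays the same.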