impersonation - network share - access denied

[bren]

My intranet web app is trying to display the list of files in a
directory showing their mod date.

I wrap the code that's retreiving the mode date with code to set
impersonation and I still get and access denied error.

This is the code that's fails and raises the error:

ModDate = File.GetLastWriteTime( TestPath ).ToString();

I'm confident that I am impersonating the current login.

The application requires integrated authentication with anonymous
authentication turned off.

To confirm for myself what login is trying to access the share, I
display the access denied error along with the login name using
System.Security.Principal.User.Identity.Name.

The login has full permissions on the directory and the files that are
being accessed.

Why is the error being raised?

thanks, Bren

 

[Joe Kaplan \(MVP - ADSI\)]

If the files are on a file share on a remote machine, you probably need to
get Kerberos delegation in order to use the authenticated user's security
context to access them. That constitutes a double hop.

Joe K.

 

[bren]

Joe,

Thanks for your reply.

I've researched Kerberos and tried a few things. I've enabled
delegation on the web server on which the app is running, and I've set
the attribute for delegation for the login I'm testing with. Those
changes didn't make a difference.

Do you know of anything else specific that I need to do?

Maybe there is something in the impersonation code that needs to be
different?

Thanks, Bren

 

[Joe Kaplan \(MVP - ADSI\)]

The first thing I always check for with delegation issues is to make sure
that I'm authenticating to the web server with Kerberos, not NTLM. NTLM
auth will prevent delegation right off.

The security event log on the server is the best way to find out what
happened, but you can also use a tool like wfetch.exe (IIS Resource Kit) to
play around with the settings. After a while, you can learn to tell what a
Kerberos authentication "looks like" in terms of the authorization headers
sent by the client as usually the blob of data is much larger than with
NTLM.

Once you get the front end working with Kerberos, you then need to make sure
you are accessing the backend file share via Kerberos too. The same rules
apply with the security event log.

Most of the time, failure to get Kerberos auth is an issue with not having
the correct SPNs set on the accounts in question in AD.

Joe K.