Web Service Security problem

[Russ]

Hello. I'm still struggling with a million new concepts in this .NET
world, so forgive me if the answers are obvious.

I wrote a test web service using managed C++. It works ok on
localhost but I need it to open files on another machine on the lan.
When I try to do that, it fails with error 2 (file not found). But
the file is there and accessible through windows explorer and normal
application programs.

Security auditing on the target machine (Win2K server) indicates a
failed logon attempt by user ASPNET every time I try to open the file.
It says "unknown user or bad password".

I think the problem is the use of the user ASPNET for trying to access
another computer on the lan. How can I cause the web service to use a
different username that is known to the domain server?

I read somewhere that asp.net security does not apply to non .NET
resources. Since I am trying to open a simple text file (using
CFile::Open or even fopen), I don't think the solution is to be found
in machine.config or web.config. I have tried changing the username
in the process model in machine.config on the server to "SYSTEM", and
same on the workstation on which the web service is running, but to no
avail.

Another possible issue is the ASPNET account on the server. That
account was initially disabled when I looked at it. Each security
audit indicated that the user domain was the workstation. After
enabling the ASPNET account on the server, subsequent security audit
failures showed the domain of the ASPNET user to be the server. But
it still fails.

Help?

Russ

 

[CodeMeister]

The web service project should hav a web.config.

In the web.config file, set the identity element as follows:

<identity impersonate="true" userName="domain\someuser"
password="somepassword" />

make sure the domain\someuser has access permission to the files on te lan.

The ASPNET account is the default account used by the .Net process for
ASP.Net. It is used by default for every ASP.Net application on a machine.
Allowin that account access to lan resources would be a large security risk.

Since the web.config is a text file, the username and password elements
should be encrypted if you are using .Net 1.1. The information on encryption
can be found at
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

 

[Russ]

Thank you for that. This solves the problem of accessing a text file.
But I still have another permission problem that you MAY be able to
help me with.

I have Pervasive Software's Btrieve engine (version 2000i) running on
the server. Although I can now access a text file, trying to open one
of the Btrieve files via a call to it's requester (from the web
service) fails with an error 94 - permission error.

Before I added impersonation to the web.config, the user name shown in
the failed logon attempt was ASPNET. Now the user name and domain are
changed to the ones specified, but the logon still fails (only when
the request is through the Btrieve engine). Access to the same file
is successful when the request is done from a normal windows client
program (unmanaged code and not a web service).

I know this is probably a Btrieve problem, and I have posted a query
to the appropriate news group, but I thought I would ask here too in
case you, or anyone, has any idea how to cure this.

Thanks, Russ