Access denied impersonating current user accessing network folder

Trying to list the directories and files within a specific folder. This folder will depend on the current user (Page.User) which logs in by Windows Authentication (NTLM) and is retrieved from the Active Directory (homedirectory property).

I am using a domain user to access the AD and retrieve the folder location, this works fine.

What fails is retrieving the sub folders using System.IO.DirectoryInfo.GetDirectories() even with impersonation.

Here's the code I'm using for impersonation:

// Impersonate the NTLM-authenticated caller; pair with impersonationContext.Undo() in a finally block once the file access is done.
System.Security.Principal.WindowsImpersonationContext impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

I have checked that the user being impersonated has access to the folder.

From what I have found so far it seems that I either need to set up delegation or Kerberos authentication, is this true? Are these the only ways to achieve this? Shouldn't impersonation be enough?

Perbert asked Dec 19 '12 15:12


1 Answer

Impersonation allows the website service account to impersonate (pretend to be) another user on that machine. So querying AD to see what rights you (or the impersonated user) have is allowed.

Requesting access to a UNC share on another machine is asking the other machine to accept that the website service account is acting on behalf of the user being impersonated. This is delegating. The other machine is not checking the user's credentials itself but delegating that check to the webserver.

If the client is connecting to the website from yet another machine (normally the case for webservers), then you have a "double hop" from client to webserver to UNC file server.

I'd suggest you need to configure Kerberos (via the SetSPN utility) and look at enabling delegation rights for the website service account (within AD Users and Computers). If you have problems setting this up, I heartily recommend a tool called DeleConfig.

Grhm answered Oct 07 '22 19:10
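The distinction the answer draws (impersonation is good enough on the web server itself, delegation is needed for the second hop to the file server) can be observed directly on the token. The following C# helper is an added example, not code from the question or the answer: it assumes .NET Framework ASP.NET where Page.User.Identity is a WindowsIdentity, reads WindowsIdentity.AuthenticationType and WindowsIdentity.ImpersonationLevel before impersonating, and then attempts the GetDirectories() call with the impersonation reverted in a finally block. The helper name ImpersonatedShareAccess and the UNC path in the usage comment are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added diagnostic helper (hypothetical name, not part of the original post).
// It shows why a plain Impersonate() call is not enough for a UNC share on
// another host: the token's ImpersonationLevel tells you whether the web
// server is allowed to forward the caller's identity to a second machine.
public static class ImpersonatedShareAccess
{
    public static string[] ListSubfolders(WindowsIdentity caller, string uncPath)
    {
        // "NTLM" here means the browser authenticated with NTLM, which only
        // yields a token usable on this machine; "Kerberos" (after SetSPN and
        // delegation are configured) can yield a delegation-level token.
        Console.WriteLine("AuthenticationType: {0}", caller.AuthenticationType);
        Console.WriteLine("ImpersonationLevel: {0}", caller.ImpersonationLevel);

        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            // Impersonation-level (or lower) token: local access checks pass,
            // but the file server on the second hop will not see this user,
            // so the UNC request is made as the service account or anonymous.
            Console.WriteLine("Token cannot be delegated; access to a share on another host will be denied.");
        }

        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            // Runs as the caller while ctx is active.
            DirectoryInfo[] subs = new DirectoryInfo(uncPath).GetDirectories();
            string[] names = new string[subs.Length];
            for (int i = 0; i < subs.Length; i++)
            {
                names[i] = subs[i].Name;
            }
            return names;
        }
        catch (UnauthorizedAccessException ex)
        {
            // Log which identity the request was actually made under.
            Console.WriteLine("Access denied while running as {0}: {1}",
                WindowsIdentity.GetCurrent().Name, ex.Message);
            throw;
        }
        finally
        {
            // Always revert; otherwise the worker thread keeps the caller's identity
            // for whatever request it serves next.
            ctx.Undo();
        }
    }
}

// Usage from the page (assumed Web Forms, Windows Authentication enabled):
//   var id = (WindowsIdentity)User.Identity;
//   string[] folders = ImpersonatedShareAccess.ListSubfolders(id, @"\\FILESERVER\home\alice"); // placeholder path
```

On a machine where the logged output shows AuthenticationType "NTLM" and ImpersonationLevel "Impersonation", the listing will succeed for a local folder and fail for a UNC path on another server, which is the double-hop behaviour described in the answer; once Kerberos and delegation are configured the same code reports "Delegation" and the remote listing succeeds without any change to the application.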