SgDotNet
Singapore Professional .NET User Group -For Cool Developers

Integrated Windows Authentication

Latest post 09-06-2006 5:26 PM by icelava. 9 replies.
  • 07-27-2006 11:52 AM

    • ci
    • Top 150 Contributor
    • Joined on 07-27-2004
    • Posts 12

    Integrated Windows Authentication

    Hi,

    I've an intranet application which uses integrated windows authentication (domain account).

    The application needs to upload a file and save it to a folder in another server. However, I encountered Access Denied error while trying to save the file in the folder.

    All the necessary rights have been given to the domain account to access this remote server.

    Have tried to access the same folder from Explorer and it works. Everything is working fine in development server but not UAT server.

     

    Here are my settings

    1) Web.Config

        <identity impersonate="true" />
        <authentication mode="Windows" />

    2) IIS

        Unchecked “Enable anonymous access”
        Unchecked “Digest authentication”
        Unchecked “Basic authentication”
        Unchecked “.Net passport authentication”
        Checked “Integrated Windows Authentication”

    3) Browser Setting

        Checked “Enable Integrated Windows Authentication” (Internet Options – Advanced)
        Choose “Automatic logon only in Intranet zone” (Internet Options – Security – Local intranet)

     

    Did I miss out anything?

    How do I check (in code) which account is being used to access the server?

    Appreciate your help. Thanks

     

  • 07-27-2006 6:27 PM In reply to

    Re: Integrated Windows Authentication

    Out of the box it is not possible to write the file onto a remote server even if the user you are using is perfectly valid on both machines. I remember that if you have 2003 Servers in a 2003 domain you can set up delegation between the two servers in AD, but I don't recall the details of how exactly this works.

    This information is some years old, so there may be other solutions now.

  • 07-27-2006 10:33 PM In reply to

    Re: Integrated Windows Authentication

    Can I assume that both servers are in the same domain?

    In order to perform delegation and access another server, you must use Kerberos rather than NTLM.

    To use Kerberos, your domain must be a Native domain (not having any domain controller running NT 4.0 or older versions; in other words, in order to promote to native domain, all domain controllers must be running minimum Windows 2000 Server).

    Check it out here for more information on Kerberos Network Authentication Protocol.

    Maung Maung
  • 07-28-2006 9:36 AM In reply to

    • ci

    Re: Integrated Windows Authentication

    Yes, both servers are in the same domain.

    And the other server is on Windows 2000 as well. By default, Windows 2000 server uses Kerberos, right?

  • 07-28-2006 11:23 AM In reply to

    Re: Integrated Windows Authentication

    That depends on how the first domain in the forest is set up, meaning the settings you choose during the DCPROMO wizard will decide if the domain is set up to operate in native mode or not. You can still promote the existing domain to native mode by using the "Active Directory Users and Computers" administration tool. (Warning: It is a one-way operation, thus it cannot be reverted back to mixed mode.)

    Check out Domain Model on http://www.samspublishing.com/articles/article.asp?p=130843&rl=1

    or

    Check out more on Mixed Mode vs Native Mode here. http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=7156

    Maung Maung
  • 07-28-2006 11:28 AM In reply to

    • ci

    Re: Integrated Windows Authentication

    Thanks for the reply.

    How do I check in code whether Kerberos or NTLM authentication is used?

  • 07-31-2006 3:42 PM In reply to

    • ci

    Re: Integrated Windows Authentication

    I think it should be using Kerberos. I will check and confirm.

    Any other possible reasons for getting the access denied error?

  • 07-31-2006 7:58 PM In reply to

    Re: Integrated Windows Authentication

    I sort of found an answer for your problem.

    Put this in web.config file.

    <authorization>
         <deny users="?" />
         <allow users="*" />
    </authorization>

    ASP.NET will not authenticate the user unless anonymous access is disabled on the site.

    You can use the following code to find out which identity is being used to access the file.

    Response.Write(System.Threading.Thread.CurrentPrincipal.Identity.Name);

    Maung Maung
  • 08-01-2006 4:31 PM In reply to

    • ci

    Re: Integrated Windows Authentication

    I need to disable the anonymous access on this site as this is meant to be a secured system.

    Tried the System.Threading.Thread.CurrentPrincipal.Identity.Name in my code, I'm getting the correct id, i.e. user NT login id.

  • 09-06-2006 5:26 PM In reply to

    Re: Integrated Windows Authentication

    ci:
    The application needs to upload a file and save it to a folder in another server.
    That is two hops. You can only authenticate and impersonate the user principal at just the web server node. This authentication process is non-transitive so the remote file server is still being accessed by the ASPNET or Network Service principal. This is by design.

    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral
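
A diagnostic for the two questions asked in this thread (which account is actually used, and whether its token can make the second hop), as an added example that is not part of any post. The class and method names are hypothetical, and it assumes .NET Framework 2.0 or later on Windows.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Hypothetical helper, not code from the thread.
public static class HopDiagnostics
{
    // True only when the token may be forwarded to another server on the
    // user's behalf, which is what Kerberos delegation produces.
    public static bool IsDelegationToken(WindowsIdentity token)
    {
        return token.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // One line per identity so the two can be compared side by side.
    public static string Report(IIdentity principal, WindowsIdentity token)
    {
        // What the thread's Thread.CurrentPrincipal check shows: the user
        // that was authenticated for the request.
        string who = string.Format("Authenticated user : {0} (auth type: {1})",
            principal.Name, principal.AuthenticationType);

        // What the operating system checks on file access: the token on the
        // executing thread. With <identity impersonate="true" /> this is the
        // user's token; without it, the worker process account.
        string runAs = string.Format("Thread token       : {0} (auth type: {1}, level: {2})",
            token.Name, token.AuthenticationType, token.ImpersonationLevel);

        string hop = IsDelegationToken(token)
            ? "Second hop         : token is at Delegation level"
            : "Second hop         : token is not at Delegation level";

        return who + Environment.NewLine + runAs + Environment.NewLine + hop;
    }

    // Stand-alone run. In an ASP.NET page, pass the same two arguments to
    // Report and write the result to the response.
    public static void Main()
    {
        // Make Thread.CurrentPrincipal a WindowsPrincipal outside ASP.NET.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Report(Thread.CurrentPrincipal.Identity, token));
        }
    }
}
```

An auth type of "Negotiate" on the authenticated user does not by itself say whether Kerberos or NTLM was selected; the impersonation level on the thread token is the more direct indicator for the second hop.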

Copyright SgDotNet 2004-2008