I have an ASP.NET app using Windows authentication, and I'm testing for the existence of a file on a remote server.
I'm authenticating as MYDOMAIN\my.username - this works.
The file is \\MYSERVER\WebShare\example.txt. This file exists. I can open it from various hosts whilst logged in as MYDOMAIN\my.username. Under Windows Explorer, the effective permissions indicate that MYDOMAIN\my.username has full control of this file.
If I attach a debugger and type $user in the watch window, I can see that the current thread is running as MYDOMAIN\my.username, whilst the current process is still running as NT AUTHORITY\NETWORK SERVICE - the relevant bits of the watch window are reproduced below:
    $user                         {...}                          $user register
    +- Process                    {...}                          TOKEN
    |  +- Name                    NT AUTHORITY\NETWORK SERVICE   User Name
    |  +- User SID                S-1-5-20                       SID
    |  +- Session Id              0                              DWORD
    |  +- Loggin Id               000003e4-00000000              LUID
    |  +- Impersonation Level     N/A (not impersonating)        SECURITY_IMPERSONATION_LEVEL
    +- Thread                     {...}                          TOKEN
       +- Name                    MYDOMAIN\my.username           User Name
       +- User SID                S-1-5-21-...                   SID
       +- Session Id              0                              DWORD
       +- Loggin Id               018622ef-00000000              LUID
       +- Impersonation Level     Impersonate                    SECURITY_IMPERSONATION_LEVEL
The server that's running ASP.NET is a member of the MYDOMAIN\Webservers group, which in turn has full control of the shared file.
Here's what I don't understand:
- When .NET tries to query File.Exists, is it the thread or process identity that is being used?
- If it's using the process credentials - how can I either force the process to run as MYDOMAIN\my.username, or give the NETWORK SERVICE account permission to read the file? (I thought this had already been done by adding my computer account - but it doesn't work...)
- If it's using the thread's credentials - why can't I read the file?
Any pointers or useful debugging tips would be most gratefully received.
Thanks,
Dylan
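
A diagnostic for the situation described above, added here as an example and not part of the original post: run inside the request, it reports the thread and process identities that the watch window shows, then opens the file so that the underlying exception surfaces instead of the plain false that File.Exists returns on any error, including access denied. The IdentityProbe class and Describe method are hypothetical names, and the code assumes .NET Framework (WindowsIdentity.Impersonate is not available elsewhere).

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;

// Hypothetical helper (names are assumptions, not from the post). .NET Framework only.
public static class IdentityProbe
{
    public static string Describe(string path)
    {
        var report = new StringBuilder();

        // GetCurrent() returns the thread's impersonation token when one is set,
        // otherwise the process token. File I/O is checked against this identity.
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            report.AppendFormat("effective: {0} (level: {1})\r\n",
                effective.Name, effective.ImpersonationLevel);
        }

        // Impersonate(IntPtr.Zero) removes the thread token until the context is
        // disposed, so GetCurrent() inside this block reports the process account.
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            report.AppendFormat("process:   {0}\r\n", process.Name);
        }

        // File.Exists swallows every failure and returns false.
        report.AppendFormat("File.Exists: {0}\r\n", File.Exists(path));

        // Opening the file raises the real error (access denied, logon failure,
        // path not found), which says why the check above failed.
        try
        {
            using (FileStream stream = File.OpenRead(path))
            {
                report.AppendLine("open: ok");
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            report.AppendFormat("open: {0}: {1}\r\n", ex.GetType().Name, ex.Message);
        }
        catch (IOException ex)
        {
            report.AppendFormat("open: {0}: {1}\r\n", ex.GetType().Name, ex.Message);
        }
        return report.ToString();
    }
}
```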