C# 3.5 ASP.net File IO issue, UnauthorizedAccessEx

2019-05-25 04:44发布

问题:

I get an UnauthorizedAccessException everytime I try to access (just read) a file on a network share "\\server\folder1\folder2\file.pdf."

I am impersonating the domain\aspnet user which has read & write access to the above mentioned folders. The file is not read-only.

I tried finding the permissions via System.Security.Permissions.FileIOPermission. It just says NoAccess to all files.

I'm not sure what else I can do.

I am using Visual Studio 2008, ASP.net 2.0 on Framework 3.5, WinXP, IIS 5.1.

回答1:

ASP.NET user will not work with network path. So you need to have a windows account that will have all the rights and then you need to imposernate things in web.config like following.

<identity impersonate="true" userName="domainname\windowuseraccount" password="password"/>


回答2:

I'll assume you have set up the impersonation properly. You have turned off anonymous access, set the authentication mode to Windows and set impersonation to true, etc.

Even with all that done properly and the correct account impersonating you will still not be able to access the file. The account being impersonated is using what are called network credentials. These are only valid on the machine on which the impersonation is taking place. When you attempt to access a file on the computer itself the access is performed with the user's credentials but for a file on a share the access is done as a non-authenticated user and so no access is allowed.

In order to allow you to use the user's credentials for remote work, i.e. accessing a share, integrated security for a remote database, etc. you need to use delegation rather than impersonation. This is a somewhat complicated topic involving your Active Directory set-up and your IIS configuration. Have a look at this article, it should give you a good place to start.



回答3:

Make sure that the domain user has Security rights and Share rights. That is, on the shared folder, add the domain user under the "Sharing" tab in the properties, as wells as under the "Security" tab.



回答4:

What IIS version are you using? If it is version 6, you can place the web app in it's own application pool, then set the identity of that application pool to be a domain user account. Then, grant that domain user account access to the network share.



回答5:

FYI you can place the following in an aspx file to verify what identify your pages are running as:

<%@ Page Language="C#" %>
<% Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name); %>

To access a network share the above user will need to be a domain account setup by a network administrator.