1

I've got an issue with receiving an access denied error when trying to access a folder via UNC on another machine, from a web application running in IIS. Now i'm sure your thinking, as I did, this is surely just a permissions problem, however the following has happened:

  • The application is using impersonation and the user it is impersonating has full access to that folder.
  • Permission for that folder has been set to allow full control for everyone, in case impersonation was not working, same issue.
  • The application can quite happily view other folders and files in this share

Procmon is showing an access denied error when accessing this file, details of what it is asking is below:

Operation: Create File Result: ACCESS DENIED Desired Access: Generic Read Disposition: Open Options: Synchronous IO Non-Alert Attributes: N ShareMode: Read, Write, Delete AllocationSize: n/a Impersonating: domain\user

The application is essentially just trying to read from that folder, nothing more (the create file operation is actually only creating a handle to that file).

There are no events in the security log of the file server indicating an access denied error.

Edit

Delegation has been setup for UNC access (allowing the App pool user to delegate to the HOST and CIFS service on the file server) and using Deleconfig confirms this should work, it does not. However setting the App Pool user to be allowed to delegate to any service (Kerberos) only does work. As far as I was aware HOSTS and CIFS were the only services required to delegate file server access, so I'm not sure what extra service it needs access to.

Improve this question

2 Answers 2

Reset to default
1

This is from procmon running on the remote machine?

If so, that indicates that impersonation was successful (as it identifies the right domain\user, right?), so it's not a delegation problem with Windows authentication.

If not, it's probably a delegation problem with Windows authentication; try DelegConfig.

If the application is creating its own connection using \server\share - i.e. it's not a folder in IIS mapped to that location - then further subtleties may be present based on the application framework and the way it's been programmed.

Improve this answer
2
  • It's from Procmon running on the IIS server. It looks like it is a delegation problem, as allowing the App Pool user to delegate to any service (Kerberos only) lets it work. This is surprising as I already have delegation for UNC (HOST and CIFS) access setup and tested with Deleconfig, so I don't know what service it is delegting to! Commented Nov 9, 2011 at 12:01
  • host\targetname or CIFS\targetname should work - grab a network trace from the IIS box when it's setting up the connection to see what exact SPN it's building and sending to the DC, then ensure it's allowed to delegate to that one. Commented Nov 9, 2011 at 12:44
0

Can't remember if IIS allows UNC access specifications?

Maybe the area needs to be assigned to a drive letter for IIS access.

Improve this answer
1
  • IIS does allow UNC access from applications, it is working fine in other areas of the application (and in many other applications). Microsoft specifically advise against using mapped drives. Commented Nov 9, 2011 at 10:03

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.