Access Denied when accessing UNC path from IIS
This is from procmon running on the remote machine?
If so, that indicates that impersonation was successful (as it identifies the right domain\user, right?), so it's not a delegation problem with Windows authentication.
If not, it's probably a delegation problem with Windows authentication; try DelegConfig.
If the application is creating its own connection using \\server\share - i.e. it's not a folder in IIS mapped to that location - then further subtleties may be present based on the application framework and the way it's been programmed.
Sam Cogan
I'm a Cloud Architect and Microsoft Azure MVP, focused on providing architecture and technical solutions for cloud based SaaS projects using Azure. I'm particularly focused on areas around cloud automation and deployment, devops, configuration management, along with high performance and grid computing in the cloud. I blog about Azure and cloud related topics at samcogan.com
Updated on September 18, 2022

Comments
Sam Cogan, over 1 year ago:
I've got an issue with receiving an access denied error when trying to access a folder via UNC on another machine, from a web application running in IIS. Now I'm sure you're thinking, as I did, this is surely just a permissions problem; however, the following has happened:
- The application is using impersonation and the user it is impersonating has full access to that folder.
- Permission for that folder has been set to allow full control for everyone, in case impersonation was not working, same issue.
- The application can quite happily view other folders and files in this share.
Procmon is showing an access denied error when accessing this file; details of what it is asking are below:
Operation: Create File
Result: ACCESS DENIED
Desired Access: Generic Read
Disposition: Open
Options: Synchronous IO Non-Alert
Attributes: N
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: domain\user
The application is essentially just trying to read from that folder, nothing more (the create file operation is actually only creating a handle to that file).
There are no events in the security log of the file server indicating an access denied error.
Edit:
Delegation has been set up for UNC access (allowing the App pool user to delegate to the HOST and CIFS service on the file server) and using DelegConfig confirms this should work; it does not. However, setting the App Pool user to be allowed to delegate to any service (Kerberos only) does work. As far as I was aware HOST and CIFS were the only services required to delegate file server access, so I'm not sure what extra service it needs access to.
Sam Cogan, over 12 years ago: IIS does allow UNC access from applications; it is working fine in other areas of the application (and in many other applications). Microsoft specifically advise against using mapped drives.
Sam Cogan, over 12 years ago: It's from Procmon running on the IIS server. It looks like it is a delegation problem, as allowing the App Pool user to delegate to any service (Kerberos only) lets it work. This is surprising as I already have delegation for UNC (HOST and CIFS) access set up and tested with DelegConfig, so I don't know what service it is delegating to!
Ov's Pianist, over 12 years ago: host/targetname or cifs/targetname should work - grab a network trace from the IIS box when it's setting up the connection to see what exact SPN it's building and sending to the DC, then ensure it's allowed to delegate to that one.
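The answer's suggestion to run DelegConfig and the last comment's advice to compare the SPN the client actually builds against the account's delegation list can be checked directly in Active Directory. The script below is an added example written for this page, not code from the question, the answerer, or DelegConfig. It assumes the RSAT ActiveDirectory module is available and uses hypothetical names (svc-webapp for the app pool identity, FILESRV01 for the file server); replace them with your own. It lists the HOST SPNs registered on the file server's computer object (cifs is an alias of HOST through the forest's default sPNMappings, so it is normally not registered separately), then reports whether each cifs/ and host/ SPN, for both the NetBIOS name and the FQDN, is present in the account's msDS-AllowedToDelegateTo list. The SPN the IIS box requests depends on the exact name used in the UNC path, so a delegation entry for the short name does not cover a path that uses the FQDN or a DNS alias, and vice versa.

```powershell
# Added example (not from the original page): compare the SPNs a file server
# can be reached by with the constrained-delegation list of the IIS app pool
# account. Names below are hypothetical placeholders.
param(
    [string]$AppPoolAccount = 'svc-webapp',   # hypothetical app pool identity (domain user)
    [string]$FileServer     = 'FILESRV01'     # hypothetical file server NetBIOS name
)

Import-Module ActiveDirectory

# App pool account: delegation flags and the constrained-delegation target list.
$acct = Get-ADUser -Identity $AppPoolAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

# File server computer object: registered SPNs and its DNS name.
$srv = Get-ADComputer -Identity $FileServer -Properties servicePrincipalName, DNSHostName

$allowed = @($acct.'msDS-AllowedToDelegateTo')

Write-Host "Account: $($acct.SamAccountName)"
if ($acct.TrustedForDelegation) {
    # "Trust this user for delegation to any service (Kerberos only)":
    # unconstrained delegation, the setting the question reports as working.
    Write-Warning 'Account is trusted for UNCONSTRAINED delegation (any service).'
}
if ($acct.TrustedToAuthForDelegation) {
    Write-Host 'Protocol transition ("use any authentication protocol") is enabled.'
}
Write-Host "Constrained delegation targets ($($allowed.Count)):"
$allowed | ForEach-Object { Write-Host "  $_" }

Write-Host "`nHOST SPNs registered on $($srv.Name) (cifs is an alias of HOST):"
$srv.servicePrincipalName | Where-Object { $_ -like 'HOST/*' } | ForEach-Object { Write-Host "  $_" }

# The SPN the client builds depends on the name in the UNC path:
#   \\FILESRV01\share              -> cifs/FILESRV01
#   \\filesrv01.corp.example\share -> cifs/filesrv01.corp.example
# so both name forms are checked for both service classes.
$names  = @($FileServer, $srv.DNSHostName) | Where-Object { $_ } | Select-Object -Unique
$needed = foreach ($svc in 'cifs', 'host') {
    foreach ($name in $names) { "$svc/$name" }
}

Write-Host "`nDelegation coverage for $FileServer :"
$report = foreach ($spn in $needed) {
    [pscustomobject]@{
        SPN                  = $spn
        AllowedForDelegation = ($allowed -contains $spn)   # -contains is case-insensitive
    }
}
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.AllowedForDelegation }
if ($missing) {
    Write-Warning ('Not in msDS-AllowedToDelegateTo: ' + ($missing.SPN -join ', ') +
        '. If the UNC path uses one of these names (or a DNS alias not listed above), the second hop will be refused.')
}
```

Run it on a domain-joined machine with RSAT as a user who can read the two objects. If every row shows True and unconstrained delegation is off but access is still denied, the name in the UNC path is likely one the script did not derive (for example a CNAME or DFS namespace), which is exactly what the network trace in the last comment would reveal.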