Hi,
I have one ASP.NET page which allows users to upload their files which are stored in another system (file server) through simple network share. The code is as simple as
FileUpload.PostedFile.SaveAs(strPath)

Here this page gets "access denied" to save the file. I know the application is running under ASPNET local user account. So i even can't give privileges to save file for this local account in another target system.

I solved this problem by using impersonation tags as below in the web.config :

<identity impersonate="true" userid=xxx password=yyyy />

But i have to specify user id and password explicitly in plain text here....
Is there anyway i avoid specifying user id and password like this?

If you define it in the web config, then it isn't available for users to view. Hence it is secure.


Hope this helped.

Slade

Hi,
I have one ASP.NET page which allows users to upload their files which are stored in another system (file server) through simple network share. The code is as simple as
FileUpload.PostedFile.SaveAs(strPath)

Here this page gets "access denied" to save the file. I know the application is running under ASPNET local user account. So i even can't give privileges to save file for this local account in another target system.

I solved this problem by using impersonation tags as below in the web.config :

<identity impersonate="true" userid=xxx password=yyyy />

But i have to specify user id and password explicitly in plain text here....
Is there anyway i avoid specifying user id and password like this?

turn off anonymous access to the website and use the integrated nt security...

OR if I recall just give Permission to the IUSR_anonymous User in Windows access to the directory/files. It is the default user used by ASP.Net

Hi,
If you are concerned about the security with respect to some user having access to the machine can read the user credentials, then you can encrypt that particular configuration section of the web.config using aspnet_regiis.exe with the pe / pef commands. This would render the web.config section unreadable if opened physically, but readable from the application.

That brings up another question though. What happens if the company policy madates the change of user passwords at regular intervals? Can we read the user credentials from Active Directory without coding, i.e., can we specify whether to get the user credentials from the AD by specifying user name? Can someone answer these questions?

regards,
Prabin.

This article has been dead for over six months. Start a new discussion instead.