-1

Hi,
I have one ASP.NET page which allows users to upload their files which are stored in another system (file server) through simple network share. The code is as simple as
FileUpload.PostedFile.SaveAs(strPath)

Here this page gets "access denied" to save the file. I know the application is running under ASPNET local user account. So i even can't give privileges to save file for this local account in another target system.

I solved this problem by using impersonation tags as below in the web.config :

<identity impersonate="true" userid=xxx password=yyyy />

But i have to specify user id and password explicitly in plain text here....
Is there anyway i avoid specifying user id and password like this?

5
Contributors
4
Replies
5
Views
12 Years
Discussion Span
Last Post by prabinv
0

If you define it in the web config, then it isn't available for users to view. Hence it is secure.


Hope this helped.

Slade

-1

Hi,
I have one ASP.NET page which allows users to upload their files which are stored in another system (file server) through simple network share. The code is as simple as
FileUpload.PostedFile.SaveAs(strPath)

Here this page gets "access denied" to save the file. I know the application is running under ASPNET local user account. So i even can't give privileges to save file for this local account in another target system.

I solved this problem by using impersonation tags as below in the web.config :

<identity impersonate="true" userid=xxx password=yyyy />

But i have to specify user id and password explicitly in plain text here....
Is there anyway i avoid specifying user id and password like this?

turn off anonymous access to the website and use the integrated nt security...

0

OR if I recall just give Permission to the IUSR_anonymous User in Windows access to the directory/files. It is the default user used by ASP.Net

0

Hi,
If you are concerned about the security with respect to some user having access to the machine can read the user credentials, then you can encrypt that particular configuration section of the web.config using aspnet_regiis.exe with the pe / pef commands. This would render the web.config section unreadable if opened physically, but readable from the application.

That brings up another question though. What happens if the company policy madates the change of user passwords at regular intervals? Can we read the user credentials from Active Directory without coding, i.e., can we specify whether to get the user credentials from the AD by specifying user name? Can someone answer these questions?

regards,
Prabin.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.