A few months ago I was presented with a problem that took me a while to figure out. I had lost my notes but just found them, hence the post now.
The issue I had was a web service that provided a method to check whether a file existed on a remote server, given some parameters that a function mapped to a file name on one of those storage systems. The existence check was done with the File.Exists method, passed a UNC path representing the file. (Note that File.Exists returns false rather than throwing when the caller lacks permission to the path, so an authentication failure looks exactly like a missing file unless you test access separately.)
This all worked fine while the web service server and the file server were in the same domain. It broke when the web service was moved to a server in a different domain, one that had no trust relationship with the file server's domain.
I originally thought this was interesting, as I had the web service set up to impersonate an account from the file server's domain through the web.config <identity> element; that was needed just to pass the security checks, since access is limited to a few accounts in that domain. However, because there was no trust, the web server had no way to validate those credentials against the file server's domain, so the impersonation didn't work!
After much research I did not find a complete solution, but I did find two half solutions that needed to be stitched together into a single solution.
The first half of the solution is to create a dedicated application pool to run your web service in. We'll configure this application pool to run under a different identity than the rest of ASP.NET. After you've created the application pool, select Properties -> Identity -> Configurable, and enter the account from your web service server's domain that you want the pool to run under. It is very important that this account have the same user name and the same password as the account in the remote domain (the one without the trust) that is used to access the resources. Without a trust there is no Kerberos path to the file server, so the SMB connection falls back to NTLM, and the file server's domain accepts the NTLM response because it holds an account of the same name with the same password. This is the classic "mirrored account" arrangement: in effect a shared secret between two security domains, so keep the account's permissions on the file server minimal and change both passwords in lockstep. Now configure your web service to run in that application pool.
If you now try to access your web service, you will get the infamous "Service Unavailable" page in big red letters. What's going on? Well, this is the second half of the solution: you've created the application pool, but its identity doesn't have the permissions needed to load the .NET system files, so the worker process cannot start. Doh!
To solve this, add the account to the local IIS_WPG group, and then assign it the following user rights (Local Security Policy -> User Rights Assignment):
- Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
- Replace a process level token (SeAssignPrimaryTokenPrivilege)
And we're not done yet. You still have to give the IIS_WPG group full control of the following directories (and all sub-items):
- C:\Windows\Temp
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files
- The folder where your web service is located.
Restart IIS and you should be able to access your web service and have it reach the resources in the remote, untrusted domain.
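Here is the whole procedure above as one PowerShell script, an added example that is not code from the original post. It targets IIS 6 on Windows Server 2003 (the metabase, IIS_WPG and the Properties -> Identity UI all belong to that version) and must run elevated on the web service server. The pool name, account, password, domain names, file server, share, metabase path and test URL are placeholders I made up; substitute your own. It also adds two checks the post does not have: a `net use` against the file server with the remote domain's credentials before anything is changed, which proves the mirrored name and password actually match, and a request to the service after the restart so a lingering 503 is caught immediately.

```powershell
# Added example, not from the original post. All names and paths below are
# placeholders (assumptions); replace them with your own environment's values.
param(
    [string]$PoolName     = 'RemoteFilesPool',
    [string]$Account      = 'WEBDOMAIN\svc_filecheck',     # local-domain account, same NAME as the remote one
    [string]$Password     = 'SamePasswordAsRemoteAccount',  # and the same PASSWORD, byte for byte
    [string]$RemoteDomain = 'FILEDOMAIN',                   # the untrusted domain that owns the file server
    [string]$FileServer   = 'fileserver01',
    [string]$Share        = 'data$',
    [string]$AppPath      = 'W3SVC/1/Root/FileCheckService', # metabase path of the web service application
    [string]$TestUrl      = 'http://localhost/FileCheckService/Service.asmx',
    [string]$DirRights    = 'FullControl'                   # what the post grants; 'Modify' suffices for compile output
)
$domain, $user = $Account -split '\\'

# 0. Prove the mirrored credentials are accepted by the file server before wiring
#    them into IIS. No trust is needed for this: it is plain NTLM over SMB.
net use "\\$FileServer\$Share" $Password /user:"$RemoteDomain\$user" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "$FileServer rejected $RemoteDomain\$user; fix the mirrored account first." }
net use "\\$FileServer\$Share" /delete | Out-Null

# 1. Application pool with the mirrored account as its identity.
#    AppPoolIdentityType 3 is the "Configurable" (specific user) choice in the IIS 6 UI.
$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
$pool  = $pools.Create('IIsApplicationPool', $PoolName)
$pool.Put('AppPoolIdentityType', 3)
$pool.Put('WAMUserName', $Account)
$pool.Put('WAMUserPass', $Password)
$pool.SetInfo()

# 2. Move the web service application into the new pool and note its folder.
$app = [ADSI]"IIS://localhost/$AppPath"
$app.Put('AppPoolId', $PoolName)
$app.SetInfo()
$serviceDir = [string]$app.Path

# 3. IIS_WPG membership, so the account may serve as a worker-process identity.
$wpg = [ADSI]'WinNT://./IIS_WPG,group'
$wpg.Add("WinNT://$domain/$user,user")   # errors if already a member; harmless

# 4. The two user rights. secedit replaces the whole holder list for each privilege
#    it configures, so export the current holders and append instead of overwriting.
$privileges = @(
    'SeIncreaseQuotaPrivilege',        # "Adjust memory quotas for a process"
    'SeAssignPrimaryTokenPrivilege'    # "Replace a process level token"
)
$export = Join-Path $env:TEMP 'userrights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$current = Get-Content $export
$rightsLines = foreach ($priv in $privileges) {
    $holders = @()
    $line = $current | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    if ($line -and ($line -match '=\s*(.*)$')) {
        $holders = @($matches[1] -split ',' | ForEach-Object { $_.Trim() })
    }
    if ($holders -notcontains $Account) { $holders += $Account }
    "$priv = $($holders -join ',')"
}
$cfg = Join-Path $env:TEMP 'userrights-grant.inf'
$db  = Join-Path $env:TEMP 'userrights-grant.sdb'
if (Test-Path $db) { Remove-Item $db }
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$($rightsLines -join "`r`n")
"@ | Set-Content -Path $cfg -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 5. Directory ACLs for IIS_WPG, inherited by all sub-items, as the post lists them.
$dirs = @(
    (Join-Path $env:windir 'Temp'),
    (Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'),
    $serviceDir
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$env:COMPUTERNAME\IIS_WPG", $DirRights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# 6. Restart IIS so the pool starts with its new identity and rights.
iisreset | Out-Null

# 7. Confirm the pool actually starts: a 503 here means identity or rights are still wrong.
$client = New-Object System.Net.WebClient
$client.UseDefaultCredentials = $true
$client.DownloadString($TestUrl) | Out-Null
```

The script keeps the post's FullControl grant as the default, but the worker process only needs to create, write and delete files under those folders, so Modify is the least-privilege choice; FullControl additionally lets the pool identity rewrite the ACLs themselves. The secedit export-and-append dance in step 4 matters because a plain `[Privilege Rights]` entry silently drops every other holder of that right, including the LOCAL SERVICE and NETWORK SERVICE entries the default ASP.NET identities depend on.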